The term of the newly appointed College of Commissioners kicked off 1 Dec. Despite the slight delay, the College proceeds fully intact. All Commissioners-designate managed to secure support from members of the European Parliament last week, although the approval was rather underwhelming with only 53% of the votes in favor.
That date also marked the start of the term for the new President of the European Council, Portugal's former prime minister António Costa, who takes over the role from Charles Michel after he led the work of the Council for two consecutive terms, five years in total. The European Council does not participate in the EU lawmaking process and instead sets the overall political direction and priorities of the EU. For Costa, some key priorities will be to boost Europe's competitiveness and enhance cooperation with its international partners.
On 2 Dec., privacy advocacy group NOYB announced it was approved as a "Qualified Entity" in Austria and Ireland. In accordance with the EU Representative Actions Directive, entities with this status can bring representative actions on behalf of consumers. Such actions cover injunctive measures, for instance requiring temporary or permanent termination of a certain action, as well as redress measures, including claims for compensation.
Although NOYB currently has the "Qualified Entity" status in only two member states — Austria and Ireland — it can represent personal data subjects from across the EU and bring claims in other member states. Following such developments and accounting for the fact that the advocacy group has submitted hundreds of EU General Data Protection Regulation complaints over the years, with some resulting in massive fines, it is only fair to expect lots of large-scale actions in the near future.
Also 2 Dec., the Council adopted the Cyber Solidarity Act and a targeted amendment to the Cybersecurity Act. The objective of the former is to enhance the EU's capability to identify, anticipate and respond to significant and large-scale cybersecurity threats and attacks. The latter allows for the future adoption of European certification schemes for "managed security services," which include incident handling, security audits and other services.
Despite the progress at the EU level with new projects aiming to strengthen the EU's cybersecurity capacities, there is some stalling at the national level. The Commission recently announced it will be opening infringement procedures against 23 member states for failing to meet the transposition deadline of the NIS2 Directive. The member states are given two months to complete the transposition.
During its latest plenary meeting 3 Dec., the European Data Protection Board published guidelines on Article 48 of the GDPR about data transfers to third country authorities. The guidelines provide practical recommendations for controllers and processors in the EU for assessing whether a request to transfer or disclose personal data to a third country authority can be fulfilled lawfully. The board identified four steps for such an assessment. The organization concerned must determine whether:
- The request in question is based on a judgment or decision from the third country's court, tribunal or administrative authority.
- The judgment or decision is based on an applicable international agreement.
- Such agreement provides for a legal basis for the transfer under Article 6(1)(c) and (e) GDPR.
- Such agreement provides for appropriate safeguards under Article 46(2)(a) GDPR and the EDPB guidelines 2/2020.
Interested stakeholders are invited to submit their views on the guidelines until 27 Jan. 2025.
During the plenary, the EDPB also approved a new European Data Protection Seal — the certification criteria for compliance of personal data processing activities with the GDPR developed by Dutch certification body Brand Compliance. The criteria, already recognized in the Netherlands, will now also be applicable in all other EU member states. Organizations can use such recognized certifications to build customer trust by demonstrating compliance with European data protection standards.
Laura Pliauskaite is the European operations coordinator for the IAPP.