October in Brussels was filled with yellowing leaves and various developments in the European digital policy realm. 

Unlocking data's potential in the UK

On 23 Oct., the U.K. Data Use and Access Bill was introduced to Parliament. As suggested by its title, the bill aims to unlock data's potential through facilitating secure handling and sharing of data, including by enabling smart data schemes in key sectors and adopting digital ID frameworks. The bill also introduces changes to certain data protection rules, including on international data transfers. If adopted, it will allow data transfers to third countries that have data protection standards "not materially lower" than that in the U.K.

European Commission's future priorities

The European Commission's future priority areas started becoming clearer after the publication of Commissioners-designates' mission letters

Consumers and digital fairness will be a major priority during the new mandate. A new legislative project — the Digital Fairness Act — is on the to-do list of Commissioner-designate for Democracy, Justice, and the Rule of Law Michael McGrath. This instrument, or possibly a package of instruments, is expected to address issues highlighted in the digital fairness fitness check on EU consumer law in October. This project will tackle issues connected to dark patterns, addictive designs of digital services, certain online profiling techniques and social influencers' marketing approaches. 

Artificial intelligence in the workplace will also be an important topic in the second half of the mandate, with plans to look at the impact of algorithmic management on work, be it in a form of a legislative project or guidelines. It will build on existing rules relevant to the use of algorithms in human resources, such as the recently adopted Platform Work Directive

DMA and DSA 

The European Commission concluded that social networking platform X will not be designated a gatekeeper under the Digital Markets Act, as it is not considered as an important gateway for business users to reach end users.

The Commission also issued various requests for information under the Digital Services Act. It asked YouTube, Snapchat and TikTok to provide more information on the "design and functioning of their recommender systems." Temu was asked to elaborate on its mitigation measures against traders of illegal products and several adult content platforms were requested to provide information on their transparency reports, advertisement repositories and content moderation employees. 

When it comes to the DSA, protection of minors is a burning topic. In early October, the Commission organized a workshop to gather stakeholders' input that will feed into the DSA guidelines, expected to be finalized in the second half of 2025. Certain tools are already in the making, as Euractiv reports on the ongoing development of digital wallets to comply with age-verification requirements for large social media platforms under the DSA. 

GDPR procedural reform

The Council Working Party on Data Protection met 24 Oct. to discuss the proposal for a regulation on additional procedural rules relating to the enforcement of the EU General Data Protection Regulation, as a gap remains between Parliament and member states' positions. Markéta Gregorová, a second-term Czech MEP of the Greens/EFA group will lead Parliament's work on this file as a new rapporteur, replacing Sergey Lagodinsky.

Earlier this month, the European Data Protection Board released a statement on amendments to the proposal by Parliament and the European Council, providing advice that could be used in the inter-institutional negotiations planned to start in November. The EDPB indicated support regarding some of the changes proposed, but it also expressed concern over certain measures, including the feasibility of introducing a joint case file.

EDPB 2025

The EDPB announced data protection authorities will focus their fourth Coordinated Enforcement Action in 2025 on the implementation of the right to erasure by controllers. The results of this year's CEA on the right of access will be published early next year. 

CJEU ruling

The Court of Justice of the European Union recently ruled that "an online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data." 

First NIS2 clarifications

The NIS2 Directive's deadline for implementation just passed 17 Oct., 21 months after its entry into force. The law aiming to strengthen the cybersecurity of critical entities in the EU has many elements, but the Commission is set to clarify some of its more nuanced requirements.

It adopted its first implementing act on cybersecurity risk management measures and on the definition of a "significant incident," clarifying organizations' requirement to report such incidents to national competent authorities. 

Laura Pliauskaite is European operations coordinator for the IAPP.