Notes from the IAPP Europe: The month of consultations — time to provide input on shaping Europe's digital future

The European Commission is seeking stakeholder input on its upcoming Consumer Agenda 2025-30. The new agenda is planned to address issues related to new technologies and data-driven practices, gaps remaining in the EU's digital rulebook according to the Commission — such as harmful practices by online operators other than platforms covered by the Digital Services Act — and more. In addition, it should also look at regulatory burdens on smaller businesses. 

The Commission is also asking for input on its Apply AI Strategy. Through this call closing 4 June, the Commission hopes to identify the hurdles, including regulatory, to the uptake of artificial intelligence in the EU, with a focus on strategic and public sectors. It is also explicitly asking what challenges companies are facing regarding the AI Act's implementation and how the Commission can help.

The third consultation of note currently open is on the Data Union Strategy, in part linked to the EU's AI efforts. To be distinguished from the European Strategy for Data, which gave rise to the Data Governance Act and the Data Act, the Data Union Strategy aims to enhance innovation and AI development in the EU by enabling data sharing among sectors and different actors. It is set to increase interoperability, and the Commission is looking to understand what it is that stakeholders need to feel safe to share data.

The Commission was expected to launch a public consultation for the upcoming Digital Fairness Act during the 2025 European Consumer Summit that took place 20 May. However, publication of the consultation was postponed at the last minute and is now expected in June.

The proposal for the DFA, planned to tackle problematic online practices such as dark patterns and deceptive techniques, is expected next year.

Rules implementation

As mandated by the NIS2 Directive, the European Union Agency for Cybersecurity launched the European Vulnerability Database, which seeks to enhance Europe's digital security and support the implementation of EU cyber laws. In this database, entities are encouraged to share publicly known vulnerabilities. The tool is set to provide transparency to users and offer information on possible risk mitigation measures.

Meanwhile, member states are struggling to meet deadlines set by the NIS2 Directive. The Commission recently sent a reasoned opinion to 19 member states, requesting they transpose the directive — which aims to enhance cybersecurity of critical sectors across the EU — into national laws. This is the last step before referral to the Court of Justice of the European Union.

Several EU member states are struggling with the implementation of yet another piece of legislation. On 7 May, the Commission announced it is referring Cyprus, Czechia, Poland, Portugal and Spain to the CJEU for failing to designate or empower their national Digital Service Coordinators under the Digital Services Act.

Adequacy

The European Data Protection Board published two opinions concerning adequacy matters this month. One is on the European Commission's draft adequacy decision concerning the European Patent Organization. The EDPB requested further clarification from the Commission on onward transfers, among others, but reached a favorable conclusion. The EPO may become the first international organization to be afforded an adequacy decision under the EU regime, allowing personal data to be transferred from the EU to the EPO freely. 

The other opinion concerns the Commission's proposal to extend the U.K. General Data Protection Regulation and Law Enforcement Directive adequacy decisions that were set to expire this June. The board recognizes the need for a six-month extension, as it will allow the Commission to review the adequacy of the U.K. legal framework once the new British data protection rules are in place.

Laura Pliauškaitė is European operations coordinator for the IAPP.