It is finally beginning to feel like summer in Brussels, but when it comes to the digital field, the atmosphere certainly does not indicate a "summer break." This week's column provides a brief overview of some significant developments in July.
DPAs in the AI Act framework
EU member states have been considering which national authorities should oversee the EU Artificial Intelligence Act's implementation. Their decisions may be influenced by the European Data Protection Board's recently adopted statement.
The board suggests appointing data protection authorities (DPAs) as market surveillance authorities (MSAs) for all high-risk AI systems listed in Annex III and designating them the single point of contact under the AI Act. The EDPB also notes the importance of solidifying the procedures for cooperation between MSAs and other regulatory authorities, as well as between DPAs, the EDPB and the AI Office.
The rationale for the recommendations is based on DPAs' full independence and their experience tackling topics concerning AI technologies and their effect on fundamental rights.
While the EDPB's opinions carry considerable weight, it remains to be seen which authorities will be appointed by member states. The fact that DPAs are already limited in resources must be considered.
Although briefly acknowledged in the EDPB's statement, this issue was elaborated upon in a recent EU Agency for Fundamental Rights report. Analyzing DPAs' experiences, the agency identified several issues hampering effective personal data protection enforcement, with the lack of resources being one of the most significant obstacles. The report highlights the need for more staff, and staff with the right expertise, to tackle growing duties.
If EU member states follow the EDPB's recommendations, financial and other hurdles DPAs are facing will have to be addressed to prepare them for additional responsibilities.
DSA, DMA enforcement
The European Commission started July by informing Meta of its preliminary findings concerning the company's pay-or-consent model, concluding it breaches Article 5(2) of the Digital Markets Act.
According to the Commission, Meta's users are not given an equivalent alternative that uses less personal data than its service based on "personalized ads," and they are prevented from exercising their right to freely consent to the combination of their personal data.
Meta will have a chance to respond to these allegations and defend its advertising model before the Commission makes its final decision, which may lead to a massive fine if infringements are confirmed and no changes are made. The destiny of the pay-or-consent model remains unclear, as it is not only challenged in relation to its compliance with the EU General Data Protection Regulation, DMA and Digital Services Act, but also with EU consumer laws.
Two weeks later, the Commission delivered its first preliminary findings concerning a possible breach of the DSA. In its view, social platform X uses dark patterns in relation to its "verified accounts" and has an advertisement repository that is noncompliant with advertising transparency requirements. The Commission also noted issues with access to X's data for researchers.
Just as in Meta's case, X will be able to respond to these accusations before the Commission makes its final decision.
Lastly, the General Court of the European Union delivered a judgment 17 July dismissing ByteDance's attempt at challenging its gatekeeper designation under the DMA. The court concluded the Commission was correct in designating TikTok's parent company as a gatekeeper.
It argued TikTok meets the necessary quantitative requirements for such designation, including concerning its global market value, the number of users in the EU and the timespan during which this number was reached despite the launch of competing services.
This is yet another loss for ByteDance in its DMA battle, as its application for interim measures concerning the gatekeeper designation decision was rejected in February.
July IT outage ― will there be GDPR breaches?
July was also marked by a massive global IT outage, if not the biggest in history. Many services across the world, including retail, transportation, media, banking and health, were brought to a halt 19 July. Planes could not take off and hospital patients could not receive treatment.
This was caused by an error in CrowdStrike's software update that shut down millions of devices running Windows. While CrowdStrike and other companies are considering how to prevent this from occurring again, Italy's data protection authority, the Garante, is already investigating the outage's effects on personal data of the affected services, particularly public services and users.
Considering the size of the incident, it would not be surprising if various GDPR breaches are identified.
Laura Pliauskaite is European operations coordinator for the IAPP.