Organizations have been “struggling” with the EU General Data Protection Regulation since its implementation in 2018, while awaiting the ePrivacy Regulation, originally intended to take effect alongside the regulation three years ago.

“And we thought that’s the only thing we would need to be struggling with,” IAPP Senior Westin Research Fellow Jetty Tielemans said.

But this past year, the European Commission announced its digital strategy, including the proposed Data Governance Act, Digital Services Act, Digital Markets Act and the Data Act. In a discussion on LinkedIn Live, Tielemans and the European Commission’s Christian D’Cunha discussed the “complicated web of legislative initiatives,” anticipated impacts of the proposals, and intersections with the GDPR.

“It’s all about the digitalization of the EU economy. The broad policy context for all of this is that this Commission, under President Ursula von der Leyen, has two big priorities. First, it’s the green transformation, and secondly, it’s the digital transformation, and they’re closely intertwined,” D’Cunha said.

The European Commission, European Parliament and the Council of the European Union reached agreement last week on the DGA, which would create a framework for secure data sharing, while D’Cunha said the DMA and DSA are “making swift progress” with hopes among some for adoption early next year.

Tielemans noted the DGA centers around “an open data marketplace,” while the GDPR “tends to have a rather restricting effect on the sharing of data.” She asked how companies that want to engage in data sharing under the DGA and meet compliance requirements can be sure they will not violate the GDPR.

“It is very important that any EU act does not in any way compromise the achievement of the GDPR and doesn’t compromise or interfere with the competence of independent supervisory authorities for personal data,” D’Cunha said. A clarification to the DGA noted that “wherever personal data is concerned, wherever there are mixed data sets, and you can’t separate personal data from the non-personal, then the GDPR fully applies … I think the reality of data processing now is that potentially all data could be personal, or it could pose some sort of risk to individuals, or more widely to society, and therefore you need to treat that data with respect because it could have an impact on individuals.”

Tielemans said she finds the Data Act “particularly intriguing” and “a bit of a mystery” as there’s no formal proposal out yet. She asked D’Cunha to shed some light on what that could look like.

He said it’s the “last big” initiative under the EU’s data strategy.

“The DGA is about sharing, it’s about voluntary data sharing. The DMA is about ensuring a competitive environment for digitalization. But the Data Act is about rights” and obligations around using and reusing data,” he said.

The proposal will cover connected devices, the business-to-government relationship, and enabling value from data, and a proposal could be expected around February 2022, he said.

Looking at other regulations within the EU’s digital strategy, Tielemans said there have been increasing calls from regulators to tackle the issue of targeted advertising and questions around why proposals do not include a ban.

D’Cunha said the DSA takes a “technology neutral approach,” so while there are rules around advertising, “the main focus is to set a process for how platforms and other intermediaries interact with users’ content.”  

“So, it brings one set of rules on content moderation and accountability of online platforms in the EU and ensures there is a higher standard of protection of fundamental rights, as well as ensuring safety online. That’s the main priority,” he said. “Advertising is a part of that priority, but it’s not the main focus.”

A study around advertising technology, privacy and impact on publishers and advertisers will be underway in the new year that D’Cunha said will “look at what would a more sustainable and balanced ecosystem for advertising look like.”

“What we want to do in the EU through all of this regulation — and I accept that from a compliance perspective especially if you are a small company, it must be very intimidating — but the idea is to try to create a regulatory environment where people can trust what happens online and at the moment, they don’t.”

Photo by Philipp Katzenberger on Unsplash