
FUTURE PRIVACY COMPLIANCE SERVICES FOR UPCOMING DATA LEGISLATION

EUROPE


Europe has adopted and proposed several new pieces of legislation since the General Data Protection Regulation (GDPR) that may affect your organisation or the services you use; they are a step forward in regulating the evolution of digital technology and data.

E-PRIVACY REGULATION

> On 10 February 2021, the EU Council's latest ePrivacy Regulation proposal promised to introduce strict rules on electronic communications services and on the use of cookies.

> The long-awaited ePrivacy Regulation is yet to become law, owing to the difficulty of reaching a legal compromise between effective protection of privacy and confidentiality in the use of electronic communications services on the one hand, and rules so restrictive that they could prevent the development of legitimate uses of data and innovation on the other.

> The ePrivacy Regulation will set data protection standards for all electronic communications such as text messages, e-mails, internet calls, internet access, instant messaging applications, personal messaging provided through social media, and any other form of digital communication. This would include the contents of calls, metadata (such as location tracking), and cookies (online trackers).

EU DIGITAL SERVICES ACT (DSA)

On 4 October 2022 the EU adopted the Digital Services Act (DSA). It now applies to all digital services that connect consumers to goods, services, or content. It introduces comprehensive new obligations for online platforms to reduce harms and counter risks online, introduces strong protections for users' rights online, and places digital platforms under a unique new transparency and accountability framework.

Designed as a single, uniform set of rules for the EU, these rules will give users new protections and businesses legal certainty across the whole single market.

There are tiered rules that will mostly apply from 17 February 2024.

EU DIGITAL MARKETS ACT (DMA)

On 1 November 2022 the Digital Markets Act (DMA) entered into force, and it applies from 2 May 2023. The DMA sets out rules defining and prohibiting unfair business practices, to ensure a higher degree of competition and more choice for users in the European digital markets. The DMA comes with fines of up to 10% of global turnover; it affects only the largest tech firms, known as the 'gatekeepers'.

EU DATA ACT (PROPOSAL)

The Data Act, published on 23 February 2022, is currently at the proposal stage. It aims to redefine the rules and practices on data access and use in order to foster data (re)use. The draft Act aims to ensure fairness in how the value of data is allocated among actors who are active at different levels of the data value chain, and ultimately to unlock the potential of the data economy in the era of cloud computing and the Internet of Things (IoT).

The key objectives of the proposed Data Act are:

> To give IoT device users more control over the data they generate and its use

> To enable use of privately held data by national and EU public sector bodies in cases of "exceptional" data need

> To improve switching between cloud and edge services

> To restrict access by non-EU / non-European Economic Area (EEA) governments to data held in the EU by providers of cloud and edge services

> To remove barriers to data sharing by developing interoperability standards for data reuse.

The rules set out in the proposal would be directly applicable to all sectors and across the EU as minimum standards, though future revisions of sectoral regulations (e.g., in the health, energy, finance, and automotive sectors) may go beyond these rules.

EU DATA GOVERNANCE ACT (DGA)

The DGA provides a legal framework for trading data and provides a mechanism for the re-use of public sector data.


The aim of the DGA is to encourage the voluntary sharing of data amongst businesses. It applies to non-personal data only.

The Act allows neutral data intermediaries that comply with its requirements to be listed in a public register. Such intermediaries will not be able to tie their intermediation services to other services, such as cloud storage or analytics, which are excluded from the DGA. This provision has been included to foster competition by preventing large technology providers and platforms from dominating intermediation services.

Businesses will not be obliged to share their data, but for those that would like to do so without fear of breaching data protection laws or confidentiality, the DGA is intended to provide a regulated platform to do so.


The DGA also establishes the ‘Data Innovation Board’. This will be an advisory body that will develop guidelines, common standards and interoperability requirements to promote Europe’s data economy.


Status: The DGA has been approved by the EU Council and is expected to come into force in 2023 and apply 15 months afterwards.

EU ARTIFICIAL INTELLIGENCE ACT (AIA)

In April 2021, the European Commission introduced a draft law for regulating "high-risk" AI systems – the world's first-ever legal framework on AI. Examples include models for image and speech recognition, pattern detection, and translation.

On 6 December 2022 the Council of the EU adopted its position ('general approach') on the Artificial Intelligence Act. The aim is to ensure that artificial intelligence (AI) systems placed on the EU market and used in the Union are safe and respect existing law on fundamental rights and Union values.

Risk-Based Approach to Artificial Intelligence

The GDPR's risk-based approach requires organisations to implement measures appropriate to their particular situation (i.e. the context, purposes, extent and nature of the proposed processing and the resulting risks to individuals' rights and freedoms). In the case of AI, the particular risks to individuals' rights and freedoms and the circumstances of the processing mean that an appropriate balance will need to be struck between different interests to ensure that data protection law is adhered to.

CYBERSECURITY IN THE EUROPEAN UNION

1. The NIS 2 Directive

The new directive, NIS2, will set the baseline for cybersecurity risk management measures and reporting obligations across sectors (such as energy, transport, health and digital).

2. The European Cyber Resilience Act (CRA)

On 15 September 2022 the Council of the European Union (EU) announced the Cyber Resilience Act. This Act seeks to establish common mandatory cybersecurity rules for products with digital elements and associated services that are placed on the EU market. Two main objectives were identified, aiming to ensure the proper functioning of the internal market:

> create conditions for the development of secure products with digital elements, by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product's life cycle; and

> create conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.

Four specific objectives were set out:

> ensure that manufacturers improve the security of products with digital elements from the design and development phase and throughout the whole life cycle;

> ensure a coherent cybersecurity framework, facilitating compliance for hardware and software producers;

> enhance the transparency of the security properties of products with digital elements; and

> enable businesses and consumers to use products with digital elements securely.

Organisations should start planning now with security, supplier, legal and privacy teams. The Cyber Resilience Act has connections to the EU Data Act and the EU Data Governance Act.

3. The Digital Operational Resilience Act (DORA)

Implementation date TBC; once formally adopted it will be passed into law by each EU member state. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states. The aim is to reduce vulnerabilities, mitigate cyber threats and strengthen the physical resilience of critical entities. Almost all financial entities in Europe that provide vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend will be subject to the new rules. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.

4. The European Cyber Defence Policy
5. The Strategic Compass of the European Union
6. The European Chips Act
7. The EU Cyber Diplomacy Toolbox
