By now, we’ve been living with GDPR for several years, and most transnational companies and practitioners are familiar with its core principles (the following is by no means a comprehensive list):
- setting parameters around the legal bases for the processing of personal data of data subjects located in the EU,
- data sovereignty – the principle that individual users are and should be in control of their own data,
- data minimization – the principle that companies should collect no more data than they need to perform their services or deliver their products,
- individual control of and access to personal data, including notice of privacy practices and data portability,
- onward transfer flows pursuant to standard contractual clauses or other transfer mechanisms,
- the appointment of a data protection officer and registration with an EU-based local data protection authority,
- creation of the European Data Protection Board, charged with providing guidance, review and oversight of national member state implementation.
As privacy practitioners in the US are well aware, GDPR has significant influence outside of the EU as well as within it. However, many of us, especially here in the US, may be excused for losing track of the other new EU laws either proposed or approved in recent months, namely the Data Governance Act, the Digital Services Act, and the Digital Markets Act, all three of which were initially proposed by the European Commission in 2020 as part of its strategy for data and artificial intelligence. Here is a short overview of those initiatives:
Data Governance Act (DGA) – presented by the European Commission, approved by the European Parliament in April 2022, and currently awaiting formal adoption by the Council of the European Union, the DGA would permit the reuse of public sector data that is subject to certain protections and would set rules for data intermediaries. One interesting piece of the DGA is its introduction of the concept of “data altruism.” This is data voluntarily made available by individuals or companies for the common good. The DGA would establish a mechanism for organizations to register as a “Data Altruism Organization” recognized in the EU to increase trust in their operations, and would also introduce a standardized “data altruism consent form” to lower the costs of collecting consent and to facilitate data portability, especially where the data to be made available is not held by the individual. Finally, the DGA authorizes the creation of a European “Data Innovation Board” to help facilitate the emergence of best practices by member state authorities on processing requests for the re-use of data and data sharing.
Digital Services Act (DSA) – presented by the European Commission and approved in principle by the European Parliament and the Council of the European Union, the DSA now just needs formal approval from the Parliament and Council. This act would amend the outdated e-Commerce Directive, applying primarily to providers of intermediary services such as ISPs, cloud service providers, search engines, social media and online platforms and marketplaces. Like GDPR, this would have extraterritorial effect and apply to US and other non-EU entities. It would ban advertising to minors and other individuals based on certain data categories and would also ban the use of dark patterns (misleading practices and interfaces used by providers to encourage certain online behaviors). Providers over a certain size will be required to appoint qualified compliance officers and implement systemic risk management policies and procedures, among (many) other things. Finally, the DSA authorizes the creation of an oversight board, the European Board for Digital Services.
Digital Markets Act (DMA) – like the DSA, the DMA was presented by the European Commission, approved in principle by the European Parliament and the Council of the European Union, and is now pending formal approval. This rounds out the Commission’s data strategy triumvirate by addressing competition law. It applies to companies that provide “core platform services” (online intermediation services, search engines, social networking services, video-sharing platforms, and cloud computing services) in at least three member states, meet certain turnover, size, or market capitalization thresholds, and also have a minimum number of active end or business users in the last three financial years. These gatekeepers would be subject to a long list of rules around what they may or may not do with personal data, with the biggest ban being on the combination and cross-use of personal data collected during the use of one service for the purposes of another service offered by the same gatekeeper. The DMA authorizes the creation of a Digital Markets Advisory Committee.
Many practitioners and companies are wondering whether and to what extent GDPR will need updating to reflect these initiatives, and it is worth emphasizing that they are not intended to amend or change the core principles of the GDPR. Instead, they are intended to expand upon and, in some cases, create additional rights for individual data subjects (read: individual people) in the EU. While many of these acts have little if anything to do with privacy per se, the European Commission’s view is that they would not have been possible without the privacy-by-design framework established by GDPR. There is definitely more to come: the European Commission has clarified that this growing body of laws is still very much in flux.
In other EU privacy news, in March of this year the U.S. and EU announced an agreement in principle on a new “Trans-Atlantic Data Privacy Framework” to replace the Privacy Shield, invalidated in 2020, and its predecessor, the Safe Harbor, invalidated in 2015. The timeline for adoption of the Framework is still unclear, and adoption will require the U.S. to adopt safeguards on surveillance activities that are intended to strengthen privacy and civil liberties protections. Companies participating in the Framework will need to self-certify their adherence.
Stay tuned here for updates, and if you have any questions about any of the developments described above, please contact the Carney Privacy Team. We are here to help!