It may be summer in Brussels and Portsmouth, New Hampshire, but there is no time for a break yet; privacy professionals and digital policy wonks are busy.
The International Association of Privacy Professionals held its annual leadership retreat this week in beautiful New Hampshire. The peacefulness of the scenery was in contrast with the theme for the year: digital entropy, the notion of disorder and uncertainty. Applied to our fields of privacy, artificial intelligence governance and broader data responsibility, it translates into ever-so-complicated legislative and regulatory environments, challenges to a long-standing governance structure and new risks to address. Thankfully it is not all somber, quite the opposite, as opportunities exist.
The EU-U.S. CLOUD agreement
An agreement between the EU and the U.S. regarding access to electronic evidence in criminal investigations has been in negotiations for a few years, but it seems that there may be actual and significant progress. According to the joint statement released after last week’s EU-U.S. Ministerial Meeting on Justice and Home Affairs that took place in Brussels, "both sides welcomed further progress on the negotiations for an EU-U.S. agreement facilitating access to electronic evidence in criminal proceedings, and look forward to advancing and completing those negotiations."
This may suggest considerable advancement, as such strong confirmation from both sides of the Atlantic is unprecedented. The negotiations have stumbled over delicate issues, particularly those stemming from a European patchwork of countries with very diverse systems and maturity levels in their government access practices. As the European Commission will surely reflect in its upcoming 2024 Rule of Law report, there are also genuine concerns regarding democratic values in several member states like Hungary, which, ironically, is about to take over the rotating Presidency of the Council of the European Union in July.
Last year, Europe saw significant legislative advancements in the government access to data area, including the adoption of the e-Evidence Regulation, which was analyzed in detail by the IAPP Westin Research Fellow Luke Fischer in his article on its legislative package. For a broader view of government access instruments in Europe, check out Navigating Government Access to Private Data in the EU.
The first outcomes of the Digital Markets Act investigations surface
In a 24 June press release, the European Commission announced Apple's App Store rules are in breach of the Digital Markets Act — the European law regulating the gatekeeper powers of large online platforms in order to ensure a fair and contestable digital economy. The preliminary findings stem from investigations that started in March in relation to certain practices of three of the designated gatekeepers: Apple, Alphabet and Meta. With these findings, the Commission argues the Apple Store's current business terms are in breach of the DMA's rules on steering, as they prevent app developers from freely communicating alternative offers and purchasing channels to consumers.
Apple will now have a chance to respond to the Commission's claims to defend its practices or make changes to ensure compliance with the DMA. If these preliminary findings are confirmed, the Commission will adopt a final decision by the end of March 2025, within 12 months from when the investigations began, which could result in a fine of up to 10% of Apple's worldwide turnover. On the same day, the Commission announced yet another investigation into Apple's terms on third-party app developers and app stores, which sends a strong message to Apple and other companies that the Commission is serious about DMA enforcement.
Activity continues on the Digital Services Act front
The European Board for Digital Services met for the fifth time 20 June to discuss the June European Elections and guidelines on minor protections online, among other items. The board has established eight working groups to work specifically on content moderation and data access, integrity of the information space, consumers and online marketplaces, and protection of minors, among other things.
While very large online platforms and very large online search engines were designated in April 2023 and have already published transparency reports twice, some adult entertainment platforms designated more recently faced their first reporting obligations this week, and their reports will shed light on their content moderation practices. The European Commission will analyze them closely in light of online protection of minors and age-gating.
Preparing for the implementation of the EU AI Act
The EU AI Board has already started preparations for the implementation of the EU AI Act before the law's publication in the Official Journal of the EU, which is expected in July. It held its first meeting last week, during which its members — delegates from the Commission, the AI Office and all member states — addressed the board's organization and role, discussed approaches to AI Act implementation at national and Commission levels, and touched upon the Commission's first priorities and deliverables. The board will resume its periodical meetings after the summer, once the AI Act has entered into force.
Last, but not least, registrations for the IAPP European Data Protection Congress 2024 are open!
Isabelle Roccia is the managing director, Europe, for the International Association of Privacy Professionals.