The IAPP Global Privacy Summit 2024 may have been in Washington, D.C., but it surely felt like Brussels at times — even more so with the grey skies and occasional rain.

The "Brussels effect" was prominently featured on the main stage during the thoughtful keynote remarks of Columbia Law School Professor Anu Bradford, who coined the expression to capture the global impact of the European machine as it assertively develops, promotes and exports its human-centric regulation. Bradford observes that Europe offers one model of a "digital empire," set against the other two: the U.S. and China.

Sure enough, the Brussels effect was on full display throughout the Summit, from workshops and panels to sidebar conversations. The acronym soup of new data-governance legislation continues to raise significant questions, concerns and challenges. The private sector — and, to be candid, regulators as well — are trying to untangle how these laws interact with their privacy strategies and compliance approaches. They are trying to extrapolate the implications for their governance structures and business models.

There is no straight answer to any of these considerations, and perhaps what transpired most regularly in the conversations I had this week was the daunting and disorienting effect of not knowing when we will know. The intricate picture that is so delicately forming before us is no doubt one of the most complex our profession has ever had to face.

Elsewhere:

  • France's data protection authority, the Commission nationale de l'informatique et des libertés, provided a detailed look into the country's personal data breach notification tendencies in a report covering the first five years of the EU General Data Protection Regulation. The report states the CNIL received 17,483 personal data breach notifications over this period, and it identifies the most affected sectors, breach origins, geographical distributions and more. The CNIL concluded the number of breach notifications is growing over the years and at least half of those notified are linked to hacking.
  • In a 27 March court order, the vice president of the European Court of Justice required Amazon to make its advertisement repository publicly available as part of its obligations as a very large online platform under the Digital Services Act. The decision to reject a request for interim measures was reached after completing a balancing test of the interests of the European Commission and Amazon. While the order confirmed Amazon's fundamental rights may be limited and it could suffer serious and irreparable harm without the suspension, it did not find the requirement to publicly disclose its advertising repository would endanger Amazon's existence or long-term development. Another decisive factor was the risk of severely delaying the full achievement of the DSA's objectives, which would pose a threat to the protection of fundamental rights online. While the order closes the chapter on the interim measures, the remainder of the case concerning Amazon's very large online platform designation remains ongoing.
  • On 26 March, the European Council adopted the regulation on the European digital identity, which will establish an interoperable and more secure online authentication and identification framework across Europe. The regulation will allow European citizens to have a digital wallet in the form of a mobile app that will store various documents, such as digital driver's licenses for access to different private and public services, and make them more easily accessible. It will also allow Europeans to use the wallets in any member state and in ways that give them more control over who can access their personal data and when. The law will come into force 20 days after being published in the Official Journal of the European Union, and it will be directly applicable in all member states in 2026.
  • The EU Artificial Intelligence Act requires member states to designate national competent authorities responsible for the regulation's application and implementation at the national level. While each member state is free to determine which new or existing public entity will take up this role, they are required to choose one notifying authority and one market-surveillance authority within 12 months from the act's entry into force. Last week, Italy's data protection authority, the Garante, expressed its interest in the position when it officially reached out to the Italian Parliament and government. According to the Garante, given the close link between AI and data protection and its expertise in both fields, this role would be within its jurisdiction.