The overall sentiments across hallways and corridors of the IAPP Europe Data Protection Congress 2024 are often a mix of complexity of challenges and excitement at the opportunities ahead for the field. During a panel on artificial intelligence regulation, Bavarian State Office for Data Protection Supervision President Michael Will offered some comforting words many delegates would probably want to embrace: "don't panic."
What happened to the Cookie Pledge?
On 8 Nov., the European Commission published several documents on the Cookie Pledge — an initiative aiming to find ways to ensure users understand how and for what their data is processed, and what consequences it entails, while also simplifying cookie management.
The hoped-for outcome — voluntary commitment to pledging principles addressing the "cookie fatigue" phenomenon by some businesses — never materialized for several reasons, including the lack of legal certainty regarding the relationship between the principles and the EU General Data Protection Regulation and the ePrivacy Directive.
Although the Cookie Pledge initiative is dead, the Commission hopes the draft principles will live on and work as a starting-point for future projects on the topic.
Will the EU have liability rules specifically for AI?
The Commission tabled proposed AI Liability Directive in 2022, but there was little progress on this file during the previous term.
Despite talks suggesting its revival, the recent European Parliament's complementary impact assessment suggests the proposal may be outdated. Its relevance was also questioned during the 11 Nov. technical meeting of the Council. According to MLex, many member states criticized the complexity of the proposal's legal provisions and doubted the existence of a legal gap it aims to address.
What the EDPB is saying about the Recommendations on Access to Data for Effective Law Enforcement
The European Data Protection Board released a statement on the Recommendations of the High-Level Group on Access to Data for Effective Law Enforcement published earlier this year, sharing concerns regarding the possible interference of some of the 42 recommendations with the right to data protection and privacy.
The EDPB highlighted the lack of objective evidence supporting the recommendations, particularly focusing on issues related to data retention and encryption. The EDPB advised being cautious with the scope of any future rules on data retention, asking to pay special attention to general and indiscriminate retention. It also warned against measures that would result in indiscriminate weakening of encryption.
Is the EU-US Data Privacy Framework working? Yes, but.
The EDPB published its report on the European Commission's first review of the EU-U.S. Data Privacy Framework 4 Nov. The report looks at the framework's commercial aspects as well as at the U.S. government access to personal data transferred from the EU under the framework.
Concerning the commercial aspects, the EDPB concluded all relevant steps for implementation were taken, but it also pointed out the low number of eligible complaints and suggested the U.S. address this by increasing the number of ex officio investigations concerning substantial compliance of certified organizations with all DPF principles.
The board also called for the adoption of guidelines for U.S. importers on the DPF's Accountability for Onward Transfer Principle and guidance to resolve the diverging interpretation of human resources data by the EU and U.S. authorities.
Regarding the assessment of the U.S. government's access to personal data, and particularly Executive Order 14086, the EDPB focus gravitates away from redress and closer to the notions of necessity and proportionality. The board's comments about the lack of specificity on how the U.S. interprets and applies necessity and proportionality could anchor critics as a future court challenge still looms for the DPF.
Laura Pliauskaite is European operations coordinator for the IAPP.
