Have you taken a break from your usual spot in front of the computer screen over the past few weeks? No worries, this article provides a succinct overview of the significant advancements in the world of technology and data that have transpired over the summer. You’ll soon discover that the summer has been exceptionally eventful in this regard.
EU Commission adopted adequacy decision for EU-US Data Privacy Framework
On 10 July 2023, the EU Commission announced the adoption of its adequacy decision pertaining to the EU-US Data Privacy Framework (“EU-US DPF”). This decision allows for seamless data transfers between businesses in the EU and the US. Read more here.
The EU-US DPF removes the need to use another transfer mechanism. As a result, your company will not need to enter into additional contractual instruments (such as Standard Contractual Clauses) or conduct a transfer impact assessment (“TIA”). However, transfers to US-based processors will still require a GDPR-proof data processing agreement. Prior to the transfer, we recommend verifying on the DPF website whether the recipient (organization) in the US is indeed certified under the EU-US DPF and whether the relevant data transfer is covered by such certification.
If the recipient (organization) in the US is not on the DPF website, you will need to use another transfer mechanism (typically the Standard Contractual Clauses) and a simplified/light TIA. Depending on the outcome of the TIA, your company may need to implement supplementary measures (or continue using measures that existed prior to the DPF’s adequacy decision) to make up for any gaps in the level of protection for the transferred data.
On 7 September 2023, Philippe Latombe, a French lawmaker, made a significant announcement. In a press release, he revealed his intention (in a personal capacity, as a citizen of the Union) to challenge the EU-US DPF before the European Union’s General Court. One of the actions he announced seeks the prompt suspension of the EU-US DPF. Latombe asserts that “the text resulting from these negotiations violates the Union’s Charter of Fundamental Rights, due to insufficient guarantees of respect for private and family life with regard to bulk collection of personal data, and the General Data Protection Regulation (GDPR)”.
European Data Protection Board analysed adequacy decision review for Japan
On 19 July 2023, the European Data Protection Board (“EDPB”) released a comprehensive statement in response to the EU Commission’s review of the adequacy decision adopted on 23 January 2019 for data transfers between the EU and Japan. This review examined the effectiveness of the Japanese legal framework in guaranteeing an adequate level of protection for personal data transferred from the European Union. The findings affirm that the Japanese legal framework aligns with the requirements outlined in the GDPR.
However, the EDPB identified some areas that require closer monitoring, such as the new category of “pseudonymized” personal information and the use of consent in situations of power imbalance. Ultimately, the EDPB concurred with the EU Commission’s evaluation of the review and expressed its approval of the Commission’s proposal to transition to a four-year review cycle.
EU reached agreement on Data Act
On 27 June 2023, the EU Parliament and Council reached a political agreement on the EU Data Act (“Act”), a new piece of comprehensive data legislation for Europe. The Act aims to boost the data economy, unlock industrial data and promote a competitive European cloud market. It introduces rules for access to and use of non-personal data in various industries.
The Act covers data access and sharing for connected devices, conditions for data sharing, government access to data and data portability obligations for cloud service providers.
The political agreement is now subject to formal endorsement by the two institutions. Currently, the agreed text is undergoing legal-linguistic revision. Both co-legislators have announced that they will adopt the final text as quickly as possible. Once adopted, the EU Data Act will enter into force on the 20th day following its publication in the Official Journal and will become applicable 20 months after its entry into force – a relatively long implementation period, but one that is urgently needed for businesses to prepare for the far-reaching changes that this new EU data law will bring.
For more information on the Act, we have summarized its main aspects and explored its key features in detail in our Law Now. Also, don’t miss the opportunity to attend our two webinars on this topic (11 and 12 September). Register now here.
Potential “Gatekeepers” under the Digital Markets Act (“DMA”)
3 July 2023 was the deadline for large, systemic platforms to notify the Commission that they meet the thresholds to qualify as gatekeepers under the DMA. On 6 September 2023, after reviewing the submissions, the EU Commission designated six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft – under the DMA.
The Commission said that a total of 22 core platform services operated by the six gatekeepers have been designated under the DMA, including four social networks (TikTok, Facebook, Instagram and LinkedIn). The designated gatekeepers now have six months to comply with the obligations set out in the DMA, including:
- Ecosystem liberation: One of the pivotal changes is that gatekeepers will no longer be able to lock users into their proprietary ecosystems.
- App installation autonomy: Gatekeepers will no longer retain the authority to dictate the obligatory pre-installation of specific apps on users’ devices or enforce the exclusive use of particular app stores.
- Self-preference prohibition: Gatekeepers will be prohibited from displaying preferential treatment towards their own products and services, thereby ensuring fair competition.
- Interoperability mandate: Their messaging applications will have to seamlessly interact with other platforms, promoting enhanced interoperability.
For more detailed information on the DMA, see our previous article.
Big tech companies’ efforts to develop AI models to compete with OpenAI’s ChatGPT
In the fast-moving AI sector, tech giants such as Google, xAI, Apple and Meta are vying for prominence.
On 12 July 2023, Elon Musk announced the formation of xAI, a company aimed at understanding “the true nature of the universe”, to take on OpenAI. On 13 July 2023, Google launched “Bard” in the EU, a rival to OpenAI’s ChatGPT. The launch was delayed by a month due to privacy concerns raised by the Irish Data Protection Commission. Meta (formerly Facebook) unveiled plans to launch a commercial version of its AI model “LLaMA”. Finally, Apple is preparing its own large language model called “Ajax”.
Companies should proceed with caution and understand the legal implications of using Generative AI Technologies and Large Language Models. Privacy concerns, exposing confidential information, reputational damage and legal liability are all risks that companies need to consider when using AI models.
We recommend implementing an internal, company-wide policy regarding Generative AI Technologies and Large Language Models. Such a policy will underscore your company’s commitment to the responsible integration of these AI models, ensuring that their use is aligned with your mission and security protocols and that the associated risks are effectively mitigated. CMS can assist you in drafting this essential policy.
Financial and payment services
On 23 August 2023, the European Data Protection Supervisor released two significant opinions. The first opinion pertained to the proposal for a Regulation on a Financial Data Access Framework, while the second opinion related to the proposal for a Regulation and Directive on payment services within the EU’s internal market. These two proposals share a common goal of promoting data sharing to expand the range of available financial services and products, while still ensuring that individuals and organizations retain control over the processing of their financial data.
Digital Services Act (“DSA”) became enforceable for VLOPs and VLOSEs
The DSA encompasses regulations that apply to a wide spectrum of online intermediaries and platforms, including online marketplaces, social media networks, content-sharing platforms, app stores, messaging services, network infrastructure services and online search engines, as they provide their services to both EU businesses and individuals. For more detailed information on the DSA, you can refer to our previous article on the topic.
On 25 August 2023, the DSA became legally enforceable primarily for Very Large Online Platforms (“VLOPs”) and Very Large Online Search Engines (“VLOSEs”), as outlined in greater detail here. These VLOPs and VLOSEs specifically refer to major technology giants, namely those online platforms and search engines boasting over 45 million monthly active users within the EU.
The DSA will subsequently extend its full applicability to all intermediary service providers in February 2024. It is noteworthy that the maximum fine that may be imposed under the DSA stands at 6% of the total annual worldwide revenue earned in the preceding financial year. This ceiling is even higher than the one stipulated by the GDPR.
The relentless wave of cyberattacks that continues to roll in
Cyberattacks persist as an enduring scourge. In this article (available in French and Dutch), we have succinctly outlined several essential steps to consider in the aftermath of a cyberattack:
- Notification to the Data Protection Authority (“DPA”): In the event of a cyberattack affecting individuals’ data, the controller must promptly notify the DPA, unless there is no risk to the affected individuals. This notification must be submitted within 72 hours of discovering the incident. Recognizing that comprehensive information may not be immediately available, the reporting process typically unfolds in two stages: an initial report is filed within the 72-hour timeframe, followed by a more detailed follow-up report, which may be sent to the DPA after a few days or even weeks.
- Notification to data subjects: When a cyberattack carries a high risk for the individuals whose data has been compromised, the controller must also inform all data subjects. This obligation arises, for instance, when sensitive information is exposed on a ransomware group’s website following an attack. Affected customers should receive the following information: (i) a comprehensive description of the cyberattack; (ii) the name and contact details of the Data Protection Officer or another point of contact for further information; and (iii) an explanation of the potential consequences of the cyberattack concerning their personal data.
- Fraudulent payments: In cases where you, your customers or your suppliers fall victim to a Man-in-the-Middle (“MitM”) attack, there is a substantial risk that account numbers on incoming and outgoing invoices have been tampered with, leading to payments being directed to fraudulent accounts. It is essential to understand that making payments to unauthorized parties does not absolve the debtor of their financial obligation. In practical terms, this means that if a debtor mistakenly pays a fraudulent account following a MitM attack, they remain liable to their creditor for the original invoice amount.
- IT service provider liability: Should your IT service provider experience a cyberattack that results in damage or losses at your end, you may pursue legal action to hold them accountable. This assumes, however, that the cyberattack was facilitated by an error on the part of your service provider and that their liability has not been expressly excluded in your contractual agreement with them.
- Cyberattack insurance: Explore insurance coverage for prompt technical, operational and legal support.