On 27th November, the Council announced it had ‘adopted a new Regulation on harmonised rules on fair access to and use of data (Data Act)’. According to the Council, the law aims to establish ‘new rules on who can access and use data generated in the EU across all economic sectors’. More specifically, amongst other things, the law aims to: ‘ensure fairness in the allocation of value from data among actors in the digital environment’; ‘stimulate a competitive data market’; ‘open opportunities for data-driven innovation’; ‘make data more accessible to all’; ‘ease the switching between providers of data processing services’; put ‘in place safeguards against unlawful data transfer’; provide ‘for the development of interoperability standards for data to be reused between sectors’; ‘give both individuals and businesses more control over their data through a reinforced portability right’; and ‘empower consumers and companies by giving them a say on what can be done with the data generated by their connected products’. In the forthcoming weeks, the Regulation will be published in the Official Journal and will enter into force twenty days after this publication. The Regulation will then apply twenty months after its entry into force – with the exception of Article 3(1) concerning ‘simplified access to data for new products’, which will apply to connected products and related services 32 months after the Regulation enters into force.
– Political Agreement Reached on the Cyber Resilience Act –
On 1st December, the Commission announced ‘the political agreement reached last night between the European Parliament and the Council on the Cyber Resilience Act’. According to the Commission, the Act will ‘improve the level of cybersecurity of digital products to the benefit of consumers and businesses across the EU, as it introduces proportionate mandatory cybersecurity requirements for all hardware and software, ranging from baby monitors, smart watches and computer games to firewalls and routers’. The Commission highlights, amongst other things, that the Act will require ‘manufacturers of hardware and software…to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market’. Moreover, the Act will ‘introduce a legal obligation for manufacturers to provide consumers with timely security updates during several years after the purchase’. The Act must now be formally approved by the Parliament and Council. Following its approval and adoption, it will enter into force 20 days after its publication in the Official Journal. After the Act enters into force, ‘manufacturers, importers and distributors of hardware and software products will have 36 months to adapt to the new requirements, with the exception of a more limited 21-month grace period in relation to the reporting obligation of manufacturers for incidents and vulnerabilities’.
– EDPB Adopts Best Practices on the Organisation of Plenary Meetings –
On 14th November, the EDPB adopted their ‘Best practices for the organisation of EDPB Plenary meetings’. In essence, the document aims to provide ‘guidance on how the EDPB Plenary meetings should be organised, considering in particular its interaction with the EDPB Expert Subgroup (ESG) and Taskforce (TF) meetings’. More specifically, the document aims to ‘focus and prioritise the work of the Plenary, to improve the flow and sharing of information and to increase the efficiency of the plenary meetings’. In this regard, the document is broken into seven substantive sections, dealing with, in turn: ‘Roles and responsibilities’; ‘Plenary agendas’ – including concerning scheduling, agenda items and their submission, the exchange of documents, and agenda structure; ‘Written procedure’; ‘Maturity of agenda items’ – including concerning the focus of the Plenary sessions, ‘Info notes’, and ‘Requests for mandates’; ‘Plenary discussions’ – including concerning the structure and scope of discussions; ‘Outcome of the plenary’; and ‘Periodic evaluation’. The document does not concern substantive aspects of substantive law. It is, nevertheless, worthy of attention in its elaboration of the procedural structures of one of the key fora in EU data protection law. The Plenary sessions are, after all, where many EDPB decisions are made and where many EDPB documents are adopted.