In the early hours of Friday, 13 May, the European Parliament and the Council of the EU reached provisional political agreement on a new framework EU cybersecurity law, known as “NIS2”. This new law, which will replace the existing NIS Directive (which was agreed around the same time as GDPR, see here) aims to strengthen EU-wide cybersecurity protection across a broader range of sectors, including the pharmaceutical sector, medical device manufacturing, and the food sector.
On April 23, 2022, the European Parliament and Council of the EU announced that they reached a provisional political agreement on the Digital Services Act (“DSA”) during their final trilogue meeting. The news comes roughly one month after the provisional political agreement on the Digital Markets Act (“DMA”).
Both acts are part of the European…
Update: On May 3, 2022, the European Commission published the official version of the proposal for a European Health Data Space Regulation. It’s open for feedback until July 14, 2022.
Original blog post: On March 3, 2022, a leaked version of the proposal for a regulation setting up the European Health Data Space was published. The draft regulation will set up a common framework across EU Member States for the sharing and exchange of quality health data (such as electronic health records, patient registries and genomic data). The European Commission has not yet released an official version of the proposal. It is expected to do so on May 3.
The leaked proposal is a lengthy document (126 pages, excluding annexes) that contains within it a number of different sets of rules. Key requirements that are likely to be of interest to organizations in the life sciences sector are that the draft regulation proposes to:
- create new patient rights over their electronic health data, and set out rules regarding the use of electronic health data for primary care;
- establish a pre-market conformity assessment requirement for electronic health record systems (“EHR systems”);
- set out rules that apply to digital health services and wellness apps; and
- introduce a harmonized scheme for providing access to electronic health data for secondary use.
The German Conference of Independent Supervisory Authorities (“DSK”) published a statement on scientific research and data protection on March 23, 2022 (see here, in German). The DSK published the statement in response to the German Government’s initiative on a general law on research data as part of its Open Data Strategy, announced on July 6, 2021. The DSK also refers to the Government’s intention to introduce a law on the use of health data, including the storage of data in electronic health records.
The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here). Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
On March 25, 2022, the EU Commission and US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here). The Commission and the U.S. published draft factsheets outlining the…
On March 21, 2022, the European Data Protection Board (“EDPB”) published its draft Guidelines 3/2022 on Dark patterns in social media platform interfaces (hereafter “Guidelines”, available here), following the EDPB’s plenary session held on March 14, 2022. The stated objective of the Guidelines is to provide practical guidance to both designers and users of social media platforms about how to identify and avoid so-called “dark patterns” in social media interfaces that would violate requirements set out in the EU’s General Data Protection Regulation (“GDPR”). In this sense, the Guidelines serve both to instruct organizations on how to design their platforms and user interfaces in a GDPR-compliant manner, and to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices). The Guidelines are currently subject to a 6-week period of public consultation, and interested parties are invited to submit feedback directly to the EDPB here (see “provide your feedback” button).
In this blog post, we summarize the Guidelines and identify key takeaways. Notably, while the Guidelines are targeted to designers and users of social media platforms, they may offer helpful insights to organizations across other sectors seeking to comply with the GDPR, and in particular, its requirements with respect to fairness, transparency, data minimization, purpose limitation, facilitating personal data rights, and so forth.…
On March 2, 2022, following a fast-track legislative process in the French National Assembly and Senate, President Macron of France signed into law a new piece of legislation designed to reinforce parental controls over minors’ access to the Internet (the “Law”) (see final text of the Law published in the Official Journal here, in French).
The Law will apply primarily to manufacturers of devices that enable minors to access online services and content “likely to harm [their] physical, mental or moral development” (e.g., computers, smart phones, and tablets). The Law – which extends only to devices sold with an operating system (e.g., PCs, mobile phones, tablets, smart TVs) – requires manufacturers of such devices to provide a pre-installed parental control system which can be activated by parents or guardians upon first use. The installation, use, and (where applicable) uninstallation of the system must be provided to end users at no additional cost.…
On February 23, 2022, the European Commission published the draft EU Regulation on harmonized rules on fair access to and use of data, also referred to as the “Data Act” (available here). The Data Act is just the latest EU legislative initiative, sitting alongside the draft Data Governance Act, Digital Services Act, and Digital Markets Act, motivated by the EU’s vision to create a single market for data and to facilitate greater access to data.
Among other things, the proposed Regulation:
- grants “users” of connected “products” and “related services” – meaning a digital service incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions – offered in the EU rights to access and port to third parties the data generated through their use of these products and services (including both personal and non-personal data);
- requires manufacturers of these products and services to facilitate the exercise of these rights, including by designing them in such a way that any users – which may be natural and legal persons – can access the data they generate;
- requires parties with the right, obligation or ability to make available certain data (including through the Data Act itself) – so-called “data holders” – to make available to users the data that the users themselves generate, upon request and “without undue delay, free of charge, and where applicable, continuously and in real-time”;
- requires data holders to enter into a contract with other third-party “data recipients” on data sharing terms that are fair, reasonable and non-discriminatory; relatedly, any compensation agreed between the parties must be “reasonable” and the basis for calculating the compensation transparent, with special rules set out for micro, small or medium-sized data recipients to facilitate their access to the data at reduced cost;
- authorizes public sector bodies and Union institutions, agencies or bodies to request access to the data in “exceptional need” situations;
- requires certain digital service providers, such as cloud and edge service providers, to implement safeguards that protect non-personal data from being accessed outside the EU where this would create a conflict with EU or Member State law;
- requires such data processing service providers to make it easy for the customers of such services to switch or port their data to third-party services; and
- imposes interoperability requirements on operators of “data spaces”.
As a next step, the Council of the EU and the European Parliament will analyze the draft Regulation, propose amendments and strive to reach a compromise text that both institutions can agree upon. Below, we discuss the key provisions of the Data Act in more detail.