Spanish technology company Paradigma Digital has recently analyzed the legislative developments that companies should take into account this year in terms of data protection, following the intense legislative activity of 2022, as well as some others still pending approval.
According to Carmen Troncoso, Data Protection Delegate at Paradigma Digital, among the main developments and trends that may affect data protection in 2023, the following stand out, which are part of the cybersecurity strategy of the European Union:
1. European Artificial Intelligence Law
In April 2022, a proposal for a regulation was approved establishing harmonized standards on Artificial Intelligence in the European Union. This regulation encourages the use of AI and the development of its industry under “democratic standards” so that “technology completes human work”.
It will be applicable to all uses of AI that affect EU citizens, regardless of the headquarters of the service provider or the place where the system is developed or executed, inside or outside the borders of the EU, as is already the case with the European Data Protection Regulation.
It addresses the risks of specific uses of AI, classifying them into four different levels: unacceptable risk, high risk, limited risk and minimal risk, to ensure that Europeans can trust the AI they are using. The regulation is also key to building an ecosystem of excellence in AI and positioning Europe to play a leading role globally, as it would be the first world power to have this type of regulation.
2. Digital Markets Law and the Digital Services Law
In addition, on November 1, 2022, two decisive EU regulations for online platforms entered into force, although they will begin to be applicable as of May 2, 2023:
The first is the Digital Markets Act (DMA). This rule seeks to put an end to unfair practices by companies that act as gatekeepers in the online platform economy.
It defines when a large online platform qualifies as a “gatekeeper.” These are digital platforms that provide an important gateway between business users and consumers, whose position can give them the power to act as a private rule maker and thereby create a bottleneck in the digital economy.
As for the Digital Services Act, or DSA, it seeks to create a safer and more responsible online environment, offering new protections to users and legal certainty to companies throughout the single market by regulating online intermediaries, thus becoming an international reference as a pioneer in establishing a regulation of this type.
3. New data protection agreement between Europe and the US
After the annulment of the previous agreement in 2020 and two years of negotiations, a new agreement has been approved whose objective is to restore an important legal basis for transatlantic data flows. It is intended to address the issues raised by the Court of Justice of the European Union, thus trying to prevent it from being annulled again on the grounds that the United States did not give sufficient guarantees to protect the privacy of the data.
“This agreement explains how the flow of data between the EU and the US will be allowed in a predictable, reliable way, balancing security, the right to privacy and data protection,” points out Carmen Troncoso from Paradigma Digital.
4. NIS 2 Directive
In December 2022, the NIS 2 Directive entered into force: Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022, regarding measures aimed at guaranteeing a high common level of cybersecurity throughout the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
This directive establishes cybersecurity obligations for member states, measures for cybersecurity risk management and notification obligations for entities within its scope, obligations relating to the exchange of information on cybersecurity, as well as supervision and enforcement obligations for member states.
5. Cybersecurity regulation proposal for products with digital elements
In addition, in September 2023 the European Commission approved the Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements, which amends Regulation (EU) 2019/1020.
The proposed regulation aims to set EU-wide cybersecurity requirements for a wide range of hardware and software products and their remote data processing solutions. These include, for example, browsers, operating systems, firewalls, network management systems, smart meters, or routers.