News Update Data Protection & Cybersecurity

The GDPR's entry into force in May 2018 has not marked the end for new data protection and cybersecurity initiatives. On the contrary, new laws and regulations at national and EU level continue to be introduced.

The European Commission has recently adopted its 'Strategy for Data', which aims to propose new legislation, the latest being the Data Act and Data Governance Act. The EU's focus seems to have gotten broader than just 'personal data' as it focuses on data in general.

In this overview, we highlight the status of some important developments:

1. Data Act
2. Data Governance Act
3. Network and Information Security Directive 2 (NIS2)
4. Dutch Data Protection Collective Act
5. Dutch P2B Regulation Implementation Act
6. Transparency and Targeting of Political Advertising Regulation
7. Monitoring and Reporting of CO2 Emissions Regulation

1. Data act

The European Commission published the proposal for the Data Act on 23 February 2022, complementing the Data Governance Regulation. While the Data Governance Act (discussed in the next section) creates the processes and structures to facilitate data, the Data Act aims to maximise the value of data by ensuring that more stakeholders, for example the aftermarket, gain control over their data and that more data is available for innovative use while preserving incentives to invest in data generation. It proposes measures to create a fair data economy by enabling data access and use, including in business-to-business and business-to-government situations.

The proposed Data Act envisages basic rules for all sectors on the rights to use data, such as in the areas of smart machinery, automotive or consumer goods. It contains measures to give users of connected devices (instead of exclusively manufacturers) access to the data generated about them by these devices. Furthermore, measures are included to rebalance the bargaining power of small and medium-sized enterprises by preventing the abuse of contractual imbalances in data sharing agreements.

Moreover, the Data Act's new rules allow businesses and consumers to switch effectively between cloud service providers and provide safeguards against unlawful data transfers.

2. Data Governance Act

The European Commission proposed the Data Governance Act on 25 November 2020, which aims to make more data available and facilitate data sharing across sectors and EU countries. This is expected to leverage the potential of data to benefit European citizens and businesses. The proposal regulates, among others, the re-use of public sector data, data sharing among businesses against remuneration (data sharing services), and data use on altruistic grounds. The proposal applies to "data" in general, including but not limited to personal data.

The European Parliament and the EU Member States have reached a political agreement on the Data Governance Act. The Council of Ministers and the European Parliament will need to negotiate on the proposal's final text.

3. Network and Information Security Directive 2 (NIS2)

On 3 December 2021, the EU Council agreed on the NIS2 proposal. The draft directive (NIS2) aims to achieve a high common level of cybersecurity across the EU Member States and improves the resilience and incident response capacities of public and private entities, and the EU as a whole. It replaces the existing NIS Directive by strengthening the security requirements, addressing supply chain security and streamlining reporting obligations. NIS2 introduces more stringent supervisory measures and stricter enforcement requirements, including harmonised sanctions across the EU.

It sets a baseline for cybersecurity risk management measures and reporting obligations across a variety of sectors, such as energy, health and digital infrastructure. NIS2 includes a 'size-cap rule', which means that all medium and large companies operating or providing services within sectors covered in the proposal fall within the scope. In addition, smaller companies that fulfil certain criteria which indicate a key role for economies or societies of EU Member States will also be covered in NIS2.

The European Commission and European Parliament will need to agree on the final text. The aim is to reach an agreement on the final wording by the first quarter of 2022. Within two years of the entry into force of the NIS2 Directive, EU Members States will have to incorporate the provisions into their national law. In the meantime, the Commission has announced that it will also start working on the Cyber Resilience Act.

4. Dutch Data Protection Collective Act

The Dutch Data Protection Collective Act (Verzamelwet gegevensbescherming) amends the Dutch GDPR Implementation Act from 2018 (Uitvoeringswet AVG) and several other Dutch laws to streamline and update the current data protection legislation. It contains amendments of a technical, explanatory and substantive nature. Included are exceptions to the prohibition to process special category personal data by a legally required audit by an auditor.

The bill was submitted to the Council of State (Raad van State) for advice on 14 December 2021. It will then have to be adopted by the House of Representatives and the Senate.

The latest version of the Act has not yet been published. The draft can be found here (Dutch only). It is unknown at this stage when the Act will enter into force.

5. P2B Regulation Implementation Act

On 26 May 2021, the Dutch proposal for the Implementation Act (or 'Supplementary Act') for the Platform-to-Business Regulation was published for public consultation. Houthoff submitted its comments to the proposal, which you can find here.

The proposal provides for public supervision and enforcement of the provisions of the European Platform-to-Business Regulation (2019/1150). The P2B Regulation introduced requirements for transparency and dispute resolution on platforms for business users who offer goods or services to consumers via the platform. For example, providers of online intermediation services must include a description in their terms and conditions on the user's access to any data generated by the platform or its users.

The bill provides a basis for supervision by the Netherlands Authority for Consumers and Markets (ACM) and aims to fit the Regulation's provisions regarding collective claims within the Dutch legal framework.

6. Transparency and Targeting of Political Advertising Regulation

On 25 November 2021, the European Commission published its proposal for a Regulation on the transparency and targeting of political advertising. The Regulation is expected to apply from 1 April 2023.

Its aim is to establish harmonised rules ensuring a high level of transparency of political advertising and related services (such as preparing or publishing content). Furthermore, the proposed Regulation protects natural persons from the processing of personal data by laying down rules on the use of targeting and amplification techniques in political advertising. Personal data use in political targeting and amplification will be monitored by the national Data Protection Authorities who will also have the power to impose fines in line with EU data protection rules.

The Regulation requires "political advertising publishers", such as online intermediaries, to use efficient and prominent marking and labelling techniques to easily identify political advertising. Additional information obligations apply to political advertising publishers which are very large online platforms specified in the Digital Services Act (DSA). It clarifies that none of the obligations laid down in the DSA impose a general monitoring obligation on intermediary service providers for political content shared by natural or legal persons. Nor does it obligate intermediary service providers to take proactive measures on illegal content or activities which those providers transmit or store.

7. Monitoring and Reporting of CO2 Emissions Regulation

EU Regulation 2021/392 has been in force since 25 March 2021 and is relevant for car manufacturers. It sets out rules on the procedures for the monitoring and reporting by EU Member States and manufacturers of data relating to CO2 emissions from new passenger cars and light commercial vehicles registered from 1 January 2021.

Under this Regulation, vehicle manufacturers, dealers, repairers, and bodies responsible for roadworthiness testing are responsible for collecting vehicle identification numbers (VINs) together with data on the real-world fuel and energy consumption. Data collection monitors the effectiveness of CO2 emission standards in reducing CO2 emissions from vehicles and informs the public. With effect from 1 April 2022, manufacturers and EU Member States must report actual data collected during a calendar year to the European Commission and the European Environment Agency (EEA). Furthermore, it specifies how these data must be gathered, assessed, transferred and disclosed.

The VIN is considered personal data from the moment the vehicle is registered, and therefore, falls within the scope of the General Data Protection Regulation (GDPR). The entities involved in the collection, reporting and processing of VINs are considered controllers under the GDPR.