In a nutshell: Belgium took over the Presidency of the Council of the EU for the remainder of the current legislative term. The European Commission is looking into limiting cookie banners, has launched a package of measures to support AI innovation, and is gathering public feedback on application of the GDPR. The European Parliament moves on the Financial Data Access initiative. Geographical indications protection regulations enter the road to implementation. The co-legislators are expected to officially adopt the new EUID Regulation and the AI Act. The EU is preparing for elections in June 2024.
Belgium takes over the Presidency of the Council of the EU
From 1 January, Belgium is holding the Presidency of the Council of the EU, and leading negotiations on the key legislative and policy initiatives on behalf of the co-legislator. Belgium is responsible for driving the remaining legislative negotiations to conclusion, as we are approaching the EU elections in June. According to the Presidency Programme, Belgium's priorities are a “human-centered approach to the digital transformation”, with particular attention to “virtual identity protection”, as well as finalising “any remaining work” on the amendment of the Cybersecurity Act and the Cyber Resilience Act, reinforcing the security of “our digital society and supply chains”. Looking ahead to the next legislative term, the Belgian Presidency will also conduct a review of EU cyber policy and the institutional landscape “to assess the progress and identify the remaining gaps and disparities that need to be addressed”. When it comes to intellectual property (IP), the Belgian Presidency pledges to “work towards an IP system that provides access to critical technologies, including effective systems for issuing compulsory licences”, and modernisation of the legislative framework for IP. Regarding the GDPR, the Presidency will work on “additional procedural rules to resolve differences in administrative[...] practices” and enhance cross-border cooperation among national supervisory authorities.
Next GDPR application report is due in 2024
According to Article 97 of the GDPR, the Commission is required to submit a report on the evaluation and review of the Regulation to the European Parliament and the Council every 4 years after its first report in 2020. The Commission’s first report was adopted on 24 June 2020 (see our previous reporting here). The next report is due by mid-2024. The GDPR stipulates that the report should in particular cover the international transfer of personal data to third countries (Chapter V, GDPR) and the cooperation between national data protection authorities (Chapter VII, GDPR). Aspects of the functioning of Chapter VII are addressed in the Commission’s proposal for a Regulation on GDPR procedural rules, adopted on 4 July 2023 (see our previous reporting here). The 2024 report may identify issues with the application of the GDPR and possible follow-up actions. In preparation for the report, the European Commission has opened a round of public feedback, which runs until 8 February.
The European Commission is looking into limiting cookie banners
The Commission aims to finalise a voluntary Cookie Pledge initiative before presenting a final version at the Consumer Summit in April 2024. The Cookie Pledge is a voluntary business pledge to simplify the management of cookies for consumers, based on a set of principles that would serve that goal. These include, for example, not asking for consent for essential cookies, being transparent about business models based on advertising, and avoiding pushing consumers into a pay-or-consent model. The initiative to simplify cookie banners was announced by Commissioner Reynders in 2023, in the context of conversations with the advertising industry and tech companies. In December 2023, the European Data Protection Board (EDPB) issued its feedback on the draft principles. The EDPB reiterated that pledging principles should not be used to circumvent legal obligations, and that undertaking voluntary commitments does not guarantee compliance with applicable privacy and data protection frameworks. Industry stakeholder feedback calls for more clarity on the relationship of the pledge with the Digital Services Act (DSA) and the Digital Markets Act (DMA). It is expected that the Commission will look into this area of regulation more closely during its next legislative mandate.
The European Parliament moves on the Financial Data Access initiative
On 13 December, the European Parliament’s Rapporteur for the Proposal for a Regulation on a Framework for Financial Data Access (FiDA proposal) issued a Draft Report (see our previous reporting here). The European Commission’s proposal aims to establish a framework for easier customer data sharing within the financial sector. One of the enforcement measures available to competent authorities is the possibility to order domain registries and registrars to delete the domain names of non-compliant financial services. The Rapporteur's amendments include excluding any health-related data that might be in the possession of financial entities under the scope of the regulation, together with other special categories of data under the GDPR, and excluding the so-called “gatekeepers” under the DMA, which should not be able to access any customer data under the FiDA proposal. The Rapporteur also suggests closer cooperation between competent authorities under FiDA and data protection authorities under the GDPR in the exercise of their investigatory and sanctioning powers. The vote on the Draft Report in the European Parliament is preliminarily scheduled for March 2024. Most of the legislative discussions will happen during the next legislative term, after the EU elections.
Geographical indications protection enters the road to implementation
In 2023, the EU finalised its geographical indications (GI) reform, extending its protection to craft and industrial products (see our previous reporting here) and reaching a deal on the revision of rules concerning existing GIs in the agricultural sector (see our previous reporting here). The reform included the extension of GI protection to the domain space, including the establishment of a domain name information and alert system that interferes with the neutrality of the domain name registration process. For domain name actors, the following 12 months include the evidence-gathering period by the Commission to re-evaluate the feasibility of the domain name information and alert system based on “abusive use” of craft/industrial GIs, and the EUIPO establishing a voluntary domain name information and alert system for agricultural GIs. The Commission is also planning to provide “detailed rules” for the implementation of the GI protection regulation for crafts/industrial products in Q4 2024. During the exchange with members of the European Parliament in the Legal Affairs committee (JURI), the Executive Director of the EUIPO João Negrão stated that the work on the domain alert system has already started, pending the adoption of the Regulation on agricultural GIs.
EU-wide digital identity legal framework to be adopted in the first quarter of 2024
Following the provisional agreement reached by the co-legislators in November 2023, the European digital identity regulation (EUID Regulation) is expected to be officially adopted during the first quarter of 2024 (see our previous reporting here). Per the EUID Regulation, the EU Member States will offer citizens and businesses digital wallets that will allow users to identify themselves when accessing public and private services, to store, present and share electronic attestations (e.g., diplomas and driving licences), and to sign digital documents. There could be several EU digital wallets offered across EU Member States, but the latter have to implement common technical standards and specifications that are being jointly developed by the European Commission and EU Member States. The EU digital wallets are expected to be operational by the end of 2026.
The AI Act is moving closer to the finishing line
The regulation of Artificial Intelligence (AI) has been one of the top priorities of the current Commission, culminating in the negotiations of the EU AI Act (see our previous reporting here). In December 2023, the co-legislators, the European Parliament and the Council of the EU, reached a political deal on the AI Act. According to the political deal, the co-legislators agreed to prohibit biometric categorisation systems that use sensitive characteristics (e.g. political, religious, philosophical beliefs, sexual orientation, race), untargeted scraping of facial images from the internet or CCTV footage, emotion recognition in the workplace, and social scoring. Exceptions for the use of biometric identification systems are put in place for law enforcement, subject to prior judicial authorisation. For AI systems classified as high-risk (due to their significant potential harm to health, safety, fundamental rights, environment, democracy, and the rule of law), additional obligations are applicable, such as mandatory fundamental rights impact assessment, risk-mitigation systems, high quality of data sets, logging of activity, detailed documentation, clear user information, human oversight, and high levels of cybersecurity. AI systems intended to be used as safety components in the management and operation of critical digital infrastructure under the Directive on the resilience of critical entities (CER Directive) shall be classified as high-risk. Safety components of critical infrastructure, including critical digital infrastructure, are systems used to directly protect the physical integrity of critical infrastructure or the health and safety of persons and property, but which are not necessary in order for the system to function. Failure or malfunctioning of such components might directly lead to risks to the physical integrity of critical infrastructure and thus to risks to the health and safety of persons and property. Components intended to be used solely for cybersecurity purposes should not qualify as safety components. The unofficial full text of the AI Act is available here. The political agreement is now subject to formal approval by the European Parliament and the Council of the EU and will enter into force 20 days after publication in the Official Journal. The AI Act would then become applicable two years after its entry into force.
The European Commission launched a package of measures to support AI innovation
On 24 January, the European Commission launched a package of measures to support European startups and SMEs in the development of AI in line with EU values and rules. To stimulate the emergence of competitive AI ecosystems in the Union, the Commission will establish “AI Factories” that are “open ecosystems formed around European public supercomputers”, associated data centers and human resources to attract talent. To improve the availability of quality data for generative AI models, the Commission will strengthen its financial support for the Common European Data Spaces, with calls covering sectoral application areas such as mobility and energy to be launched in 2024 under the Digital Europe Programme. In addition, the Commission intends to support the scale-up of an open-source “large language model capable of addressing all European languages”. Generative AI is also seen as an essential technology for the development of “virtual worlds”. The forthcoming European Public Private Partnership on Virtual Worlds will support AI-enabled virtual reality applications. Generative AI is also seen as both beneficial and risky in the area of cybersecurity. According to the Commission, the “prevalence of generative AI will[...] increase the need to[...] prepare preventive and mitigation measures for critical asset protection”.
EU is preparing for elections in June 2024
Every five years, EU citizens vote in the elections of the European Parliament, the directly-elected institution that is supposed to defend their interests in the EU decision-making process. The next European elections will take place between 6 and 9 June 2024. 720 members will be chosen to represent EU citizens in the European Parliament until 2029. Following the elections, the European Parliament elects the new head of the European Commission and approves the full team of commissioners. There are several predictions for the upcoming composition of the European Parliament, ranging from the centre-right EPP keeping its status as the biggest group in the Parliament to the rise of the ID group (right-wing to far-right) as the third-largest force in the Parliament. The biggest loss of seats is expected for the Greens.