We survived GDPR implementation… but it doesn't stop there Part II
It may seem impossible, but GDPR has been with us since 2016 – i.e. 8 years. After the initial problems and disagreements, everything settled down over time; companies now act in accordance with the regulation, and we have all simply adjusted our view of how personal data may be handled. But…
In the last edition we delved into data and AI regulations. Today we will focus on those that introduce new rules for markets and for specific groups of providers:
- Regulation on horizontal requirements for the cybersecurity of products with digital elements
- Digital Markets Regulation
- Digital Services Regulation
- European strategy for data
- European Code of Conduct for Cloud Providers
Regulation on horizontal requirements for the cybersecurity of products with digital elements
This regulation is better known as the Cyber Resilience Regulation. NÚKIB estimates that it will enter into force in the autumn of this year. It is a game changer for manufacturers of Internet-connected devices as well as software – so much so that websites have appeared that help companies estimate the budget they should set aside for complying with it.
The aims of this act are:
- Improving security during the development phase and throughout the entire product life cycle
- A single cybersecurity framework
- Greater transparency of security features
- Enabling the secure use of products
Thanks to this unified framework, the mandatory security requirements will be harmonized and obstacles to the free movement of goods will be removed. The entire supply chain will also be secured, as the conditions will not apply only to manufacturers; they will apply to all legal entities, including sole proprietors. In addition, certification will be required for critical products.
Currently, the entire market faces these problems:
- A generally low level of cybersecurity
- Insufficient user access to information about the security of specific products
The range of companies to which the regulation will apply will be very wide. For example, even a company that is not a manufacturer but has the product manufactured as a white label will have to verify and ensure compliance. The same applies to companies that substantially modify a product. Compliance checks will also have to be carried out by every company that is part of the supply chain of a product covered by the regulation.
Also interesting is the paragraph on the need to anticipate how users might use the product, both correctly and incorrectly. Even these situations must be monitored by the provider.
There are exceptions, but even those need to be verified in the context of the entire wording of the regulation and the specific product.
Digital Services Regulation
This regulation came into force in February of this year for all companies, although it was already valid for some large services from last August. Its goal is to ensure a safe and trusted online environment that is properly maintained so that illegal content, misinformation and other issues are dealt with quickly.
This regulation is intended to help with protection at the cross-border level, because the Internet does not respect national borders. It is meant to encourage innovation, provide greater certainty for developers and also support a single internal market – although the regulation applies to all companies operating in Europe, not just those based in the EU.
Although it is possible to define digital services that should be covered by this regulation, it is much more practical to look at the key feature of the service – the main aspect is the public dissemination of information. Therefore, for example, some hosting services may be included and others not.
However, probably the biggest benefit for users is the obligation of service providers to summarize the contractual terms in such a way that it is possible to quickly find out how to opt out of optional provisions.
This regulation also imposes more conditions the larger the company is. Platforms that may be used by minors are also treated differently. In general, it helps users avoid becoming victims of unfair contractual practices, harmful information and manipulation in decision-making. At the same time, sellers on the platforms should be properly identified and verified, so users will only be able to buy from trusted sellers.
Each member state has a Digital Services Coordinator, which for the Czech Republic is the Czech Telecommunications Authority (ČTÚ).
Digital Markets Regulation
This act came into effect more than a year ago. It focuses primarily on a small number of large platform providers with a large influence on their market, with the aim of protecting their users and maintaining the competitiveness of other organizations.
These large platforms are designated in the regulation as “gatekeepers” – guardians of access. With their great influence, they gain control over how end users can handle digital products – in other words, they effectively dictate the terms of use of digital services.
This large influence distorts open competition and also reduces choice. From the point of view of other companies, it is very difficult to enter the same market as the gatekeepers, because the gatekeepers have too much economic power. This imbalance also means that users have a very weak bargaining position regarding the terms of use of a particular platform.
The aims of this regulation are therefore:
- Creating rules to ensure open competition in the digital sector
- Defining regulatory safeguards for users against unfair practices by platform providers
- Avoiding the fragmentation of the internal market in the EU
However, the link between digital markets and the notion of a platform is very broad. This Regulation mainly, but not exclusively, targets the following sectors:
- Online brokerage services
- Internet search engines
- Operating systems
- Social networks
- Video sharing
- Number-independent communication services
- Cloud computing
- Virtual assistants
- Web browsers
- Online advertising services
The main guide to determining whether you are covered by this regulation is that a large number of end-users and businesses interact on the platform and that this connection brings significant benefits to them.
One of the main benefits for end users is the possibility of using the service even if they do not consent to the processing of their data. The service may then be offered in a non-personalized form, but refusing to share data must not prevent users from using the platform. Nor should registration or login be required in order to use it.
At the same time, the gatekeeper cannot use its position to impose its additional services on businesses and end users because it is in such a position that businesses and users depend on its platform.
The whole regulation is essentially about the freedom of those who use the platform: freedom to work with non-system applications, to choose information and resources, to migrate between systems, and to withdraw consents and cancel the service. It also gives users control over their data, and under no circumstances should their data from the main platform be used in the provider's other systems.
If the Commission suspects unfair practices or problems, it can request and get access to all the internals of the given platform – including the algorithms.
The obligation to check whether the company complies with this regulation rests with the company itself. But the Commission will conduct its own investigations, so it is not solely the companies' responsibility. Any failure to comply with the terms of this regulation may result in fines of up to 10% of worldwide turnover.
Additional information
The European Union released a data strategy several years ago. The EU is aware that the world is changing and the basis of everything is and will be more and more data. It therefore wants to stimulate the creation of common data spaces and the use of data for:
- Increasing the competitiveness and performance of industry
- More effective environmental protection
- Development of intelligent transport
- Advances in healthcare
- Stimulation of the financial market
- Decarbonization of the energy sector
- Sustainability of agriculture
- Greater transparency of public administration
- A more efficient labor market
This strategy is followed by the previously mentioned Data Regulation.
Also worth mentioning is the Code of Conduct for Cloud Service Providers. It is voluntary and anyone can sign up to comply with it. But we will still have to wait some time for the official European certification.
Next?
Quite often, companies get stuck on GDPR or NIS2, but the EU strategy includes many more regulations and directives that point in a new direction. Make time for them.