The new EU Data Act enters into force
The EU regulation on harmonized rules on fair access to and use of data, (the Data Act) was published in the EU’s official journal on 22 December 2023, and entered into force on 11 January 2024.
The Data Act sets rules for accessing and using data generated within the European Union and aims to make it easier to switch between data processing service providers. This regulation covers both personal and non-personal data. However, in respect of personal data, the General Data Protection Regulation (GDPR) takes precedence over the Data Act. The Act also includes guidelines to protect against illegal international government access and the transfer of non-personal data, and it encourages the development of standards for interoperability, ensuring data can be accessed, transferred, and used effectively.
Key obligations include:
- Manufacturers and service providers must give their users the ability to access, reuse, and share data collected through their products and associated services without any cost to the user.
- The design of products and related services should be such that users can access their data easily, without any barriers. If a user requests their data, the entity holding the data (such as the manufacturer or service provider) must provide it to the user.
- Data holders must allow third parties to access the data if the user requests it or if there’s a legal requirement to do so. This includes both readily available data and relevant metadata. Data holders are generally not permitted to deny access to this data, except in specific cases where safeguards, limitations, or prohibitions are necessary, such as to protect trade secrets. These exceptions are designed to ensure the data is used appropriately by the recipients.
- When data is shared with third parties, it must be shared under conditions that are fair, reasonable, and non-discriminatory, and the process should be transparent.
Enforcement of the Data Act will begin on 12 September, 2025. Notably, the specific obligation for data to be accessible by default, as outlined in Article 3(1), will be applicable to connected products and their related services that are introduced to the market after 12 September, 2026. This staggered implementation schedule allows for a phased approach to compliance with the regulation’s requirements.
This means understanding the specific timelines, such as the application of the regulation from September 2025 and the accessibility by default for connected products and services coming into the market after September 2026. It is important to stay informed about these timelines and adjust strategies and operations accordingly to meet the new regulatory requirements over time.
CNIL fines Yahoo €10 million
On December 29, 2023, Yahoo EMEA was handed a €10 million fine by the French Data Protection Authority (CNIL) for failing to recognise the cookie preferences of users who visited the “Yahoo.com” website and not providing users of its “Yahoo! Mail” messaging service the option to withdraw their consent to cookies. The regulator received 27 complaints relating to non-compliance with cookie refusal and difficulties in withdrawing cookie consent, and subsequently conducted multiple online investigations between October 2020 and June 2021. These investigations led the restricted committee (CNIL’s sanctioning body) to conclude that Yahoo! had not complied with Article 82 of the French Data Protection Act. In determining the penalty, the committee considered Yahoo’s disregard for users’ cookie preferences and the implementation of measures dissuading the withdrawal of cookie consent. Furthermore, the committee highlighted the personal importance of an email address, as it is used for communication, networking, and storing important conversations.
NIST releases updated guidance for businesses’ cybersecurity standards
The U.S. National Institute of Standards and Technology (NIST) has released draft guidelines designed to assist businesses in creating robust cybersecurity programs. These guidelines are tailored to meet the specific needs of individual organisations and provide direction on managing cyber risks effectively.
The guidelines emphasise a flexible methodology for crafting information security measures aligned with an organisation’s specific performance objectives. NIST is currently inviting public feedback on this initial draft until March 18, 2024.
The guidelines have been structured to complement any risk management framework and aim to guide organisations in transitioning from broad, abstract statements about risk levels to a more defined and data-driven understanding of their cybersecurity posture.
The NIST guidelines present an important reminder of the critical role and significance of cybersecurity in every organisation. Below are some useful recommendations:
- Organisations are encouraged to utilise the flexibility of the NIST guidelines to implement a cybersecurity program that aligns with business-specific objectives and risk profiles. Organisations should avoid a one-size-fits-all approach and focus on measures that address unique vulnerabilities and threats.
- Organisations are advised to leverage the two-volume structure of the guidelines to involve both technical and executive teams in the cybersecurity goals of the organisation. Organisations should encourage information security experts to use Volume 1 for technical guidance, while guiding C-suite executives through Volume 2 to understand the broader strategic impact of cybersecurity on the organisation.
- Organisations can use the guidelines to support a transition from general statements about risks to a more precise, data-driven understanding of their cybersecurity status. They should implement processes to regularly collect, analyse, and report cybersecurity data to make informed decisions and adapt strategies as needed.
- Organisations are encouraged to integrate the guidelines with existing risk management frameworks to develop a progressive cybersecurity implementation plan. This integration will ensure a comprehensive and sustainable approach to managing cyber risks.
As a global B Corp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed.