From May 12 to 16, the annual Privacy Symposium took place in Venice — a significant international forum where data protection experts, representatives of supervisory authorities, policymakers, and members of the academic community from around the world gather. The symposium is organized to discuss current issues in data protection, including the impact of artificial intelligence development, digital security solutions, challenges in regulatory enforcement, and cooperation between supervisory authorities.
Latvia was represented at the symposium by the Director of the Data State Inspectorate (hereinafter – the Inspectorate), Jekaterina Macuka, who participated as a speaker in two panel discussions. One of these took place on May 12 and focused on the Cyber Resilience Act and the protection of critical infrastructure, paying special attention to the interplay between cybersecurity and personal data protection.
“Personal data protection is closely linked to cybersecurity measures, as the technical and organizational requirements arising from the General Data Protection Regulation (GDPR) essentially overlap with cybersecurity requirements. The new regulatory framework in the field of cybersecurity can help controllers better understand which requirements they must implement to ensure compliance with the GDPR,” J. Macuka emphasized during her presentation.
It was also stressed that the requirements for incident and data breach notification set out in various legal acts must be implemented reasonably and in a coordinated manner to avoid placing an undue administrative burden on organizations. Effective coordination between supervisory authorities at the national level is also crucial.
This panel discussion also included the head of the Estonian Data Protection Authority, Pille Lehis, as well as representatives from the European Cyber Security Organisation and an Austrian law firm.
In the May 14 panel discussion, in which J. Macuka participated alongside representatives from the European Commission’s Directorate-General, the focus was on the interplay and practical application of the GDPR, the Data Governance Act (DGA), and the Data Act (DA). Responding to questions about the experience and needs of the Inspectorate regarding cross-border cooperation mechanisms, as well as the main practical challenges in supervising and applying these legal acts, Director Jekaterina Macuka noted that the GDPR remains the fundamental rights instrument setting out the core principles for personal data processing. Meanwhile, the DA and DGA are legal acts that regulate data governance procedures but do not in themselves provide a legal basis for processing personal data.
“If data being processed is not personal data, then the GDPR does not apply. However, if personal data is involved in the data exchange process, it is always necessary to find a suitable legal basis to ensure the lawfulness of such processing. One of the key challenges in practice is identifying the appropriate legal basis, especially in cases where data is being transferred between two private companies. Furthermore, it should be noted that combining different datasets, which individually may not be considered personal data, can result in information that allows individuals to be indirectly identified. In such cases, the data becomes personal data and the GDPR requirements apply,” said J. Macuka.
The Director also emphasized that, from a data supervision perspective, the most important factor is that organizations are able to recognize when personal data processing is occurring and to apply the appropriate legal basis for such processing.
The need for a unified understanding of specific actions across all Member States was also identified as one of the main challenges in implementing these legal acts.
Such high-level discussions are extremely important for promoting a consistent, human-rights-based approach to data protection across the European Union and for strengthening inter-institutional cooperation.