The Digital Decade policy programme 2030, a monitoring and cooperation mechanism to achieve common targets for Europe’s digital transformation by 2030, has entered into force.
For the first time, the European Parliament, Member States and the Commission have jointly set concrete objectives and targets in the four key areas of digital skills, infrastructure including connectivity, the digitalisation of businesses, and online public services, in respect of the Declaration on European Digital Rights and Principles. The objectives and targets are accompanied by a cyclical cooperation process starting today, to take stock of progress and define milestones so that they can be reached by 2030. The programme also creates a new framework for multi-country projects that will allow Member States to join forces on digital initiatives.
The aim: Digital Decade targets and objectives
Starting now and leading up to 2030, EU Member States, in collaboration with the European Parliament, the Council of the EU and the Commission, will shape their digital policies to achieve targets in 4 areas to:

Improve citizens’ basic and advanced digital skills;
Improve the take-up of new technologies, like Artificial Intelligence, data and cloud, in the EU businesses, including in small businesses;
Further advance the EU’s connectivity, computing and data infrastructure; and
Make public services and administration available online.

These targets embody the policy programme’s objectives, such as ensuring safe and secure digital technology, a competitive online environment for SMEs, safe cybersecurity practices, fair access to digital opportunities for all, as well as developing sustainable, energy and resource-efficient innovations.
Together, the Digital Decade objectives and targets will guide the actions of Member States, which will be assessed by the Commission in an annual progress report, the State of the Digital Decade. A new high-level expert group, the Digital Decade Board, will also reinforce the cooperation between the Commission and the Member States on digital transformation issues. A new Forum will also be created to bring on board various stakeholders and discuss their views.
Cooperation and monitoring progress towards 2030 targets
In the coming months, the Commission, together with Member States, will develop key performance indicators (KPIs) that will be used to monitor progress towards individual targets, within the framework of the annual Digital Economy and Society Index (DESI). In turn, Member States will prepare their national strategic roadmaps within 9 months from today, describing the policies, measures and actions that they plan to make, at national level, to reach the programme’s objectives and targets. From June 2023, the Commission will publish its annual progress report, the State of the Digital Decade, to provide an update, assessment and recommendation on progress towards the targets and objectives.
Multi-country projects
Pooling investments between Member States is necessary to achieve some of the ambitions of the Digital Decade objectives and targets. To join efforts for large-scale impact, the policy programme creates a process to identify and launch multi-country projects in areas such as 5G, quantum computers, and connected public administrations among others.
Next Steps
In the coming months, the Commission will adopt an implementing act defining the KPIs for the digital targets and will develop projected EU trajectories for each of them together with Member States.
In June, the Commission will publish the first State of the Digital Decade report, to provide an update, assessment, and recommendation on progress towards the targets and objectives.
In October, Members States will submit their first national strategic roadmaps, on which the Commission will have published guidance to support them.
Background
On 9 March 2021, the Commission laid out its vision for Europe’s digital transformation by 2030 in its Digital Compass: the European way for the Digital Decade Communication. In her State of the Union address in September 2021, President Ursula von der Leyen put forward the Path to the Digital Decade, a robust governance framework to reach these digital targets. It calls for combined efforts and investments to create a digital environment in Europe that can lead the future, while empowering people and their businesses. A political agreement by the European Parliament and the Council of the EU was reached in July 2022.
In parallel, the inter-institutional solemn Declaration on Digital Rights and Principles, the EU’s ‘digital DNA’, was signed in December 2022. The Commission will also provide an assessment of the implementation of the digital principles in the annual State of the Digital Decade report, to make sure that rights and freedoms enshrined in the EU’s legal framework are respected online as they are offline.
Compliments of the European Commission.
The post First cooperation and monitoring cycle to reach EU 2030 Digital Decade targets kicks off first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

On 13 December 2022, the European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.
Today’s draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland. These two instruments implemented into US law the agreement in principle announced by President von der Leyen and President Biden in March 2022.
The draft adequacy decision, which reflects the assessment by the Commission of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and transmitted to the European Data Protection Board (EDPB) for its opinion. The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.
Key elements
US companies will be able to join the EU-U.S. Data Privacy Framework by committing to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will benefit from several redress avenues if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.
In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order, which addressed the issues raised by the Court of Justice of the EU in the Schrems II judgment:

Access to European data by US intelligence agencies will be limited to what is necessary and proportionate to protect national security;
EU individuals will have the possibility to obtain redress regarding the collection and use of their data by US intelligence agencies before an independent and impartial redress mechanism, which includes a newly created Data Protection Review Court. The Court will independently investigate and resolve complaints from Europeans, including by adopting binding remedial measures.

European companies will be able to rely on these safeguards for trans-Atlantic data transfers, also when using other transfer mechanisms, such as standard contractual clauses and binding corporate rules.
Next steps
The draft adequacy decision will now go through its adoption procedure. As a first step, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee composed of representatives of the EU Member States. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopting the final adequacy decision.
The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.
Background
Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures ‘an adequate level of protection’, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow freely from the EU (and Norway, Liechtenstein and Iceland) to a third country without further obstacles.
After the invalidation of the previous adequacy decision on the EU-US Privacy Shield by the Court of Justice of the EU, the European Commission and the US government entered into discussions on a new framework that addressed the issues raised by the Court.
In March 2022, following intense negotiations between the lead negociators, Commissioner Reynders and Secretary Raimondo, President von der Leyen and President Biden announced an agreement in principle on a new transatlantic data transfer framework. In October 2022, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’, which was complemented by regulations adopted by the US Attorney General. Together, these two instruments implemented the US commitments into US law, as well as complemented the obligations for US companies. On this basis, the Commission is now proposing a draft adequacy decision on the EU-U.S. Data Privacy Framework.
Once the adequacy decision is adopted, European entities will be able to transfer personal data to participating companies in the United States, without having to put in place additional data protection safeguards.
Compliments of the European Commission.
The post Data protection: EU Commission starts process to adopt adequacy decision for safe data flows with the US first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

The Data Protection Commission (DPC) has today announced the conclusion of two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) in connection with the delivery of its Facebook and Instagram services. (Meta Ireland was previously known as Facebook Ireland Limited).
Final decisions have now been made by the DPC in which it has fined Meta Ireland €210 million (for breaches of the GDPR relating to its Facebook service), and €180 million (for breaches in relation to its Instagram service).
Meta Ireland has also been directed to bring its data processing operations into compliance within a period of 3 months.
The inquiries concerned two complaints about the Facebook and Instagram services, each one raising the same basic issues. One complaint was made by an Austrian data subject (in relation to Facebook); the other was made by a Belgian data subject (in relation to Instagram).
The complaints were made on 25 May 2018, the date on which the GDPR came into operation.
In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services. It also flagged the fact that it was changing the legal basis on which it relies to legitimise its processing of users’ personal data. (Under Article 6 of the GDPR, data processing is lawful only if and to the extent that it complies with one of six identified legal bases). Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook’s and Instagram’s services (including behavioural advertising), Meta Ireland now sought to rely on the “contract” legal basis for most (but not all) of its processing operations.
If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click “I accept” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).
Meta Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between Meta Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its Facebook and Instagram services was necessary for the performance of that contract, to include the provision of personalised services and behavioural advertising, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainants contended that, contrary to Meta Ireland’s stated position, Meta Ireland was in fact still looking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, Meta Ireland was in fact “forcing” them to consent to the processing of their personal data for behavioural advertising and other personalised services. The complainants argued that this was in breach of the GDPR.
Following comprehensive investigations, the DPC prepared draft decisions in which it made a number of findings against Meta Ireland. Notably, it found that:

1. In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by Meta Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. It also considered that it amounted to a breach of Article 5(1)(a), which enshrines the principle that users’ personal data must be processed lawfully, fairly and in a transparent manner. The DPC proposed very substantial fines on Meta Ireland in relation to the breach of these provisions and directed it to bring its processing operations into compliance within a defined and short period of time.

2. In circumstances where it found that Meta Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider Meta Ireland’s reliance on “contract” as providing a legal basis for its processing of users’ personal data in connection with the delivery of its personalised services (including personalised advertising). Here, the DPC found that Meta Ireland was not required to rely on consent; in principle, the GDPR did not preclude Meta Ireland’s reliance on the contract legal basis.

Under a procedure mandated by the GDPR, the draft decisions prepared by the DPC were submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”).
On the question as to whether Meta Ireland had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions, albeit that they considered the fines proposed by the DPC should be increased.
Ten of the 47 CSAs raised objections in relation to other elements of the draft decisions (one of which was subsequently withdrawn in the case of the draft decision relating to the Facebook service). In particular, this subset of CSAs took the view that Meta Ireland should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalised advertising (as part of the broader suite of personalised services offered as part of the Facebook and Instagram services) could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the Facebook and Instagram services include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising.  In effect, these are personalised services that also feature personalised advertising. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
Following a consultation process, it became clear that a consensus could not be reached. Consistent with its obligations under the GDPR, the DPC next referred the points in dispute to the European Data Protection Board (“the EDPB”).
The EDPB issued its determinations on 5 December 2022.
The EDPB determinations rejected many of the objections raised by the CSAs. They also upheld the DPC’s position in relation to the breach by Meta Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the “fairness” principle) and a direction that the DPC increase the amount of the fines it proposed to impose.
The EDPB took a different view on the “legal basis” question, finding that, as a matter of principle, Meta Ireland was not entitled to rely on the “contract” legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioural advertising.
The final decisions adopted by the DPC on 31 December 2022 reflect the EDPB’s binding determinations as set out above. Accordingly, the DPC’s decisions include findings that Meta Ireland is not entitled to rely on the “contract” legal basis in connection with the delivery of behavioural advertising as part of its Facebook and Instagram services, and that its processing of users’ data to date, in purported reliance on the “contract” legal basis, amounts to a contravention of Article 6 of the GDPR.
In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has increased the amount of the administrative fines imposed on Meta Ireland to €210 million (in the case of Facebook) and €180 million in the case of Instagram. (The revised levels of these fines also reflect the EDPB’s views in relation to Meta Ireland’s breaches of its obligations in relation to the fair and transparent processing of users’ personal data).
The DPC’s existing requirement that Meta Ireland must bring its processing operations into compliance with the GDPR within a period of 3 months has been retained.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of Facebook and Instagram’s data processing operations and would examine special categories of personal data that may or may not be processed in the context of those operations. The DPC’s decisions naturally do not include reference to fresh investigations of all Facebook and Instagram data processing operations that were directed by the EDPB in its binding decisions. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.
Compliments of the Irish Data Protection Commission.
The post Data Protection Commission announces conclusion of two inquiries into Meta Ireland first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

With the right tools, policymakers can help to manage the climate risks impacting economies and financial systems

When it comes to the devastating impact of climate change, most people think of the harm inflicted on lives and livelihoods. Yet the effects of more frequent and extreme weather are just as consequential for the health of financial systems.
The physical impacts of climate-related shocks, such as hurricane damage to power grids, affect financial institutions and how they make decisions. So do the risks of transition to a low-carbon economy. Think of the costs of new carbon taxes or new laws that require phase-outs of fossil fuels before greener replacements are available.
To make well-informed decisions about future operations, banks, insurers, and others in the financial sector need tools to manage climate risks in their operations and balance sheets. At the same time, as financial supervisors monitor the resilience of the system, they need tools to adequately assess and supervise these risks.
Financial risk analysis
With the right tools, financial sector authorities can start to assess climate risks as a crucial input to gauging how to manage them with the right policies.
This is where the IMF comes in. The Fund’s Financial Sector Assessment Program already regularly examines the resilience of banks and other institutions, including with stress tests to better gauge systemic risks. These procedures are being retooled to incorporate climate risk analysis to better gauge financial stability risks from climate change.
Risk analysis typically entails development of scenario-based stress tests for assessing bank solvency. The process incorporates adverse macroeconomic scenarios specifically designed for the tests—including elements like economic contraction, rising unemployment, exchange-rate shocks, and falling asset prices.
These scenarios are then used as inputs when looking at relationships between these macro drivers and risk factors, such as credit risk and interest income, to estimate impacts on bank income and capital. Bank resilience is then assessed based on whether capital levels fall below regulatory thresholds.
Beyond the standard approach
Unlike conventional stress testing, climate risk analysis, at this stage, doesn’t focus on quantifying possible capital needs of financial institutions relative to the regulatory thresholds. Instead, the IMF approach focuses on measuring and raising awareness of risks. This reflects new challenges, including the complexities of modeling climate risk and its economic impacts over very long horizons and major data gaps.

While the consequences of climate change will play out over decades, risks that could arise in the next three to five years are considered in typical stress testing exercises. The incidence and impact of extreme events is rising and there is sizable uncertainty over policies. All these can potentially have large effects on the value of companies, and thus banks, as markets price in the effects of longer-term risks on business prospects.
The first step in the IMF’s climate risk analysis is to assess which hazards are the most relevant for a country. Where climate risks are important, the bank solvency stress testing framework incorporates the physical and transition risk.
This often starts with temperature and emissions scenarios based on figures from the United Nations Intergovernmental Panel on Climate Change and adapted by the Network for Greening the Financial System, a coalition of central banks working on climate change.
Climate scenarios then map emissions and temperature scenarios to physical risks, like extreme weather, and transition risks, such as future carbon taxes. These scenarios point to the trade-offs between physical and transition risk—the more orderly the transition, the lesser the increase in temperatures and the occurrence of physical climate risk.
Data and projections
The overall assessment of bank stability involves measuring how physical or transition risks impact the economy and bank capital. Physical risks are localized and require new approaches to understanding where storms and floods may strike. The analysis uses new data and projections of the likelihood and impact of different hazards on physical assets like buildings or infrastructure, and economic activity, such as extreme heat that reduces working hours. This approach was applied to consider risks to banks from typhoons in the 2021 Philippines FSAP.
Policies to support transition to a lower carbon world seek to shift resources from brown to green sectors, impacting the prospects for the brown sectors. For the purposes of analyzing how this impacts the financial sector, we assess the impact of carbon taxes (as a proxy for the wide set of policies to foster transition) on individual economic sectors and, where possible, directly on firms’ balance sheets and therefore to banks.
We also assess what happens if investors reassess the value of businesses because of the effect of unforeseen changes in policies on long term earnings. Such an outcome, sometimes referred to as a climate Minsky moment, could lead to increases in credit risk today, affecting bank capital. This was discussed in this year’s United Kingdom FSAP which gauged how firm valuations, and thus credit risk, could be suddenly affected by climate change.
Enhancing the policy framework
At this early stage, climate risk analysis can help raise awareness around the prudent management of climate risks and incentivize banks in improving their frameworks. At the same time, it will help to inform supervisors about the potential magnitude of climate-related risks in their jurisdictions and better understand transmission channels to the financial system.
Currently, several supervisors and central banks use climate stress tests to measure the exposures to related risks. This helps to understand the challenges to banks’ business models, the implications for the provision of financial services, and desired policy responses. Ultimately, climate risk analysis will help financial institutions disclose and manage related risks.
Authors:

Tobias Adrian
Vikram Haksar
Ivo Krznar
This blog reflects research by Pierpaolo Grippa, Marco Gross, Sujan Lamichhane, Caterina Lepore, Fabian Lipinsky, Hiroko Oura and Apostolos Panagiotopoulos.

Compliments of the IMF.
The post IMF | How Economies and Financial Systems Can Better Gauge Climate Risks first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.

Blog post by Fabio Panetta, Member of the Executive Board of the ECB |

Trading in unbacked digital assets should be treated by regulators like gambling.

Last year marked the unravelling of the crypto market as investors moved from the fear of missing out to the fear of not getting out.
TerraUSD — a stablecoin that was stable in name only — was among the first to fall in a chain of collapses that brought down several lending platforms, a hedge fund, a leading crypto asset exchange and most recently a large US-listed crypto mining company. Other crypto companies are likely to be added to this list in the coming months.
These failures occurred in rapid succession, reflecting crypto players’ incredibly high leverage, their interconnectedness across the crypto ecosystem and their inadequate governance structures.
Yet remarkably, the crypto market rout has left the financial system largely unscathed. Many therefore think it preferable to let crypto burn rather than regulate at the risk of legitimising cryptos. Let me voice two important reservations about this view.
First, despite their fundamental flaws, it is not certain that crypto assets will ultimately self-combust.
Take unbacked crypto assets, for instance. They do not perform any socially or economically useful function: they are rarely used for payments and do not fund consumption or investment. As a form of investment, unbacked cryptos lack any intrinsic value, too. They are speculative assets. Investors buy them with the sole objective of selling them on at a higher price. In fact, they are a gamble disguised as an investment asset.
But it is precisely for this reason that we cannot expect them to disappear. People have always gambled in many different ways. And in the digital era, unbacked cryptos are likely to continue to be a vehicle for gambling.

This year’s crypto market meltdown caught millions of investors off guard.

Second, the cost to society of an unregulated crypto industry is too high to ignore. For one, this year’s crypto market meltdown caught millions of investors off guard. Uninformed investors were left with significant losses. It is not just cryptos that are being burnt.
In addition, unregulated cryptoassets can be used for tax evasion, money laundering, terrorist financing and the circumvention of sanctions. They also have high environmental costs.
That is why we cannot afford to leave cryptos unregulated. We need to build guardrails that address regulatory gaps and arbitrage and tackle the significant social costs of cryptos head-on.
This is easier said than done. Regulators must walk a tightrope. Like Ulysses, they must resist the beguiling crypto sirens to avoid falling prey to the industry’s intense lobbying. And on their journey, they must steer clear of the Scylla of poor regulation and the Charybdis of legitimising unsound crypto models.
The EU’s Regulation on Markets in Crypto-Assets is an important step. It is crucial that it is implemented as soon as possible. However, further work needs to be done to ensure that all segments of the industry are regulated, including decentralised finance activities such as crypto asset lending or non-custodial wallet services.
In addition, regulation should acknowledge the speculative nature of unbacked cryptos and treat them as gambling activities. Vulnerable consumers should be protected through principles similar to those recommended by the European Commission for online gambling. They should be taxed in accordance with the costs they impose on society.
To avoid the risk of regulation lagging behind because of the time needed for legislative processes, regulators and supervisors need to be empowered to keep pace with crypto developments.
And to be effective and prevent regulatory arbitrage, regulation must have a global reach. The recommendations of the Financial Stability Board for the regulation and oversight of crypto asset activities and markets should be finalised and applied urgently, as should the rules recently published by the Basel Committee for the treatment of banks’ exposures to cryptos.
However, regulation and taxation alone will not be sufficient to address the shortcomings of cryptos. To build solid foundations for the digital finance ecosystem, we need a risk-free and dependable digital settlement asset, which can only be provided by central bank money. That is why the ECB and central banks around the world are working on both retail and wholesale central bank digital currencies. By preserving the role of central bank money as the anchor of the payment system, central banks will safeguard the trust on which private forms of money ultimately depend.
Author:

Fabio Panetta, Member of the ECB’s Executive Board

Compliments of the European Central Bank.
The post ECB | Caveat emptor does not apply to crypto first appeared on European American Chamber of Commerce New York [EACCNY] | Your Partner for Transatlantic Business Resources.