Commissioner addresses GTG Tech Law Seminar

20 February 2025

The Information and Data Protection Commissioner Ian Deguara took part in a panel session organised by GTG as part of the GTG Tech Law Seminar which was held on 19 February 2025.

Moderated by Dr Terence Cassar, this panel explored the latest legislative developments shaping the future of technology, data protection, and digital innovation. It brought together leading experts from regulatory authorities, critical infrastructure, and compliance – including the IDPC. The theme of the panel discussion was “Navigating the Wave of Tech Legislation.”

Mr Deguara stated that the GDPR is still fit for the digital age and there are no plans in the pipeline to open it for re-negotiation. It will nonetheless be supplemented by a separate regulation setting out procedural rules which will apply for cross-border complaints. He said that the regulation is still being negotiated among the co-legislators.

The GDPR may also be subject to specific targeted amendments by means of omnibus simplification measures as indicated in the European Commission's Competitiveness Compass which states that the Commission will "work on simplifying record keeping under the General Data Protection Regulation", Mr Deguara added.

He referred to the much-awaited ruling to be delivered by the CJEU in the case EDPS v. SRB where the notion of whether pseudonymised data is considered to fall within the definition of personal data, when the controller does not have the additional information to identify the data subjects or legal means to have access to the key, will be decided. The Advocate General delivered his advice on the 5 February 2025 wherein he took the view that pseudonymised personal data in the hands of a third-party recipient shall not automatically be considered to be personal data when the risk or re-identification is insignificant or non-existent.

Finally, Mr Deguara spoke about the need to ensure that all security incidents, which might involve personal data breaches, are handled appropriately under the various legal regimes, and that it is imperative that an incident response plan is in place.