Much of the legislation currently underway at EU level, as part of the EU's digital package and data strategy, also has an impact on information rights.
1. Draft e-Privacy Regulation: this is planned to replace the Electronic Communications Directive 2002/58/EC currently in force, but its adoption is uncertain. The National Media and Communications Authority currently carries out the public authority tasks under the existing Directive. (https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_statement_20201119_eprivacy_regulation_en.pdf and https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf)
2. Digital Services Act (DSA), EFFECTIVE from 16 November 2022, general application from 17 February 2024
It replaces the E-Commerce Directive and sets harmonised standards for intermediary service providers, and promotes competitiveness, the protection of consumers and their fundamental rights, and a trustworthy online environment. Pursuant to Article 110 (i) of Act CLXXXV of 2010 on Media Services and Mass Communications, the National Media and Infocommunications Authority has been designated as the Digital Service Coordinator with accreditation, registration and regulatory supervision powers, but the designation of the competent supervisory authority/ies is still under discussion. For the so-called very large online platforms, the EU Commission will also have a supervisory role. In addition, a "European Board for Digital Services" will be set up with a coordinating and advisory role, composed of members delegated by the national coordinators.
On 25 April 2023, the European Commission designated and registered the first group of very large online platforms and search engines. According to the registration decision, this group includes 17 very large online platforms and 2 very large search engines with at least 45 million monthly active users. The list is available at https://ec.europa.eu/commission/presscorner/detail/en/IP_23_2413
3. The Digital Markets Act (DMA), EFFECTIVE from 1 November 2022, with general application from 2 May 2023
It focuses on regulating large service providers, known as gatekeepers, to make the market more open and accessible to smaller operators. It does not directly affect the processing of personal data, but contains antitrust and transparency rules.
On 6 September 2023, the European Commission designated 6 online service providers as gatekeepers, a list of which is available at https://ec.europa.eu/commission/presscorner/detail/en/IP_23_4328
4. Digital Governance Act (DGA), EFFECTIVE from 23 June 2022, directly applicable from 24 September 2023
Aiming to regulate access to large public databases at EU level, the DGA has established procedures and structures to facilitate data sharing between companies, individuals and the public sector.
Based on Section 38 (3) j) of Act CXII of 2011, the Hungarian National Authority for Data Protection and Freedom of Information performs the tasks of the competent authority responsible for the registration and supervision of data intermediary service providers and the competent authority responsible for the registration and supervision of data altruism organisations as defined in the DGA (Section 34/B-E of Act CXII of 2011, effective from 1 January 2024).
The new European Data Innovation Board will have an advisory role, with delegates from supervisory authorities, the EDPB, the EDPS, ENISA (European Union Agency for Cybersecurity), the Commission and other interested organisations.
5. Data Act, EFFECTIVE from 11 January 2024, most provisions directly applicable from 12 September 2025
As a "counterpart" to the DGA, it regulates the transfer of private data to the public sector and the sharing of data between private parties, in particular in the case of jointly generated data, and explicitly makes it easier for users of data-generating network-connected devices to access their data and share it with third parties (right to data portability).
Useful links: https://op.europa.eu/en/publication-detail/-/publication/9f840928-aa62-11ec-83e1-01aa75ed71a1?pk_campaign=OPNewsletter_March2023&pk_source=EUP and https://www.consilium.europa.eu/en/press/press-releases/2023/11/27/data-act-council-adopts-new-law-on-fair-access-to-and-use-of-data/
6. Artificial Intelligence Act (AI Act), EFFECTIVE from 1 August 2024, directly applicable in stages from 1 February 2025
The AI Act provides a uniform definition of AI systems at EU level, following the previous OECD definition, and sets different levels of obligations for producers, importers and deployers of AI through risk-based regulation. In addition to prohibited AI systems, it regulates high-risk and limited-risk AI systems. It does not impose additional obligations on low-risk AI systems that do not fall into either category (e.g. spam filters). The AI Act establishes liability for the development and use of typically multi-stakeholder AI in a similar way to product liability rules, and details the information, transparency and accountability requirements already established in data protection law. To support innovation, it allows AI to be tested in a regulatory sandbox and in real-world conditions, subject to certain safeguards (e.g. involvement of data protection authorities). In addition to the competent authority, it establishes an extensive institutional set-up to address AI issues (AI Office, European Artificial Intelligence Board, advisory forum, scientific panel of independent experts). It is still to be decided by Member States whether the supervisory authority under the AI Act will be separate from others and how it will cooperate with other similar authorities.
7. Amendment to the eIDAS Regulation - EFFECTIVE from 20 May 2024, applicable within 24-36 months from the adoption of implementing acts to be adopted by 21 November 2024
On 30 April 2024, Regulation (EU) No 2024/1183 (amending Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, eIDAS Regulation) was published. The eIDAS Regulation amendment extends the scope of electronic trust services with new rules on e.g. the European digital identity wallet, electronic authenticated delivery, electronic website certificates, electronic stamps, electronic ledger and eGovernment. The European digital identity wallet is an electronic identification device that allows the user to securely store and make available to third parties personal identification data and electronic certificates of attributes, to manage access rights at all times, and to sign using qualified electronic signatures or to stamp using qualified electronic stamps. An attribute can be the characteristic, attribute, right or permission of any natural or legal person or object (e.g. position of director, chairman of a legal entity, etc.). This new legal instrument will allow for a uniform, authentic and secure access to identification and other personal data in both private and public sector transactions throughout the EU, instead of the current solutions for identification based on non-authentic data, which are not universally accepted. The Digital Citizenship Program will be one of the practical implementations of this in Hungary.
8. EU Interoperable Europe Act – EFFECTIVE from 11 April 2024, applicable partially from 12 July 2024 and the remaining part from 12 January 2025
The proposal aims to achieve a high level of public sector interoperability within the Union, applicable to public sector organisations and Union institutions that provide or manage network or information systems enabling public services to be provided or delivered electronically. Member States are free to decide on the coordinating body and the detailed arrangements for cooperation. The competent national authority delegates a member to the Interoperable Europe Body. All institutions, bodies and agencies of the Union that provide or manage network and information systems enabling the electronic delivery or performance of public services will appoint an interoperability coordinator. It also aims to create the "Interoperable Europe Portal", a community platform for common and reusable interoperability solutions and a one-stop shop.
9. Regulation on the European Health Data Space – ENTERED INTO FORCE on the 26th of March 2025; certain provisions are only applicable from the 26th of March 2027 or the 26th of March 2029, and the regulation is applicable in full from the 26th of March 2031.
The aim of the Regulation is to establish the European Health Data Space with the dual purpose of facilitating the self-determination of natural persons over their electronic personal health data and the reusability of electronic personal health data for the benefit of society (e.g. research and innovation, policy making, health emergency preparedness and response). The Regulation also sets out a common legal and technological framework for the development, marketing and use of electronic health record systems. The new infrastructure will include the establishment of supervisory and licensing authorities and a central interoperability platform for digital health (MyHealth@EU) to ensure the transfer of electronic health data between national contact points for digital health in the Member States. The Regulation distinguishes between primary and secondary uses. Under the new rules, data subjects will have faster and easier access to their own electronic health data, whether they are in their home country or in another EU Member State, and they will have greater control over how these special categories of data are used. Secondary use involves the re-use of health data in anonymised or pseudonymised form and is subject to strict safeguards.