In 2024, businesses will continue to face an evolving landscape of privacy opportunities and challenges, including an increasingly complex data regulatory environment that extends beyond the General Data Protection Regulation (GDPR). With heightened scrutiny from regulators, consumers, and investors, the need to bolster privacy and data management practices has become even more important. Here’s our top 10 list of what to watch for in the privacy and data regulatory space in 2024:

1. Focus areas for GDPR enforcement. In 2024, there should be an increase in regulatory inquiries relating to data brokerage, the use of biometric data and children’s data and Artificial Intelligence (AI) across the EU. Various supervisory authorities (SAs), including those in Belgium, France, Italy, Spain, and the UK, have marked several of these activities as their enforcement focus areas for 2024. For example, the Spanish SA identified the protection of minors as a focus area for 2024 and recently issued guidelines on effective age verification.¹ We also expect SAs to continue their targeted sweeps on the processing of personal data through mobile applications, companies’ cookie practices, and their handling of data access requests.
2. EU’s highest court to continue to set standards. In 2024, the Court of Justice of the European Union (CJEU) is expected to rule on important data protection issues. For example, the CJEU will clarify the criteria that national courts need to consider in determining the amount of non-material damages to be awarded in case of a GDPR violation. Furthermore, the CJEU will rule on how to determine whether a dataset truly is “anonymous” (e.g., whether this should be assessed on a case-by-case basis, such as by taking into account the possible re-identification tools available to a controller). Finally, the CJEU is expected to clarify companies’ transparency obligations with regard to their automated decision-making (e.g., the necessary content for complying with the GDPR obligation of providing data subjects with “meaningful information about the logic involved”).
3. New data regulations entering into force in 2024. The Data Act entered into force on January 11, 2024, though most of its obligations will apply from September 12, 2025. Data driven companies will want to watch out for this Act that will require providers of connected products (e.g., cars, toys, health tech devices) or related services to allow access to the (non-)personal data generated by their products and share it with third parties. In addition, we expect a push to finalize key pieces of digital legislation before the next EU elections in June 2024, after which there will be a pause in legislative activity. On the plate are:
   • The AI Act (AIA), which is the first comprehensive legislation for AI and which will impose strict obligations on providers and users of AI systems. A political compromise was reached in December 2023 and the AIA is expected to be adopted by mid-2024. Most of its obligations will likely become applicable two years after it has entered into force.
   • The proposed Cyber Resilience Act (CRA) introduces rules for software and hardware products and the remote (processing) solutions, which are essential for the software or hardware to perform its functions. A political compromise was reached in November 2023 and the CRA is expected to be adopted by mid-2024.
   • The proposed GDPR Enforcement Procedural Regulation, which aims to increase the effectiveness and efficiency of GDPR enforcement in cross-border cases by streamlining the cooperation between SAs.² The proposal is still going through the legislative process and subject to political debate at this stage.
   • The proposed Regulation on the European Health Data Space (EHDS) aims to enable the sharing of electronic (anonymized or pseudonymized) health-related data with patients and third parties, such as public authorities, universities, and private companies, for research, innovation, policy-making, and regulatory activities. The text entered trilogue negotiations at the end of December 2023, which will continue in 2024. We expect to see an intense debate on the scope of data sharing under EHDS before a final agreement is reached.
4. Uptick in certifications to the Data Privacy Framework. 2023 brought the long-awaited adoption of the EU-U.S. Data Privacy Framework (DPF) to enable steady flows of personal data between the EU and the U.S. (more than 2,500 U.S. companies were certified to the DPF by the end of 2023). In 2024, more companies are likely to find their way to the DPF and its benefits. However, we also expect to see challenges to the DPF. While the request of a French MP to suspend the DPF through interim measures was denied, the main proceeding, calling to invalidate the DPF, is still pending.³ The privacy activist organization, None of Your Business (NOYB), recently also announced their intent to challenge the validity of the DPF before courts in 2024.⁴
5. First wave of DMA enforcement. Companies designated as ‘gatekeepers’ under the Digital Markets Act (DMA) will need to start complying with the DMA as of March 2024. The European Commission has already indicated that it will “rely on the full array of DMA enforcement powers, including the ability to initiate investigations for non-compliance and impose hefty fines, to continue working towards full and effective compliance”.⁵ Key data-related provisions include, for instance, requirements for gatekeepers to obtain end-user consent to combine or cross-use personal data from a core platform service (CPS) with personal data from their other services; refrain from using nonpublic data of business users, collected by their CPS, to compete against the business users on the platform; and give business users access to continuous and real time data on their use of the CPS, including data on their end users’ engagement on that platform.
6. AI governance takes shape. In 2024, companies will continue to develop and integrate AI into their products and processes. As regulations affecting AI take shape in parallel, companies will need to implement robust governance, such as through internal policies and processes. Such a framework will help identify and minimize risk and liability and document compliance efforts. This will not only be relevant under the AIA and the GDPR, but also under the Digital Services Act (DSA), which includes obligations on auditing algorithms. In the final breaths of 2023, the International Organization for Standardization (ISO) also published its standard on AI management systems (ISO/IEC 42001:2023). This globally recognized standard will likely serve as a helpful tool for companies building their AI governance framework in 2024.
7. Continued focus on online safety, including content moderation. With the introduction of the DSA, the EU has taken the lead in fighting misinformation online and ensuring the protection of children online. In 2024, we expect DSA enforcers will focus on companies’ efforts to detect and take down misinformation (such as AI generated fake news), prompted by the various elections that will take place. Similarly, EU regulators have voiced concerns over the effectiveness of age verification controls that are meant to prevent children from accessing inappropriate content. Therefore, age verification and measures to protect children in online interactions (e.g., against harmful content) are likely to remain high on the regulatory agenda in 2024.
8. Online safety is also a regulatory priority in the UK. The UK’s Online Safety Act (OSA) entered into force on October 26, 2023, and imposes obligations on i) online platforms that allow users to generate, upload, or share content with others, and ii) search services. The most burdensome obligations relate to the protection of children, the completion of risk assessments, and the removal of illegal content. Ofcom, the UK regulator tasked with enforcing the OSA, is expected to release guidance and set codes of practice on how companies can comply with these obligations throughout 2024 and 2025. The guidance will be released in three phases, covering i) illegal harms, ii) child safety, pornography, and the protection of women and girls, and iii) transparency, user empowerment, and other duties.
9. New cybersecurity requirements for companies and cybersecurity service providers. Member States have until October 17, 2024, to transpose the Network and Information Security Directive (NIS2) into national law. Compared to the first NIS Directive, NIS2 imposes stricter cybersecurity risk management requirements and reporting obligations. It also applies to a wider range of companies across various sectors. NIS2 is part of the wider EU Cybersecurity Strategy, which aims to build resilience to cyber threats and includes other recently enacted cyber laws, such as the Digital Operational Resilience Act, which focuses on the financial sector, and the Directive on the resilience of critical entities.
10. Investors will be asking questions about ESG and privacy. The EU’s Corporate Sustainability Reporting Directive (CSRD) requires large companies and publicly listed companies operating in the EU to report on the environmental, social, and governance (ESG) impact of their activities. The CSRD applies a phased approach, with the first reporting obligation taking effect on January 1, 2024 (i.e., companies subject to the EU’s nonfinancial reporting directive must report on financial year 2024 as of 2025). As a result, the topic of ESG has gained significant traction in the last couple of years, including with investors asking about a company’s ESG footprint during due diligence. ESG notably goes beyond reducing carbon emissions. Data processing and data security are also seen as areas that can have an ESG impact if not managed appropriately. Examples include not only appropriate data governance and enabling data subjects to effectively exercise their rights but also assessing the environmental impact of data hosting and processing facilities.

^[1] See https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/aepd-presenta-sistema-verificacion-edad-para-proteger-a-menores-de-edad.

^[2] https://www.europarl.europa.eu/legislative-train/theme-a-new-push-for-european-democracy/file-specifying-procedural-rules-relating-to-the-enforcement-of-the-gdpr.

^[3] https://curia.europa.eu/juris/document/document.jsf?text=&docid=278542&pageIndex=0&doclang=FR&mode=req&dir=&occ=first&part=1&cid=12824321.

^[4] https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu.

^[5]https://eulawlive.com/competition-corner/op-ed-dma-enforcement-setting-the-scene-for-effective-compliance-by-antoine-babinet-and-katarzyna-sadrak/.