Privacy horizon - what to expect in 2024?

Written by Aušra Mažutavičienė
January 10, 2024

Happy New Year✨ In our first 2024 newsletter we’ll wrap up 2023 and have a quick look at the privacy horizon for the year ahead. Let's dive in!

Wrapping up 2023

During 2023, the EU-US Data Privacy Framework was finalized and new data protection laws were introduced around the world. But it was mostly the enforcement actions against Big Tech companies (such as Meta) and a dramatic focus on AI regulations that made the headlines.

Here are the main takeaways from 2023:

  • Data transfers - the EU-US (and UK-US) Framework. The new EU-US Data Protection Framework came into effect in July of 2023. It has made, and continues to make, it easier for EU and UK companies to transfer data to the US. The new framework has already been challenged, so it’s hardly a “happily ever after” for data transfers to the US (see below for what’s expected in 2024).

  • New privacy laws. New data protection laws in India and at least seven US states were introduced. Five US state privacy laws came into effect: the revised California law, Virginia, Colorado, Connecticut and, most recently, the Utah privacy law, which is effective from December 31, 2023. Also, a revised Swiss data privacy law came into effect in September. So if you’re operating on a global scale, it’s quite a challenge to stay on top of all the new legislation.

  • The enforcement actions against Big Tech. This year saw a jump in the frequency and severity of fines handed out by regulators. The receiving end of these fines was dominated by Big Tech, with Meta the most constant target.

The cumulative numbers for 2023:

438 total GDPR fines

€2.054 Billion in fines

The latter is mostly due to Meta's €1.2 billion fine, the largest GDPR fine ever issued. That fine was over Meta’s continued data transfers from users in Europe to the US and, as you might recall from our previous newsletter, they’re also facing issues in Norway.

  • The rise of AI - and AI legislation. The use of AI is progressing so fast that regulators are in a rush to introduce comprehensive rules and guidelines. In the US, the Biden Administration released the first comprehensive executive order on AI. The G7 released a code of conduct for AI. CNIL, the French Data Protection Authority, published guidelines on the use of AI along with an action plan. But, most importantly, the first comprehensive AI legislation, the EU AI Act, was agreed on (at a political level). The final text of the legislation has yet to be published.

    This brings us to what to expect in 2024👇🏻

What to expect in 2024?

We believe it's likely that the following will happen (although nothing is certain these days 😉):

  • Finalizing the EU AI Act. In 2024, the EU AI Act will be finalized (but not enforced). So you can expect that EU data protection authorities will likely begin urging companies to already meet the Act’s material requirements. Vetting vendors for AI compliance will likely also start and increased compliance around safeguards and guardrails can be expected.

  • EU-US Privacy Framework being challenged. NOYB, the organization behind Max Schrems, has said it will challenge the EU-US Privacy Framework (DPF) in what will perhaps result in a “Schrems III”. While the first attempt to strike the DPF down by French MP Philippe Latombe failed (largely due to procedural issues), it remains to be seen if the DPF will ultimately be declared invalid.

  • New EU data regulations. 2024 is going to be a big year for new EU data regulations. All obligations under the Digital Services Act (DSA) will start to apply to intermediary services (e.g. online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms) as of February 17, 2024. Data-driven tech companies will want to take note of the final text of the Data Act which is expected to be adopted in 2024. The Data Act includes obligations for companies that provide connected products (i.e. products that can communicate data) or related services to provide access to data generated by the use of their connected products.

  • US privacy laws. 2023 saw a flood of new US state privacy laws and 2024 looks no different: privacy laws in Florida, Tennessee, Montana, Oregon, and Texas come into effect this year along with new regulations under the existing California and Colorado laws. It can feel overwhelming but there’s some good news – most of these laws are similar in scope and obligations so compliance efforts can be streamlined.
  • Children’s privacy. In 2024, one of the main focuses of regulatory and supervisory authorities around the world will be children’s online safety. Expect enforcement actions against digital service providers not implementing appropriate age checks or failing to protect children against illegal content and content deemed “harmful to children”.
  • NIS2’s deadline. By October 2024, EU member states will need to have implemented the NIS2 Directive into their national laws. NIS2 introduces a number of cybersecurity obligations, with regard to both security and the reporting of incidents. EU and non-EU based organizations will have to come to grips with the widened scope of NIS2, figuring out whether NIS2 applies to them (or whether it can indirectly affect them through an in-scope, third-party organization’s supply chain obligations) and tightening up their cybersecurity practices where needed.
  • AI litigation. Use (and abuse) of AI platforms is expected to grow in 2024 due to their increasing adoption and we will likely see new litigation cases in this area. On that note, the New York Times Company recently sued OpenAI and Microsoft accusing them of using millions of the newspaper's articles without permission to help train chatbots to provide information to readers. This suit is not the first against artificial intelligence companies but the New York Times is the first major news publisher to sue the AI creators. So the conclusion of this lawsuit will undoubtedly have huge implications for how the battle between AI and media will play out.

We will keep a close eye on all of the above and anything else that happens in the world of privacy this year, and will of course keep you updated.

Wishing you a good start to 2024 from Stine, Ausra and the Openli Team