25 May 2024 marks six years of the GDPR being the global standard for data protection rules for companies doing business across Ireland and Europe.
This regulatory regime is only the beginning. To mark this anniversary, our Technology group takes stock of six key areas businesses should prepare for in the near term.
1. GDPR and the EU's Digital Reforms Package
The net of regulation for entities doing business across Ireland and the EU is getting wider, particularly around the processing of data and personal data. The EU's Digital Reforms package introduces new laws to regulate the areas of AI, content, data and cybersecurity, each of which interplay with and share similarities with the GDPR. To help guide compliance, we have prepared an EU Technology Regulation Playbook, which gives an overview of what is to come and the expected impact on your business.
What to expect and plan for?
Leverage existing data protection governance frameworks for these new laws.
2. Data Protection and Artificial Intelligence
The EU AI Act will take effect (in part) towards the end of 2024. Given the reliance of AI systems on data (including personal data), businesses deploying or developing AI systems must consider GDPR compliance.
What to expect and plan for?
Prepare to combine data protection and AI governance frameworks; understand the challenges and solutions that AI systems present for the GDPR's rules (e.g. data protection principles).
3. Protection of Children's Data Online
EU regulators will continue to focus on protecting children's personal data, particularly in the online world. Companies will continue to face scrutiny on transparency, parental consent and parental controls, age assurance and age verification, children's privacy, and content regulation for children (including under the Online Safety and Media Regulation Act 2022).
What to expect and plan for?
Guidance from the European Data Protection Board (EDPB) on processing children's personal data is expected.
4. One-Stop-Shop Mechanism: Centralised Enforcement?
Where ultimate decisions concerning the processing of personal data by group companies with an EU headquarters are made outside of the EU, businesses may be unable to argue that their "main establishment" is in the EU. In recent guidance, the EDPB has clarified that the One-Stop-Shop mechanism may not apply in such circumstances. The proposed 'GDPR Procedural Regulation' is also on the table and aims to centralise cross-border enforcement of the GDPR among EU data protection authorities.
What to expect and plan for?
A possible shift in the enforcement of the GDPR via the One-Stop-Shop Mechanism and proposed new legislation.
5. Increased Privacy Litigation
Businesses will likely face increased privacy litigation as individuals become increasingly aware of their data subject rights and lower courts have jurisdiction to adjudicate data subject actions. Following the Austrian Post Case (C-300/21), businesses must consider the legal costs and reputational impact associated with a mere infringement of the GDPR for (non-)material damage. To date, non-compliance with the GDPR's basic principles has been at the centre of privacy litigation.
What to expect and plan for?
To see continued and increased privacy litigation for infringements of the GDPR.
6. EU and US Transfers
In July 2023, the European Commission adopted a US adequacy decision under the EU-US Data Privacy Framework (DPF), allowing the free flow of personal data from the EU to the US for certification companies. The possibility of a Schrems III remains a topic of discussion, but regulators on both sides of the deal are confident it will remain valid.
What to expect and plan for?
To see meaningful procedural action from the EU regulators to bring the DPF redress mechanism to EU-based individuals and for any challenge to the adequacy decision to be robustly defended by the European Commission.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.