Welcome to 2024. Best wishes of good health and happiness from all of us at the IAPP. 

1 Jan. marked the switch from the Spanish to the Belgian Presidency of the Council of the European Union. Belgium is taking over for six months with a slogan of "Protect, Strengthen and Prepare," and many challenges await. The war is still raging at Europe's borders, the climate emergency is accelerating and the rule of law is being mistreated in several member states — including the one next in line to hold the presidency come July. Parliamentary elections 6-9 June will lead to an overhaul of leadership across the EU's main institutions and by then Belgium's ambitions to close as many legal files as possible, knowing there are still about 150 files open.

Of the open files, only a handful bear relevance for privacy pros in the grand scheme of things, but they may have a significant impact on organizations' privacy compliance and operations as they cover topics including cyber resilience of connected products, digital identity, data spaces and, of course, EU General Data Protection Regulation cross-border enforcement and artificial intelligence. 2024 will also be a year of implementation for many laws finalized last year, further complexifying the data privacy and governance environment.

Enforcement is expected to continue to ramp up in Europe. According to May 2023 IAPP Research, the total amount of fines issued under the GDPR was already over 4 billion euros at that point. In addition to fines, regulators are also increasingly requiring a change in privacy practices from entire ecosystems, such as advertising technology. Regulators' priorities for this year are likely to include cookies, data subject rights, legal basis for processing and children's privacy. They are also taking on more responsibilities and supervisory powers due to the new EU data policy instruments.

Other things to watch in the coming months:

  • DPOs: European regulators are assessing the position of data protection officers across Europe, which will raise the focus on how well DPOs are positioned, trained, funded and equipped to do their job appropriately against GDPR requirements and may trigger some enforcement actions. The regulators' findings are expected around February.
  • GDPR: The European Commission will release its evaluation report of the GDPR in the spring, which may lead to some (significant) changes in how the law is interpreted and implemented, if the Commission's evaluation questionnaire is any indication.
  • Data transfers: The Commission will conduct the first periodic evaluation of the EU-U.S. Data Privacy Framework in spring 2024. We may also see some legal challenges emerging, putting the future of EU-U.S. data transfers under the microscope again and potentially forcing many organizations to reassess and reprioritize their compliance approach. The Commission also plans to host an international gathering of the 70-plus jurisdictions with adequacy capabilities this year.
  • If you want to ease your way into predicting what 2024 holds, the IAPP Research and Insights team together with our AI governance in-house expert will discuss trends and predictions on an upcoming LinkedIn Live.

If there is one conclusion I draw from the last year, it is that our community is only getting bigger and more diverse, and so are the professional issues we all face. Intelligence gathering and experience sharing among fellow privacy pros continues to be critical.