As we reach the end of the year, I wanted to put generative artificial intelligence to the test. My prompt to an undisclosed source: a 600-word editorial summarizing notable privacy and data protection developments in Europe in 2024. One new year's resolution from yours truly: I might do that again but only for entertainment. Here is what came out — output edited for brevity.
The generative AI tool listed "Regulation and Enforcement" as the first theme, perhaps rightfully so, stating the EU General Data Protection Regulation "continued to be the cornerstone of privacy protection across Europe. In 2024, several high-profile enforcement actions highlighted the GDPR's influence, with substantial non-compliance fines levied on tech giants.”
The term "cornerstone" suggests a somewhat immutable concept. Yet, the daily jurisprudence from the courts and regulators have made the GDPR very much a living regulation. Many pivotal decisions, opinions and rulings have paved 2024 on issues of interpretation of the GDPR in the face of new business models, its interplay with new technology, and its articulation with newer pieces of legislation. The new year will be no different.
"Among the most significant enforcement actions was the fine imposed on Meta Platforms, Inc. for GDPR violations related to targeted advertising practices. The company was accused of not obtaining proper consent from users for its data processing activities. This action further solidified the GDPR's importance in regulating Big Tech, serving as a reminder to other companies about the need for comprehensive data privacy strategies," the generative AI tool said.
European regulators have made no secret of seeing some compelling virtue in issuing major fines and mandating corrective actions against "Big Tech." The effectiveness of this posture, though, should be nuanced in light of the actual capacity of regulators to collect the fines. A recent Irish Times article explained that while Ireland's Data Protection Commission issued the highest amount of fines in 2024, only 0.6% was effectively collected. The reason? A mix of ongoing litigation and procedural hoops to jump through.
The funniest theme listed by generative AI was international data transfers, recounting the — hold on to your hats — "Schrems IV Case" as follows: "in 2024 (…), the (CJEU) ruled that the EU-U.S. Data Privacy Framework, designed to replace the invalidated Privacy Shield, did not meet the required standards for protecting EU citizens' data from U.S. government surveillance. This decision called for tighter safeguards and additional measures to be implemented by companies transferring data across the Atlantic."
Rest assured, you haven't missed the sequel and there is no Schrems IV ruling, or Schrems III for that matter. The latter may emerge in 2025 as the European Data Protection Board pointed to concerns about the lack of specificity on how the U.S. interprets and applies necessity and proportionality. Going into 2025, this could anchor critics in future looming court challenges.
Generative AI wrapped up its digest addressing future trends and challenges, namely "challenges posed by technological advancements and international agreements." We already know there will be a lot more to 2025, but for now, let's all agree to enjoy a well-earned holiday season. May it be joyful and peaceful, whatever your plans may be.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
