Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

The European Data Protection Board and European Data Protection Supervisor presented their 2024 annual reports during the latest Committee on Civil Liberties, Justice and Home Affairs meeting. This EDPS report is of special significance, as it marks the 20th anniversary of the institution and concludes the EDPS's 2020–24 mandate.

EDPS Wojciech Wiewiórowski provided an overview of EDPS's activities over the past year, including providing 97 legislative consultations, receiving over 100 admissible data breach notifications and closing all cases up to 2022.

Wiewiórowski highlighted the EDPS's evolving role following the introduction of the Artificial Intelligence Act, which mandates it to be the competent market surveillance and notifying authority and notifying body for EU bodies. To tackle additional responsibilities, it created an AI Unit and set up the AI Correspondents Network, which is similar to its existing Data Protection Officer network. Wiewiórowski revealed that the EDPS is considering establishing a regulatory sandbox for EU bodies but deems it difficult without additional resources.

When asked if EU institutions should only work with EU-made AI, Wiewiórowski shared his critical stance on localization solutions. He concluded by encouraging, "Don't be afraid of AI," but clarified that while the AI Act only deals with high-risk AI solutions, which account for 5 to 10% of all AI, all solutions have to comply with the EU General Data Protection Regulation when it comes to data protection.

Chair of the EDPB Anu Talus presented its annual report. Among its key 2024 highlights, Talus noted EDPB's 2024-27 strategy, consistency opinions issued last year, four new guidelines and continuous efforts to make them more accessible through translations and summaries, efforts to increase stakeholder engagement through topic-specific stakeholder events and enhanced cross-regulatory cooperation.

Talus explained that the institution is evolving, and its current focus is shifting to making guidelines more accessible to small- to medium-sized enterprises and establishing effective cross-regulatory cooperation following the arrival of the EU Digital Rulebook.

Talus also addressed the EDPB's primary challenge of a lack of staffing and funding.

First DMA fines

As everyone was starting to get impatient, the European Commission delivered its decisions concluding Apple and Meta's alleged noncompliance with obligations of the Digital Markets Act. As a result, both companies are facing massive fines, 500 million euros and 200 million euros, respectively.

The Commission found the Apple Store's steering rules, which prevent app developers and consumers from accessing alternative and cheaper options outside the App Store, are not necessary and proportionate, and therefore are incompatible with the DMA. To avoid further enforcement measures, Apple will have to remove such steering restrictions and refrain from any conduct with a similar effect in the future. 

The Commission's decision on Meta's noncompliance is based on its "Consent-or-Pay" advertising model, a matter widely discussed in the privacy sphere. The Commission found this model incompatible with the DMA, which requires gatekeepers to obtain users' consent to combine their personal data from different services, and in the absence of such consent, provide them with a less personalized but equivalent alternative. This decision is without prejudice to the Commission's ongoing assessment of an alternative free personalized ads model, which Meta introduced in November 2024.

These decisions raise questions about the evolving relationship between data protection and competition laws. It remains to be seen whether the upcoming EDPB guidelines on the intersection between the GDPR and DMA will provide enough clarity on this topic.

Difficulties keeping up with deadlines

It was reported that the European standardization body CEN-CENELEC is expecting to miss the August 2025 deadline to finish developing the AI Act's standards. The technical standards that will translate the AI Act's legal requirements into practical guidelines will not be ready before next year. Such standards are expected to provide more clarity on certain AI Act requirements, but it looks like they will only see the light shortly before the regulation's full application kicks in.

CEN-CENELEC is not the only body struggling to keep up with the deadlines set by the European Commission. It appears multiple EU member states still have not transposed the NIS2 Directive into national law, half a year after the transposition deadline. The directive aims to enhance cybersecurity across the EU by providing a harmonized set of rules on protecting the EU's critical sectors and their infrastructure. This is rather problematic given that cybersecurity has been identified as one of the Commission's areas of focus during its current mandate.

Laura Pliauškaitė is European operations coordinator for the IAPP.

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.