This is the second article in a two-part series. The first article can be accessed here.

Published: March 2024

The period before an election is a good time to take stock of the finishing legislative mandate. What was promised? What was achieved? What is still in the making? What has been discarded or forgotten? What may come next?

In Brussels, these questions echo with a few pragmatic realities:

  • The European Commission, the EU's executive arm, was primarily set up to propose new laws and enforce existing ones. Despite regular calls to slow down the regulatory train, there will be more regulation from Brussels. It's the cycle of EU life.
  • The EU is a vast array of Eurocrats, lobbyists and policymakers representing 27 member states and a Gordian knot of interests. Agreeing on new legislation has become increasingly challenging. At times it leads to rushed and chaotic endings, such as with the AI Act, and unfinished business, such as with e-privacy, and all too often it results in unclear or contradictory rules.
  • The EU policymaking process is lengthy and will inevitably bridge electoral terms. New legislative proposals need to go through preparatory steps, including roadmaps, advisory expert groups and public consultations, that take months, if not years. But when a proposal is made, it inevitably crosses the finish line 99% of the time.

Under current President Ursula von der Leyen, the Commission deployed an ambitious agenda back in 2019 and many files adopted under the EU Strategy for Data are well into the implementation phase. These include the Data Governance Act, the Digital Services Act, the Digital Markets Act and the Data Act, as well as more discreet initiatives such as the e-evidence package and the Digital Operational Resilience Act regulation. The Artificial Intelligence Act and the Cyber Resilience Act will join the cohort later this year, alongside privacy-tangential initiatives such as the regulation on political advertising transparency, the highly debated EU Media Freedom Act, the European Digital Identity Wallets and the Product Liability Directive, which has been revised to account for technology developments.

Unsurprisingly, not all of the strategy's components will have come to fruition by June's elections. As explained in our previous article, files that are not finalized will carry over to the next term. As a result, many important files for privacy professionals are still in the works and will not be adopted until the end of 2024 at the earliest. Here is a nonexhaustive overview:

Nonexhaustive overview of files carrying over to next European Commission term:

  • The General Data Protection Regulation procedural harmonization proposal for cross-border enforcement is expected to enter trialogue negotiations right after the new parliament takes office, provided the European Council reaches its general approach in May as anticipated.
  • Two data-space proposals, addressing health data and financial data respectively, are currently underway, though the former is more advanced than the latter. The mobility data space will soon be proposed.
  • The European Council and Parliament agreed to prolong an interim measure on the child sexual abuse material regulation until April 2026, while the Council continues to negotiate its general approach.
  • The AI Liability Directive, proposed alongside the AI Act, was put on pause before the process truly began. Now that the AI Act is done and the PLD is updated, AI liability discussions are expected to resume after the summer, though the relevance of the Commission's initial proposal may be questioned.

Reasonable expectations from the next European Commission

Drafting the possible contours of the future EU legislative agenda entails a bit of divination. The following is a nonexhaustive list of recurring drumbeats across the EU bubble that may be helpful for predictions.

Cookies and other recipes

After years of agony, the ePrivacy proposal may be recalled by the Commission as it gets ready to formalize its voluntary Cookie Pledge in the spring. The Commission is not garnering the industry support it expected. Should the voluntary path prove unsuccessful, it is preparing an initiative that would introduce mandatory obligations on dark patterns, influencer marketing, addictive use of digital products and personalization practices, among others.

Cloud, software and cyber

The current mandate addressed software and cloud through various forms — data sharing, data flows, digital product requirements and competition to name a few — but the emphasis on cybersecurity is expected to bridge into the next mandate. Of the many possibilities, the expected revision of the Cybersecurity Act and its certification component for cloud services will be one to watch. It ties directly into data sovereignty ambitions across some member states and will be a strong indication of the next Commission's intent in that respect. In parallel, Parliament will make a strong push for a coordinated European response and a legislative proposal to address intrusive spyware, following the Pegasus scandal.

More AI

Building on the AI Act's completion, the Commission will tackle covered areas at a framework level that may require sector-specific approaches and legislative areas that need revisiting due to the passage of the law — bearing in mind most of the act will become applicable in spring 2026, which does not leave much time to assess its impact in practice. Though there are not many details to go on at this time, observers fully expect AI in employment, intellectual property, health and life sciences to be on the shortlist for more EU policymaker attention, in addition to the AI liability proposal that is already on the books.

The IAPP will continue to report on EU developments as the leadership changes and policy plans crystallize. In the meantime, rulemaking should keep privacy pros busy. One thing is for sure: you should never take your eyes off Brussels for too long.
