The Chair’s Address

In the ever-changing landscape of data protection, every year is a busy year for data protection professionals and 2024 will certainly be no exception. I would expect the following topics to be keeping us all busy in the coming twelve months.

Technology is always a key driver for change, and with the rapid development of new AI tools, and in particular generative AI applications, data protection professionals can expect AI-related data issues to be landing in their in-trays very soon. With the promise of greater efficiencies, companies are under increasing pressure to deploy AI technologies, perhaps more quickly than is advisable. This will inevitably create new data protection risks, so DPIAs will have to be adapted to deal with the identification and mitigation of these novel risks to personal data.

On the legislation front, and sticking with AI, the ink is very nearly dry on the EU’s Artificial Intelligence Act. After a titanic struggle in the final trilogue in December, the EU institutions are close to finalising the text and we can expect to see this in February. We should all be paying close attention to this Act and focusing on the areas of overlap with data protection responsibilities. Additionally, it is not yet clear where many of the new AI governance responsibilities will lie in organisations. To the extent that that the data protection profession is asked to take the lift on this, we must all examine what this means for our roles, particularly from the perspectives of resourcing, knowledge and, potentially, conflicts of interest.

In terms of regulatory action, one to watch out for this year will be the Meta so-called ‘pay or okay’ approach to consent for targeted advertising. The only difficulty with Meta’s approach is that it is not at all clear that paying will make anything ‘okay’. The nub of the matter is that Meta has offered EU users the choice to either use Facebook and Instagram for free in exchange for their data or pay a monthly subscription fee and, so, see no ads. However, given that consent under the GDPR needs to be ‘freely given’, the inherent incentivisation model at play here would seem to be very much at odds with the letter and spirit of the GDPR. This is currently being investigated in the European courts and by the EDPB, so the outcome of this will be of critical importance for how online services use our data for targeted advertising.

Finally, for the Irish data protection profession, and indeed the EU at large, with the news that current data protection commissioner, Helen Dixon, will stand down on 19 February, we know that we will have a new data protection commissioner and a new era beginning at the helm of the Data Protection Commission. We will, no doubt, see throughout 2024 what changes this brings for the profession in Ireland, and across Europe, where Ireland is often the lead supervisory authority on major regulatory investigations.

What else to look out for:

• An increased focus on the protection of children’s data.
• More scrutiny of the role of the data protection officer following on from the EDPB’s 2023 Coordinated Enforcement Action report in this area.
• The rise of privacy-enhancing technologies, including advanced encryption technologies.
• More privacy laws in the US: Eight US states passed data privacy legislation in 2023, and laws in five of those states will come into effect in 2024.
• Progress on the ePrivacy Regulation, maybe.
• Enforcement beginning on the Digital Services Act (DSA) and Digital Markets Act (DMA).
• On cybersecurity, the significant potential fines in the expanded Network and Information Security 2 (“NIS2”) Directive, which requires member states to apply implementing measures from October 2024.
• Increased use and reliance on EU-US Data Privacy Framework.
• The possible arrival of the UK’s Data Protection and Digital Information Bill and the implications this may have for UK adequacy.
• Yet more important data protection caselaw emanating from the CJEU.

Deirdre Miller is our feature writer this month, and as it happens she is also our ADPO Executive Committee Member of the Month. Deirdre has put together a compilation of updates covering important topics such as Data Protection Claims in the Courts and the recent EDPB report on the Designation and Position of Data Protection Officer.