When was there last a year not packed with incidents when it comes to data and cyber security? Certainly not 2023. A particular highlight was the agreement of new EU and UK frameworks to replace the Privacy Shield. We've also seen huge progress in important areas of regulation in the EU and, to a lesser extent, in the UK. Meanwhile, GDPR enforcement hit the big time, with the Irish Data Protection Commissioner at the centre of some of the most high-profile penalties this year. And we saw the end of the Schrems litigation – or did we?
Before we've even had time to recover from this year's events, let's take a look at what 2024 might bring - it certainly promises not to be boring.
US transfers will remain a hot topic…
Both the EU and the UK adopted adequacy decisions in relation to frictionless data transfers to the US where importing organisations are signed up to the EU-US Data Privacy Framework (and UK Data Bridge). Sadly, this is unlikely to be the end of the story and transfers will remain a hot topic in 2024. Many organisations have already self-certified under the DPF. Others are wondering whether it's worthwhile. This is not least because the DPF is highly likely to face scrutiny from the ECJ.
The Schrems litigation appeared to draw to a close in May (subject to appeal) when Meta was fined a record €1.2bn for GDPR breaches, but NOYB, the organisation founded by Max Schrems, has already said it will challenge the DPF in what will undoubtedly be dubbed 'Schrems III'. While an attempt by French MP Philippe Latombe to strike it down has stalled, largely due to procedural issues, it remains to be seen whether the DPF, like its predecessors, will ultimately be declared invalid. Crucial to its chances of survival are the extent to which the redress mechanism for EU citizens is deemed effective, and whether it can be demonstrated that access to personal data by US intelligence services is genuinely restricted to what is necessary and proportionate to protect national security. With some sort of challenge a near certainty, businesses will need to bear in mind that the DPF may not be here to stay, although we're not expecting it to go anywhere next year, at least.
…but we're all potential 'third countries'
It's not just EU and UK data transfers to what they deem 'third countries' that will be an issue in 2024. As more and more countries adopt regulations for transfers to third countries, the EU and UK are themselves 'third countries' in the eyes of many data exporters.
China is a case in point. The new Chinese SCCs became mandatory in December 2023, so will become particularly relevant in 2024 – not only for exporters in China, but also for data recipients in the EU, UK and other countries across the globe. Despite the fact that the Chinese SCCs are fairly new, the responsible Chinese authority (the Cyberspace Administration of China, CAC) is likely to adjust their scope in 2024. At the end of September 2023, before the end of the transition period on 30 November, the authority issued a draft of the "Provisions on Regulating and Promoting Cross-Border Data Flows". These aim to define use cases in which no SCCs are required. Although this document is only a draft, it shows that the authority has recognised the importance of enabling third country transfers.
Beyond China, new regulations on data transfers came into force in South Korea on 16 October 2023. While overseas transfers were previously only possible with the consent of the data subjects, the new regulations now provide for alternative transfer mechanisms. Accordingly, data can be transferred to recipients outside South Korea if the recipient has received a certification from the competent South Korean authority, or if the recipient country has a data protection law that is deemed equivalent to the South Korean system – similar to the GDPR adequacy system. The procedures for certifications and for issuing adequacy decisions are still being defined. Unlike in China and the EU, South Korean data protection law does not provide for the possibility of concluding SCCs.
Other countries will follow suit (India is one to watch) and requirements for international data transfers will become more onerous during 2024. It will be increasingly challenging to keep track of the various national requirements, particularly for intra-group data transfers, which regularly involve many different jurisdictions and therefore have to comply with a variety of national requirements.
The GDPR will have to move over…
We're not predicting the decline of the GDPR (although the UK GDPR is another story as we discuss below). It will, of course, continue to dominate personal data processing in the EU, but it will have to share an increasingly crowded space.
In mid-November this year the EU Parliament adopted the Data Act, which is expected to enter into force at the beginning of 2024 and to apply from 2026. However, businesses will need to start considering the Data Act's requirements next year. The Data Act aims to remove barriers to data sharing, give businesses access to data they contribute to creating, and give individuals more control over all their data (not just personal data). It will empower users of connected devices to access the data they generate and share it with third parties, as well as to switch cloud and edge service providers, and it will help SMEs onto a level data playing field.
The AI Act is also around the corner, as we discuss here, and will have an impact on the personal data processing which is an inextricable element of many AI models. It's hard to overestimate just how intertwined AI and data regulation are, which is one of the reasons the UK, which is not planning to legislate on AI, has emphasised the role it expects the ICO to play in AI regulation.
Then we have a variety of proposals on Common European Data Spaces, not to mention the various new cyber laws, new financial data laws and more. But would we predict that the ePrivacy Regulation will join the throng in 2024? Well, we've been wrong on that before so we'll abstain, although it is still part of the European Commission's 2024 workplan.
All this new legislation shows we are no longer just concerned with the protection of personal data, but also with the handling of, and access to, product and service related data. Businesses will be facing much more comprehensive regulation and will need to adapt (including by creating and implementing corresponding internal processes, training employees and so on). One thing is certain: regulation of data, personal or otherwise, will no longer be dominated by the GDPR in the EU.
…while the UK GDPR will (probably) be consigned to history
The GDPR became the UK GDPR after the end of the Brexit transition period and has long been a government target for post-Brexit reform. The Data Protection and Digital Information Bill was originally published in July 2022 and then republished in March 2023 as the Data Protection and Digital Information Bill No.2. The Bill was reintroduced to Parliament on 8 November without its No.2 suffix. During its passage through the Commons prior to its re-introduction, amendments were accepted in relation to clauses 1-7. The government has now tabled 124 pages of further amendments. While these are described as "common-sense changes", some go further and may be politically contentious.
Whether or not the DPDI Bill passes in 2024 remains to be seen, not least because there will be a general election next year. However, even if it does pass more or less in its current form, the UK GDPR will not be entirely banished from memory. This is because the DPDI Bill retains a good deal of the GDPR and is certainly in the same spirit. There will be differences, but they are unlikely to be sufficiently significant to, for example, jeopardise EU adequacy. You can read more about the DPDI as originally introduced here and about changes made by the No. 2 Bill here.
The USA is unlikely to go federal on data protection in 2024
At the end of October 2023, President Biden issued an Executive Order on safe, secure and trustworthy AI (EO). Significant space in the EO is taken up with the issue of data privacy and privacy enhancing technologies, and the EO notably calls on Congress to pass bipartisan data privacy legislation. There is no doubt that the evolving data protection framework in the US becomes more complex almost by the day as individual States enact privacy laws. However, again, 2024 is an election year and it's highly unlikely that there will be space for a new federal personal data protection law, although the related areas of cyber security and AI safety may prove more pressing.
The effect of AI will be fully felt in cyber security
While AI has been incorporated into cyber security defence tools for some time now, the use of generative AI to combat cyber threats is on the rise. Of course, every cyber security software provider has to talk up any AI incorporated into its products to avoid losing out to the competition. Aside from the hype, though, AI-driven automation can materially increase the volume of threat assessments that can be conducted and significantly reduce the time cyber analysts require to detect, triage and respond to meaningful attacks. We expect some of these tools to become as standard as firewalls and multi-factor authentication on any list of technical security measures soon.
Unfortunately, just as threat prevention, detection and response is coming to embrace AI, so too are threat actors. The use of generative AI by threat actor groups to create everything from malicious code to highly plausible phishing emails came as no surprise to anyone, with the possible exception of large language model (LLM) developers. As industry reports highlighted the use of generative AI by threat actor groups in 2023, LLM developers scrambled to add safeguards to their services to restrict prompts designed to assist cyber criminals. As ever, attackers seem to be largely one step ahead, and for 2024 we expect regulators and law enforcement to express a lot of interest in the efforts taken by LLM developers to ensure their services are not used for nefarious purposes.
Cyber security regulation and reporting will come into its own
Cyber security has historically been treated as part of the data privacy regulatory sphere, but 2024 will witness an increase in cyber breach reporting obligations for specific sectors and industries, which will sit in addition to reporting obligations under the GDPR or other privacy regulations in the EU. Although the EU's Digital Operational Resilience Act (DORA) doesn't take full effect until January 2025, reporting obligations across the EU are being developed now for businesses that fall within its scope (largely the financial services sector). The NIS2 Directive must be implemented by Member States by 17 October 2024, and the Cyber Resilience Act, which introduces common security rules for products with digital elements (hardware and software, and particularly connected devices), is likely to be finalised in 2024, political agreement on the legislation having been reached at the end of November.
The focus on cyber security is by no means confined to the EU and UK, so cross-border businesses will be operating in an increasingly regulated sphere. Duties to report to regulators other than privacy regulators are not new, though we will see an increase in such obligations in 2024. What is new, and frankly unwelcome, is threat actor groups using their victims' non-compliance with reporting obligations as another tool to exert pressure while extorting ransoms from those they have attacked. One US firm recently found that the threat actor group which had hit it with ransomware had filed a complaint with the SEC alleging that the victim had failed to report the breach as required under the SEC's new cyber incident disclosure rules. Luckily for the company, the rules in question (which require disclosure of a material incident within four business days of the materiality determination) were not yet in force, but while many cyber security professionals hope that this will not become a trend in 2024, the willingness of threat actors to use every trick available to them means that such hopes may be dashed. This makes it all the more important to ensure robust cyber security is in place, and that incident response plans account for regulatory reporting deadlines as well as technical containment.
Keeping on top of developments in 2024
We'll continue to keep you up to date with data and cyber news in 2024 with our GDH newsletter, and our in-depth features on hot topics and new legislation on our Global Data Hub. You can also use our Digital Legislation Tracker to keep up with the latest legislative developments in the EU, UK and Germany, over a wide range of areas including data and cyber security.