Subscriber OnlyBusiness

You think last year was big for data protection? Brace yourself for 2024

Privacy legislation is set to mushroom with huge implications for Ireland

Dozens of data-related pieces of legislation are on the agenda for 2024, with many coming from the EU.
Dozens of data-related pieces of legislation are on the agenda for 2024, with many coming from the EU.

For anybody trying to peer into the next business year and imagine what it may bring, the fast-shifting technology sector is generally one of the most difficult to make predictions about. Just cast your mind back over 2023 to one single explosive event. Many industry watchers thought artificial intelligence was advancing in notable ways, but who could have envisaged the seismic repercussions last year after a small company called OpenAI quietly released an AI chatbot called ChatGPT at the close of 2022?

As 2023 rolls over into 2024, one technology sector prediction is easy to make, though, and it’s one in which AI has its own prominent part. Data protection and privacy regulatory challenges for the globe’s technology companies will mushroom, affecting companies small, large – whether swift-growing AI start-ups such as OpenAI (now valued in the billions) – and the giants whose names are familiar to all.

The past year was already one of regular discomfort for big tech. Some significant fines made headlines everywhere, with the Republic the instigator of several of those, given our supersized role in policing the tech giants. The Irish Data Protection Commission’s (DPC’s) record €1.2 billion levied on Meta in May, relating to inadequate protections for EU data transferred to the US, was up at the very top. In addition, new legislation was in train or put into place in many places around the world, including Ireland’s potentially far-reaching Online Safety and Media Regulation Act of 2022, which was commenced in March 2023. But really, these developments, and several big legislative steps in the EU such as the initial launch of the massive Digital Markets and Digital Services Acts (DMA and DSA), were just 2023 data and regulatory hors d’oeuvres for 2024.

Outgoing Data Protection Commissioner Helen Dixon set to move to ComRegOpens in new window ]

Because the EU is a consumer and business market at least as significant as the US, EU regulation is by default the defining digital and data protection legislation for much of the world. Global tech companies, most of them from Silicon Valley in the US, have mandatory obligations in EU markets and, just as important but often overlooked, outside of them because EU data has to be given equivalent protection if transferred to locations outside the EU. That has generally meant that at least some protections mandated in the EU end up benefiting users outside the EU. But it has also created additional problems for tech companies from countries – such as the US – that have weaker data protections, especially regarding access for law enforcement and national security agencies.

READ MORE

All of this will shape 2024 for big tech and most definitely not to its liking. The sector regularly argues, as it has for decades, that regulation constricts “innovation” – a conveniently non-specific term. Yet the time-amplified consequences of unfettered “innovation” have made adequate data and privacy protection so difficult. In addition, many of today’s digital services were, and continue to be, built on presumptions of relatively unshackled data acquisition and privacy trivialisation.

Police officers resigned and moved house after PSNI data breach revealed personal informationOpens in new window ]

But that permissive, exploitative landscape is changing. Dozens of data-related pieces of legislation are on the agenda for 2024, with many coming from the EU. For a start, we’ve not even begun to see how the DSA or DMA will play out, as only the initial elements were commenced in 2023. The rubber hits the road in 2024, already signalled by the EU announcement of its first formal DSA investigation, against Twitter/X, in December. The DSA is mega-legislation, placing new obligations in February on social platforms, digital marketplaces, app stores, content-sharing sites, and online travel and accommodation sites. It will impose stricter oversight on online profiling and how algorithms take decisions, and on advertising. As with GDPR, the DSA also imposes a huge regulatory burden on the State, as so many of the big online services companies base their EU headquarters here. Much of that DSA regulatory task will fall to Ireland’s newly launched Coimisiún na Meán.

The US still doesn’t have a federal data protection and privacy law, and still allows its security agencies access to data in ways that, up to now, have been seen to be too secretive and not robust enough to guarantee EU citizens’ data won’t be arbitrarily gathered up too

The DSA’s partner legislation, the DMA, kicks into action in March, when it tightens the responsibilities and obligations of “gatekeeper” companies, those with significant market share, impact and influence. The DMA also has data-profiling and data-based advertising elements, and will impose more transparent consent requirements for the use or combining of data for such activities. User data must also be more portable – enabling users to move to other services – and accessible to consumers and businesses.

Another major bit of legislation is the EU’s Artificial Intelligence Act, which just managed to squeeze into existence during a contentious December European Parliament vote. Now begins the horsetrading as its elements are finalised in 2024, but companies will want to begin dovetailing their operations to fit the Act’s headline risk-based requirements of transparency, fairness and compliance with the General Data Protection Regulation (GDPR).

Privacy campaigner wants to be part of Meta case against data watchdogOpens in new window ]

Of the more significant European data-related legislation, the EU is also approaching final negotiations on a whistleblowing directive, which will have important data protection and privacy elements for disclosures by whistleblowers, and to protect whistleblowers. Discussions will also continue on the long-delayed amendment to the EU’s 2002 eprivacy directive, which would see it evolve into a Regulation on Privacy and Electronic Communications. There’s also a major draft Cyber Resilience Act and European Cybersecurity Certification Scheme for Cloud Services which will be on the discussion timetable in 2024, and the EU’s network and information security (NIS 2) directive comes into effect in October 2024, by which time individual EU members, including Ireland, need to have their national implementation of the cybersecurity law in place. The new EU Data Act, which will harmonise rules on fair access and use of data, will also likely be argued into its final form in 2024.

The UK too has various pieces of data protection, data privacy, data transfer and online safety legislation rolling in. Whether some of that is considered adequate for moving data across borders has yet to be determined by the EU, but would have major implications for Ireland, given the economic and business relationship between the two countries and, of course, the hybrid market in the North.

The mother of all data-transfer issues, however, involves those between the EU and US, two of the world’s most valuable markets. US-EU data transfers lie behind trillions of annual euro in transatlantic business and form the foundation for many essential day-to-day online and offline activities. The validity of such transfers – whether they comply with GDPR by guaranteeing equivalent protections in the US to EU data – has twice been struck down by the EU Court of Justice (ECJ) in the two cases brought by data protection activist Max Schrems. Those invalidated two successive EU-US data-transfer agreements, The third and latest one will likely be challenged by Schrems, and yet again, end up in the Irish DPC’s “Oh No” inbox reserved for its most daunting regulatory headaches. Don’t forget, that big 2023 €1.2 billion Meta fine arose from these Schrems judgments, and he, and this issue, most certainly haven’t gone away.

TikTok can pursue challenge to €345m fine by Irish data commission over children’s privacyOpens in new window ]

The US still doesn’t have a federal data protection and privacy law, and still allows its security agencies access to data in ways that, up to now, have been seen to be too secretive and not robust enough to guarantee EU citizens’ data won’t be arbitrarily gathered up too. Meanwhile, US states continue to bring in their own laws, many scheduled in 2024, fracturing the US data regulatory market into ever more shards. That might at last prompt the US congress in 2024 to move on a federal law, which then might convince the ECJ that EU data can be properly protected.

As if 2024 wasn’t looking spicy enough on the data front, Ireland will totally overhaul the DPC’s office, with current Data Protection Commissioner Helen Dixon exiting after a decade, and a new three-commissioner structure coming into place. The new commissioners will have to hit the ground running given the tidal wave of new or just-commenced legislation that will bring many more responsibilities.

The ability of Ireland, an EU minnow, to regulate the world’s most powerful companies in accordance with this prodigious pile of legislation is already contentious and will only grow to be more so internationally and at home. Adequate funding for the DPC and the Coimisiún now and in the years ahead will be a weighty national nettle to grasp on a recurring basis – only this year, the Dáil failed to meet the DPC’s budgetary request. Also, funding these offices, and investigations that can be lengthy and costly, is a burden that will fall squarely on Irish taxpayers, who might justifiably begin to baulk at paying for the lion’s share of EU data investigations simply because the EU decided to impose this “one-stop shop” mechanism late in the negotiation of the GDPR.

Finally, an unconsidered and unwanted outcome of this proliferation of EU (and unsynchronised global) legislation may be the reverse of intention: a chilling effect on complaints and investigations. People, and concerned organisations, might find it overwhelming to determine where to take an issue. A national body? An EU body? Which one? Arguably the DPC may end up a first port of call, as the GDPR underlies all these data and privacy regulations. But then, that’s even more work for a DPC that has much long-prolonged and unfinished work on its desk as is. Perhaps the best piece of data legislation in 2024 would be to restructure the GDPR and related laws away from Ireland, to a more centralised handling mechanism.