The field of data protection underwent rapid transformation in 2024, shaped by new regulations, landmark legal decisions, and the early signs of a global movement towards responsible artificial intelligence. These changes reflect a growing emphasis on safeguarding personal data, fostering innovation responsibly, and addressing emerging technological risks.
In this blog, Data Protection 2024: key trends and predictions for 2025, we look back at the year’s highlights, including the introduction of innovative legislation, groundbreaking decisions by the Court of Justice of the European Union (CJEU), and the global adoption of stronger privacy frameworks. We also look ahead to 2025, anticipating global trends and upcoming legislation.
First introduced in July 2022, the Data Protection and Digital Information (DPDI) Bill aimed to reform the UK’s data protection framework. However, it raised a number of concerns, including its potential impact on the EU’s adequacy decisions for the UK and, in turn, on organisations operating across both jurisdictions. The Bill fell when Parliament was dissolved on 30 May 2024 ahead of the general election.
On 23 October 2024, the Data (Use and Access) Bill was introduced to the House of Lords. It aims to modernise the UK’s approach to data regulation, proposing amendments to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, plus a restructure of the Information Commissioner’s Office (ICO).
The DUA Bill builds on many of the ideas, provisions, and objectives of the abandoned DPDI Bill but leaves out some of the most controversial aspects of the previous proposal.
Read a DPO’s perspective on the DUA Bill in our news story.
The European Artificial Intelligence Act (AI Act) officially entered into force on 1 August 2024. It’s the world’s first comprehensive legal framework that aims to harmonise rules on the development and use of artificial intelligence systems. The Act takes a risk-based approach to the classification of AI systems, balancing innovation with regulation to prevent harm to health, safety, and fundamental human rights.
Under the AI Act, organisations fall into one of six distinct roles, each with its own set of obligations. Understanding the requirements of the AI Act and what will apply to your organisation is crucial for compliance.
To learn more about the timeline of the Act’s provisions and the requirements for organisations, read our blog series: Compliance with the AI Act.
On 5 September 2024, Lord Chancellor Shabana Mahmood signed the Council of Europe Framework Convention on Artificial Intelligence on behalf of the UK. The agreement is the first legally binding international treaty on AI and aims to strengthen safeguards against risks to human rights, democracy, and the rule of law by providing a common approach to AI systems.
Participating states will need to demonstrate compliance with the treaty by implementing domestic requirements around transparency and risk mitigation. In the King’s Speech, the government confirmed plans to legislate in line with its obligations.
Read our DPO insights on proposed UK legislation.
By 17 October 2024, all EU Member States were required to transpose the Network and Information Security Directive 2 (NIS2) into national law. The Directive aims to enhance the resilience and security of critical infrastructure within the EU by establishing stricter security requirements and expanding its scope to more sectors. Many Member States missed the deadline, so the precise obligations and timing for an organisation still depend on the transposing law in each country where it operates.
Under NIS2, in-scope organisations must adopt cybersecurity risk-management measures and establish incident reporting procedures. Significant incidents must be reported to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within one month. To support organisations in complying with their requirements, the European Union Agency for Cybersecurity (ENISA) has developed comprehensive NIS2 guides.
The Court of Justice of the European Union (CJEU) made significant decisions this year that will have implications for businesses worldwide. Two noteworthy cases were Lindenapotheke and Royal Dutch Lawn Tennis Association (KNLTB) v Autoriteit Persoonsgegevens (C-621/22).
In Lindenapotheke, the CJEU ruled that the GDPR does not prevent national unfair competition law from allowing businesses to sue competitors over GDPR infringements. As a result, an alleged GDPR infringement now exposes an organisation to litigation from competitors, in addition to private claims from affected data subjects and possible regulatory enforcement action.
As part of the ruling, the CJEU also confirmed a broad reading of ‘health data’: the information customers provide when ordering medicines from an online pharmacy, including names, delivery addresses, and the products ordered, is health data even where the medicines do not require a prescription. This could affect many organisations in the Life Sciences, Healthcare, and Consumer Goods sectors, which will face the stricter GDPR requirements that apply to special category data.
In KNLTB (C-621/22), the CJEU confirmed that legitimate interests under the GDPR can include purely commercial interests, subject to specific conditions. This landmark decision is expected to provide more flexibility for businesses in processing personal data for commercial purposes, but data controllers must still satisfy the three-part legitimate interests test (purpose, necessity, and balancing against data subjects’ rights) and comply with strict privacy measures when doing so.
Colorado became the first US state to pass a comprehensive artificial intelligence regulation when the Colorado AI Act (CAIA) was signed into state law on 17 May 2024. The CAIA aims to protect consumers by mitigating the risk of algorithmic discrimination. It requires developers and deployers of high-risk AI systems to employ strict compliance measures, such as implementing adequate risk management policies, conducting impact assessments, and providing transparency to regulators and the public.
The CAIA comes into effect on 1 February 2026, giving organisations time to understand and implement the necessary operational changes.
On 15 January 2024, the European Commission renewed Canada’s adequacy status under the GDPR, noting the country’s ongoing efforts to modernise its data privacy laws. Bill C-27 would update the privacy provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), introducing stricter consent rules, enhanced individual rights, stronger enforcement mechanisms, and AI regulation.
However, with a federal election due by October 2025, certain stakeholders have expressed concerns over whether the Bill will pass before then. The Standing Committee on Industry and Technology (INDU) paused its clause-by-clause review of the Bill on 29 May 2024, confirming it will remain paused until at least February 2025.
The final stages of Quebec’s Law 25 came into effect on 22 September 2024, strengthening privacy rights for individuals and updating organisational requirements. The law applies to all businesses that collect, process, use, or disclose the personal data of Quebec residents, regardless of the size, revenue, or location of the business.
In-scope organisations should, among other requirements:
To learn more about your obligations, read our blog: Quebec’s Law 25: A guide to support and compliance.
In 2024, the number of data protection laws worldwide expanded significantly. Several countries have introduced new data protection laws or updated existing regulations to enhance privacy and data security. Notable examples include:
We have also seen increasing protections for biometric and neural data. California passed Senate Bill 1223 in May and Colorado’s House Bill 24-1058 came into effect in August, both expanding the definition of ‘sensitive data’ to include neural and/or biometric data.
Singapore also updated its Personal Data Protection Act to include stricter regulations on the collection and use of biometric data. This includes requirements for explicit consent and enhanced security measures.
To keep up to date with advancing data protection laws, sign up to our newsletter, The DPIA.
There has been a global movement towards responsible AI governance that balances innovation with safety. Several countries have introduced regulations that emphasise similar principles to the EU AI Act, such as transparency and risk management.
In the US, Senators introduced the Content Origin Protection and Integrity from Edited and Deepfaked Media (COPIED) Act, which aims to combat harmful deepfakes by addressing transparency standards and allowing creators to have better control over their work. As part of the Act, AI tool providers must enable creators to attach provenance information to their work.
On 9 September 2024, China’s National Cybersecurity Standardisation Technical Committee published an Artificial Intelligence Safety Governance Framework. The Framework aims to ensure the safe and ethical development and application of AI technologies, outlining inherent safety risks relating to algorithms, data, and AI systems.
For organisations, an effective AI governance programme ensures responsible and compliant AI deployment, reduces risk, and helps organisations keep ahead of regulatory demands. Learn how AI governance can help your business.
As we move into 2025, we anticipate a growing emphasis on consumers’ data rights. This trend is likely to be driven by heightened awareness of privacy issues, stricter regulations, and a greater demand for transparency. Businesses will need to prioritise data protection measures and ensure compliance with evolving legislation to maintain consumer trust and avoid potential penalties.
Read our blog to learn how data protection builds customer trust and loyalty.
We also expect to see significant growth in cybersecurity investment across 2025. According to Check Point Research, Q2 2024 saw a 30% year-on-year increase in cyber-attacks globally, reaching an average of 1,636 attacks per organisation per week. As a result, the cybersecurity industry is poised for substantial expansion as businesses prioritise safeguarding their digital assets.
The advancement in global data protection regulations will continue into 2025. In the US, eight new privacy laws will take effect across various States:
In Canada, it is hoped the INDU will continue its review of Bill C-27 early next year. Should the Bill receive Royal Assent prior to the federal election, global privacy expert Constantine Karbaliotis believes it could take 18 to 24 months to come into effect.
Read more about key privacy updates in Canada and North America.
As we enter 2025, businesses should endeavour to stay ahead of the evolving data protection landscape by prioritising compliance strategies, AI governance, and international data compliance.
With the introduction of new regulations, such as the UK’s proposed DUA Bill and the NIS2 Directive, businesses need to prioritise compliance. Stay up to date with global and local data protection laws, conduct regular audits, update data protection policies, and ensure all staff are trained on the latest requirements.
The global movement towards AI governance, including the EU’s leading AI Act, underscores the importance of robust AI governance frameworks. Businesses should implement transparent AI practices, conduct regular impact assessments, and ensure ethical AI usage.
With international advancements in data protection, such as Australia’s Privacy and Other Legislation Amendment Bill 2024 and Quebec’s Law 25, businesses operating globally must navigate a complex web of data protection laws. Developing a comprehensive international compliance strategy, including understanding local regulations and cross-border data transfer requirements and maintaining up-to-date records, is crucial for maintaining seamless operations in global markets.
To learn more about the future of data governance and emerging trends for the year ahead, watch our webinar, The new frontier: What’s up and coming in 2025?