EDPB 2024: Navigating the Complexities of Data Protection in a Rapidly Evolving Digital Landscape


The year 2024 marked another significant period for the European Data Protection Board (EDPB), which continued its mission to uphold the fundamental right of privacy and data protection in an increasingly complex digital world. As outlined in its 2024 annual report, the EDPB focused on strengthening, modernizing, and harmonizing data protection across Europe through various key activities, guided by its newly adopted 2024-2027 Strategy.

The EDPB Secretariat, providing crucial analytical, administrative, and logistical support, was instrumental in facilitating the Board's work, ensuring effective functioning and a consistent approach to data protection across Europe. The Secretariat's work reflected the growing complexity and breadth of GDPR implementation, managing a significant increase in meetings and IT support requests in 2024.


Key Areas of Activity in 2024

The EDPB's efforts in 2024 spanned several crucial domains:

  1. Consistency Opinions: Consistency opinions are a crucial tool for the consistent application of the GDPR by Data Protection Authorities (DPAs), particularly in the context of new technologies. In 2024, the EDPB observed a sharp increase in requests for opinions on questions of general application under Article 64(2) GDPR. While the EDPB did not issue any Article 65 binding decisions in 2024, it adopted eight Article 64(2) GDPR opinions. These opinions provide authoritative guidance on cross-border data protection measures and address challenges unique to the rapidly evolving digital landscape. Notable opinions adopted in 2024 included:
    • Opinion 08/2024 on 'Consent or Pay' models: This opinion addressed whether consent is valid and "freely given" when users of large online platforms are presented with a choice between allowing data processing for behavioural advertising or paying a fee. The EDPB concluded that most current implementations of 'Consent or Pay' models by large online platforms are unlikely to meet the GDPR’s strict requirements for valid consent. The Board found that these models often fail the principles of necessity, proportionality, fairness, accountability, granularity, transparency, and conditionality. Key issues identified include the imbalance of power held by large platforms, the detriment users may suffer for refusing consent (such as exclusion from services or prohibitive fees), and the lack of genuine alternatives to intrusive advertising. The EDPB will develop further guidelines on this topic.
    • Opinion 04/2024 on the notion of main establishment: This opinion clarified the concept of a data controller's "main establishment" in the Union under Article 4(16)(a) GDPR. This is pivotal for determining the lead DPA responsible for overseeing a controller's GDPR compliance and impacts the one-stop-shop mechanism. The EDPB determined that a "place of central administration" in the EU is the main establishment only if it makes decisions on the purposes and means of processing personal data and has the authority to implement those decisions.
    • Opinion 11/2024 on the use of facial recognition at airports: This opinion addressed the data protection concerns raised by the increasing deployment of biometric systems at airports. The EDPB assessed different storage solutions for passengers' biometric data. It found that only solutions where biometric data is stored in the hands of the individual or in a central database with the encryption key solely in the individual's hands could be compatible with data protection principles (integrity, confidentiality, data protection by design and default, security of processing). Centralised storage without the individual holding the encryption keys was deemed incompatible.
    • Opinion 22/2024 on obligations regarding processors and sub-processors: This opinion, requested by the Danish DPA, clarified controllers' obligations when engaging processors and sub-processors, particularly concerning Article 28 GDPR and accountability. The EDPB stated that controllers should always have information on the identity of processors and sub-processors. Controllers must engage processors providing "sufficient guarantees", and while the initial processor proposes sub-processors, the ultimate decision and responsibility lie with the controller. The level of verification required from the controller varies based on risk. For transfers outside the EEA, the processor drafts documentation (like Transfer Impact Assessments), but the controller must assess it and be able to show it to the DPA. The opinion also discussed the wording of controller-processor contracts regarding processing instructions.
    • Opinion 28/2024 on data protection aspects of processing personal data in the context of AI models: This opinion addressed the conditions under which AI models trained on personal data can be considered anonymous, and the use of legitimate interest as a legal basis for training AI models. The EDPB highlighted that AI models trained on personal data cannot always be considered anonymous and require case-by-case assessment. For legitimate interest as a legal basis, the opinion recalled the three-step test (identify a legitimate interest, assess necessity, carry out the balancing exercise) and provided examples such as fraud detection. It also assessed the implications of unlawful processing during AI model development. The EDPB confirmed that, under certain conditions, AI developers can rely on legitimate interest for model training, with lawfulness determined by that three-step test.
  2. General Guidance: The EDPB provides general guidance in the form of Guidelines to clarify the application of data protection rules. In 2024, the EDPB adopted several important Guidelines:
    • Guidelines 01/2024 on processing of personal data based on Article 6(1)(f) GDPR (Legitimate Interest): These guidelines offer an in-depth exploration of legitimate interest as a legal basis, detailing the three cumulative conditions that must be met: identification of a legitimate interest, necessity of processing, and a balancing exercise against individuals' rights and freedoms. Dedicated sections cover specific contexts like fraud prevention and direct marketing.
    • Guidelines 02/2024 on Article 48 GDPR: These guidelines clarify the application of Article 48 GDPR, which regulates access to personal data by third-country courts and authorities, and its interaction with Chapter V GDPR. Key recommendations state that disclosing data in response to a request from a third country authority constitutes a transfer under Chapter V, requiring a legal basis and a ground for transfer. Case-by-case assessments are needed, considering international agreements or GDPR derogations.
    • Guidelines 01/2023 on Article 37 of the Law Enforcement Directive (LED): Adopted after public consultation.
    • Guidelines 02/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive: Adopted after public consultation. These guidelines address challenges from modern online tracking technologies such as URL/pixel tracking, local processing, and tracking based on IP address only, clarifying the scope of the consent requirement for accessing or storing information on users' terminal equipment.

  The EDPB continued its efforts to make guidance accessible to non-experts, including launching summaries of guidelines and making the Data Protection Guide for Small Business available in 18 languages. It also started developing information sheets to share the core messages of guidelines, and began including executive summaries and examples in guidelines in response to stakeholder feedback.
  3. Statements on Legislative Developments: The EDPB actively engaged with the evolving digital legislative landscape, issuing statements on significant developments. This included statements on proposals regarding child sexual abuse, the financial data access and payments package, the role of DPAs in the Artificial Intelligence Act (AI Act) framework, procedural rules for GDPR enforcement, recommendations on law enforcement access to data, and the second report on GDPR application. Regarding the AI Act, the EDPB highlighted the importance of a human-centric approach and recommended that DPAs should be designated as Market Surveillance Authorities (MSAs) for high-risk AI systems. The EDPB also supported ensuring effective law enforcement access to data but raised concerns about recommendations that could lead to serious intrusions on fundamental rights, such as a broad, general obligation for service providers to retain data, questioning its necessity and proportionality.
  4. Enforcement Cooperation and Enforcement by DPAs: Strengthening GDPR compliance through enforcement cooperation is a key priority.
    • Coordinated Enforcement Framework (CEF): The EDPB launched its third coordinated enforcement action focusing on the right of access under Article 15 GDPR. This was chosen due to the significance of the right and the number of related complaints. 30 DPAs participated, assessing data controllers' compliance through questionnaires and formal investigations. The initiative evaluated 1,185 controllers on response times, clarity, completeness, and overall compliance. Findings showed a mixed level of compliance, with bigger organizations generally more compliant than SMEs. Challenges included inconsistent interpretations of limits to the right and barriers for individuals. A comprehensive report adopted in January 2025 identified seven areas for improvement and provided recommendations.
    • Support Pool of Experts (SPE): The SPE continued providing technical expertise to DPAs. In 2024, nine projects were launched, and deliverables for seven projects were published, including a case digest on security of processing/data breaches, an updated Website Auditing Tool, a Standardised Messenger Audit project, DPO training, and projects addressing privacy risks and auditing methodologies for AI systems (like OCR and NER). The EDPB also organized a Mobile Apps Bootcamp for auditors.
    • Memorandum of Cooperation with PEReN: In April 2024, the EDPB signed an agreement with the French expertise centre PEReN to enhance technical collaboration, focusing on areas like mobile application auditing, data science, algorithmic transparency, and tools to support trustworthy AI.
    • ChatGPT Taskforce: Prompted by the rapid advancements in AI and the absence of a unified enforcement mechanism for OpenAI (which had no EU establishment until February 2024), the EDPB created this taskforce. It adopted a proactive approach, developing a standardized questionnaire for DPAs to investigate ChatGPT's practices uniformly. Key investigation areas included data accuracy, transparency, fairness, and compliance with individual rights. Preliminary findings highlighted challenges like risks from web scraping, processing personal data in model training, and generating outputs that might violate GDPR. The taskforce emphasized embedding "data protection by design and by default" in AI systems and reinforced the EDPB's role in addressing emerging AI challenges.
    • National Cases: The annual report includes a selection of national enforcement actions by DPAs across EEA countries, illustrating the diverse regulatory responses to GDPR infringements. These cases range from investigations and compliance orders to significant sanctions and fines. Many highlight recurring challenges such as unlawful processing (often infringing Articles 5, 6, 9 GDPR), infringement of data subjects' rights (Articles 15-22 GDPR), infringement of cooperation obligations, data breaches, lack of legal basis for processing, unlawful direct marketing/spam, and issues with cookie banners. The report includes specific examples from various countries. Many cases were resolved through the one-stop-shop cooperation mechanism, demonstrating coordinated efforts.
  5. Stakeholder Consultation: The EDPB actively engages with stakeholders through public consultations and events to foster transparency, inclusivity, and collaboration, ensuring its guidance is relevant and practical. In 2024, consultations concluded on Guidelines concerning the ePrivacy Directive's technical scope and legitimate interest, and a new consultation was launched on Article 48 GDPR. Stakeholder events focused on pressing issues such as 'Consent or Pay' models and AI Models and GDPR compliance, facilitating dialogue among diverse groups including consumer rights advocates, data protection experts, industry representatives, academia, and NGOs. A survey evaluated the effectiveness and clarity of EDPB guidance, opinions, and consultations. Stakeholders found guidelines and opinions helpful but suggested improvements such as more explicit analysis, additional guidance on challenging topics, clearer explanations of new definitions, and timely official translations. The EDPB confirmed its commitment to using this feedback for future guidance.
  6. International Role: The EDPB participated in international fora, with Chair Anu Talus delivering contributions at numerous high-profile events, addressing evolving priorities and fostering global dialogue. This included discussions on cybersecurity, cross-border enforcement, AI governance and ethics, and the harmonization of global data protection policies. Deputy Chair Irene Loizidou Nicolaidou also participated in international engagements. The EDPB aims to influence global policy discussions, strengthen partnerships, and share best practices.

Looking Ahead

As the EDPB implements its 2024-2027 Strategy, it remains committed to adapting to the rapidly evolving technological and regulatory landscape. The work in 2024, including addressing complex issues like AI and 'Consent or Pay' through opinions, guidance, and enforcement cooperation, underscores the EDPB's vital role as a guardian of individuals' digital rights in Europe and beyond. The organization also acknowledged the need for additional resources to address the growing complexity of data protection challenges and expanding responsibilities.


By Compliance Hub