Privacy developments – looking back and looking forward
In this article, we give you a high-level snapshot of the key data protection and privacy developments in the UK and EU in 2024 as well as developments we anticipate for 2025.
Looking back on 2024
| Date | Development |
| January | The ICO fines HelloFresh £140,000 for sending millions of spam marketing messages across a seven-month campaign period in contravention of regulation 22 of the Privacy and Electronic Communications Regulations. Data Dispatch |
| The CNIL fines Amazon France Logistics €32 million for various breaches of the GDPR regarding the company's monitoring practices towards its employees that were found to be disproportionate. Data Dispatch | |
| February | The EDPB clarifies in an opinion that a “main establishment” must be based in the EU and take the decisions on the purposes and means of the processing of personal data and have power to have these decisions implemented. Snapshots |
| The ICO publishes new guidance on how organisations can comply with data protection laws, specifically the UK GDPR and DPA 2018, when it comes to deploying or providing content moderation services. Snapshots |
|
| March | The ICO publishes guidance on how it will assess if a fine should be imposed for data protection law breaches and how it decides on the amount as well as the proactive and reactive steps organisations can take to minimise the risk and quantum of fines. Data Dispatch |
| April | The ICO closes its consultation on 'consent or pay' business models with the initial view that access mechanisms are not likely to comply with expectations in data protection law for consent to be “freely given” where they do not provide people with a free choice about whether to receive personalised ads. Snapshots |
| May | The Data Protection and Digital Information Bill fails to make it through parliamentary 'wash up'. Blog |
| June | The EU AI Act is signed. The Act establishes a risk-based framework that imposes obligations on AI providers and users (eg transparency, safety and accountability) with stricter requirements for high-risk AI applications and general purpose AI models. Snapshots |
| August | The Dutch DPA publishes a record €290 million fine on Uber for transferring personal data of European taxi drivers to the US without using an appropriate transfer tool between 2021 and 2023. Snapshots |
| The ICO puts several social media and video sharing platforms on notice to improve their children's privacy practices. Snapshots | |
| September | The ICO concludes a series of consultations focused on data protection and generative AI. The consultations aimed to address key challenges related to the responsible use of personal data in AI systems, ensuring compliance with UK GDPR and the DPA. Data Dispatch |
| The European Commission announces its intention to launch a public consultation on a new module of the Standard Contractual Clauses which will cover data transfers where both the data exporter and data importer are subject to the EU GDPR. | |
| October | The UK government introduces the Data (Use and Access) Bill to Parliament which, in addition to making GDPR-specific changes, introduces a new Smart Data scheme (that allows for the sharing and access of customer and business data), new digital verification services, and changes to the structure of the ICO. Blog |
| The ICO, together with fifteen other data protection supervisory authorities around the world, have released a joint statement for social media companies to adopt proactive measures to deal with data scraping. Data Dispatch | |
| The EDPB issues advice on controllers' responsibilities with multiple processors and sub-processors, alongside opening consultation on legitimate interest requirements. Data Dispatch | |
| November | The ICO releases its AI tools in recruitment audit outcomes report which sets out recommendations for both AI providers and developers to ensure their AI recruitment tools protect job seekers' privacy rights. Data Dispatch |
| December | The ICO responds to its generative AI consultation and is due to publish final guidance on 'consent or pay' and storage and access technologies. |
Looking forward to 2025
| Date | Development |
| January to March | In the Privacy Laws & Business event held on 25 November, the UK government announced that the Data (Use and Access) Bill is expected to be debated in the House of Commons in early 2025 with Royal Assent following in Spring. |
| Early 2025 | The EDPB has selected the right of erasure as the topic for its fourth Coordinated Enforcement Action amongst data protection authorities which will be launched in early 2025. The report on the outcome of the 2024 coordinated action on the right of access is also expected in early 2025. |
| Spring 2025 | The ICO is due to publish final guidance on consumer Internet of Things and anonymisation/ pseudonymisation. |
| Summer 2025 | The EDPB expects to release draft Standard Contractual Clauses for where the data exporter and importer are both subject to the EU GDPR in late 2024/early 2025. The European Commission is then expected to adopt these by Q2 2025. Data Dispatch |
| November 2025 | Implementation of key obligations under the EU Cyber Resilience Act begins. Blog |
| 2025 | The EDPB has said that it will issue guidance on the use of 'consent or pay' models by all providers operating in the EU in 2025. Snapshot |
| In its 2024-2025 work programme, the EDPB also identified anonymisation, pseudonymisation and children's data as being the subject of further guidance being developed. | |
| The Coalition for Privacy Compliance in Advertising expects to finalise an ICO-approved certification for adtech. | |
| Unknown | In the Privacy Laws & Business event held on 25 November, the ICO identified children's privacy, AI and biometrics, online tracking, cyber, and supporting innovation as its current priorities. |
Stay connected and subscribe to our latest insights and views
Subscribe Here