New European Privacy Legislation in 2024
European regulations and directives regarding privacy and data protection are rapidly evolving. This blog post provides an overview of all enacted legislation and upcoming measures for this year.
The following initiatives are covered:
- Digital Markets Act (DMA)
- Digital Services Act (DSA)
- Digital Governance Act (DGA)
- Network and Information Security Act (NIS2)
- Digital Operational Resilience Act (DORA)
- Data Act
- AI Act
- European Health Data Space (EHDS)
The AI Liability Directive and Cyber Resilience Act (CRA) are beyond the scope of this post.
Digital Markets Act (DMA)
This regulation came into effect in May 2023. The Digital Markets Act (DMA) aims to make digital markets fairer, thereby promoting competition.
It focuses on so-called ‘gatekeepers’: the major (often American) digital platforms that operate core platform services, including Alphabet (Google Search, YouTube), Amazon, Apple (App Store), ByteDance (TikTok), Meta (Facebook, WhatsApp), and Microsoft (Windows, LinkedIn).
The DMA imposes obligations (‘do’s’) and prohibitions (‘don’ts’) on these gatekeepers. For example, they must allow third parties to ‘interoperate’ with their services in certain situations, such as sending messages from one platform to another. They must also provide transparency to advertisers and businesses advertising on their platform. At the same time, they are prohibited from favoring their own services in rankings or preventing users from uninstalling their software.
Non-compliance with the DMA can have significant consequences, including fines of up to 10% of a company’s annual global revenue, increasing to 20% for repeated violations. Periodic fines can amount to 5% of daily revenue.
Gatekeepers must comply with the provisions of this regulation starting from March 2024.
Digital Services Act (DSA)
The DSA, the twin of the Digital Markets Act, has multiple goals, such as reducing online deception and misinformation and facilitating digital commerce.
The DSA targets various online services, including online marketplaces, social networks, content-sharing platforms such as video platforms, and online travel and accommodation platforms. Like the Digital Markets Act, it involves the largest service providers, the gatekeepers. Currently, 19 gatekeepers have been designated, including X (formerly Twitter), AliExpress, and Snapchat, in addition to the previously mentioned names.
These major digital services (gatekeepers) must conduct annual assessments of the risks of harmful online practices on their platforms. This includes illegal goods or content and the spread of misinformation.
Online marketplaces must gather more information about the companies selling products or services on their platform to discourage and identify fraudulent traders, eliminate unfair competition, and make it easier for consumers to assert their rights.
Social networks must be more transparent about moderation practices, particularly regarding the removal of information or users. Personalizing ads based on factors like belief or sexual orientation is prohibited. Additionally, children must receive extra protection.
For citizens, this means enhanced protection of fundamental rights, more control and choice, stronger protection of children online, and reduced exposure to illegal content. For providers of digital services, the DSA offers legal certainty and a unified set of rules for the EU.
The regulation came into effect on August 25, 2023.
Digital Governance Act (DGA)
This law has faced criticism, and its precise scope is yet to be established in practice.
The DGA concerns access to government data, which should, in principle, be freely available and not exclusively shared with one party. For instance, when using anonymized medical data for new drug research, governments are already obligated to share information but must register their ‘reuse policy’ with a central information point.
The DGA also regulates data sharing by companies and consumers through so-called data intermediation services (or data brokers). These services must now register and cannot use data for other purposes. The DGA aims to protect data while providing an alternative to a limited number of larger companies currently dominating the data market.
The DGA came into effect on September 24, 2023.
Network and Information Security Act (NIS2)
NIS2 aims to enhance the cybersecurity and resilience of essential services in EU member states.
NIS2 is a European directive, not a regulation, meaning that EU countries must transpose this directive into national legislation. Work is currently underway in various member states to develop implementing laws.
One area requiring clarification is which organizations exactly fall under the scope of this law. It includes organizations that provide services crucial, essential, or critical to the functioning of society or the economy, such as those in energy, transportation, banking, healthcare, drinking water, and government.
Essential services have a duty to secure their services and a reporting obligation, meaning incidents must be reported to a regulator, along with details on how the incident is being resolved. This reporting obligation is similar to that in the GDPR. Organizations may also be required to certify themselves.
Various national governments advise not to wait for the final legislation and to start preparations now, such as conducting risk analyses of physical and digital risks that could disrupt the services of organizations. They also recommend implementing measures to make organizations resilient and establishing procedures to detect, monitor, resolve, and report incidents that could disrupt business processes.
The law takes effect from October 2024.
Digital Operational Resilience Act (DORA)
DORA specifically applies to the financial sector.
Its goal is to ensure the continuity of critical processes by setting requirements for ICT risk management, including third-party ICT. The underlying idea is that the financial sector has become increasingly dependent on information technology and digital information, which has also increased the risk. The new regulation aims to minimize the chance of disruptions to the financial system.
Organizations falling under DORA must test their digital resilience and exchange information about incidents and threats with each other and regulators.
The regulation comes into effect on January 1, 2025.
Data Act
The Data Act applies to any company that collects data or sells smart devices.
The Data Act ensures that consumers retain control over their own data. EU rules will be established on who has access to and can use data from smart devices (Internet of Things). This gives consumers and businesses more control and the ability to switch between cloud services or connect services.
The EU Data Act also establishes rules for data sharing, including fair compensation to companies for making data available, proper dispute resolution, and addressing any unfair contract terms.
Mechanisms will be established for government agencies to use data in emergencies. Finally, the Data Act will include rules to promote interoperability.
The goal is for the Data Act to come into effect around mid-2025.
AI Act
The AI Act applies to providers of AI services and products.
The purpose of this law is to promote innovation in a safe manner by setting conditions. The European Parliament emphasizes that AI systems must be safe, transparent, traceable, non-discriminatory, and environmentally friendly. Human oversight is advocated to prevent harmful consequences.
The AI Act classifies AI systems based on the risk they pose to users, and obligations are imposed accordingly.
Systems posing an unacceptable risk, such as those for behavior manipulation or social scoring, are prohibited. High-risk systems are subject to requirements such as conformity assessments, the use of high-quality data, and explainability of decisions. Systems with low or minimal risk face milder requirements, primarily related to transparency, such as disclosing that content was generated by AI when using ChatGPT.
An agreement on the text of the law was reached at the end of 2023. The European Parliament still needs to formally vote on it, so it is not yet clear when the AI law will come into effect.
European Health Data Space (EHDS)
A relatively recent initiative is the European Health Data Space (EHDS). The goal is to better utilize the potential of health data, primarily applicable to healthcare organizations and providers of electronic patient records.
EHDS has two pillars:
- Supporting individuals in managing their health data. EU citizens should be able to access their health data immediately and free of charge.
- Promoting the use of health data for better healthcare, research, innovation, and policymaking. Healthcare organizations will need to share their data in anonymous form.
Another goal is to make smartwatches and patient records interoperable.
The legislative process has just begun and will take shape over the coming years.
Conclusion
The European legislative agenda brings about significant changes. It is crucial to closely monitor the laws and legislative initiatives mentioned above, as well as their implementation.