Data Protection Day

28 January 2025



Navigating privacy in an era of disruption

To mark this year’s Data Protection Day, our Privacy and Data lawyers reflect on the state of privacy in today’s ‘intelligent age’. In the wake of innovative technologies such as GenAI and the competition for valuable data intensifying, it is imperative for businesses to get data protection right.


Introduction

Businesses today face a range of disruptive factors while under constant pressure to deliver top performance. For most executive leaders, geopolitical conflicts, cyber risks and technological disruption represent the key threats to their organisations over the next 12 months, according to PwC’s 28th Annual Global CEO Survey.

In a bid to stay competitive, CEOs are taking significant actions to change how their companies create and deliver value, whether by competing in new sectors or by developing innovative products and services. However, the rapid pace of change in the digital and AI landscape has introduced a number of data protection challenges for organisations, and concerns for consumers. Supporting innovation with an effective privacy strategy will be critical to ensuring trust while unlocking technology’s full potential.

[Chart: “To what extent has your company taken the following actions in the last five years?” Source: PwC's 28th Annual Global CEO Survey]

In this context, we highlight below the key data protection considerations that will help your organisation prepare for its upcoming digital and business reinvention challenges.

Data protection remains a key enabler for successful tech adoption

Artificial Intelligence (AI) has only recently appeared on executive agendas, yet organisations around the world are already adopting it at scale after experiencing its transformative value. That said, AI can also raise ethical and regulatory risks when implemented incorrectly, which prompted the EU to get on the front foot and adopt a comprehensive regulation governing AI systems and models. The overlap with the General Data Protection Regulation (GDPR) is also apparent wherever AI systems and models use personal data.

In December 2024, the European Data Protection Board (EDPB) adopted its opinion on the use of personal data in the context of AI models, stressing that where a controller relies on its legitimate interests as a legal basis, the obligation to carry out and document a three-step legitimate interest assessment (to determine whether it is in fact an appropriate legal basis) remains crucial. The EDPB also reminds controllers that if the purpose of the AI system can be achieved without processing personal data, ‘then processing personal data should be considered as not necessary’. Similarly, in April 2024 the French regulator published a series of recommendations on the development of AI systems, providing detailed guidance on complying with the principles of purpose limitation, transparency and accountability.

Regulators are also ramping up technology-related enforcement action. The Dutch regulator fined Clearview AI €30.5 million last September because its facial recognition technology did not comply with the principles of transparency and lawfulness. The Italian data protection authority, the ‘Garante per la protezione dei dati personali’, imposed a sanction of €15 million on OpenAI for, inter alia, failing to notify it of a personal data breach and processing personal data to train its GPT model without an appropriate legal basis.



Your next move:

Technology’s disruptive potential is high, and its impact can help organisations achieve unprecedented efficiency and profitability. To realise these gains, a comprehensive and systematic approach to the GDPR is required so that businesses can innovate with confidence. In particular, prioritising effective policies and notices, conducting thorough data and risk mapping exercises and building workforce awareness should prove to be no-regret moves in the long term.


The GDPR is a challenging framework, and one that is in constant development

The GDPR is subject to ongoing interpretation and guidance by various actors, such as the EDPB, the Court of Justice of the European Union (CJEU) and national regulators. Accordingly, it is imperative for organisations to stay informed and up-to-date on such a dynamic data protection landscape.

In the case of ND v DR (Case C-21/23), for instance, the CJEU was asked to determine, inter alia, whether personal data (such as name, delivery address and product details) entered online by customers ordering pharmacy-only medicines amounted to health data under Article 9(1) of the GDPR. The CJEU ruled that such data does indeed qualify as ‘data concerning health’ under the GDPR, on the basis that:

  1. a broad interpretation is required to ensure a high level of protection of the fundamental rights and freedoms of natural persons (especially for sensitive information); and

  2. “even if such medicinal products are intended for persons other than the customers, it may be possible to identify those persons and draw conclusions about their health status”.

Moreover, in the case of Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (Case C-621/22), the CJEU was asked to interpret what constitutes a legitimate interest under the GDPR. Specifically, the KNLTB (the Royal Dutch Lawn Tennis Association) had shared its members’ personal data with two sponsors in exchange for payment, arguing that the sharing was carried out on the basis of its legitimate interest. The CJEU held that a legitimate interest ‘is not limited to interests enshrined in and determined by law’ but must rather be a lawful interest. It then ruled that a commercial interest ‘which consists in the promotion and sale of advertising space for marketing purposes’ can be considered a legitimate interest provided that the necessary safeguards are in place.



Your next move:

Aside from the GDPR, businesses are also affected by a wider nexus of guidelines and interpretations related to data protection. These sets of rules can create new opportunities or risks and alter business imperatives. Management should therefore be receptive to privacy trends and keep up to date with them, and it is imperative to understand how changing interpretations and regulations may affect the business.


Data and digital regulations are evolving. A coherent compliance strategy should be favoured over siloed practices.

Technology is fast-moving, and while it is creating many opportunities for innovation, this constant evolution has also brought about a multifaceted regulatory environment that European organisations must get right.

Besides the GDPR, organisations also need to understand the interplay between the applicable data protection rules (such as those governing consent) and the provisions of the ePrivacy Directive when deploying tracking technologies such as cookies and beacons on the terminal equipment of end users. In October 2024, the EDPB revisited its Guidelines 2/2023 on the ePrivacy Directive in light of new tracking methods and tools such as ‘intermittent and mediated Internet-of-Things (IoT) reporting’.

The cyber regulatory landscape has also undergone a major shift since the NIS2 and CER Directives entered into force, key rules which aim, respectively, to enhance cyber risk management requirements and to strengthen critical infrastructure against physical threats. On 17 January 2025, the Digital Operational Resilience Act (DORA) began to apply to in-scope European financial entities, requiring them, inter alia, to maintain a robust third-party risk management framework through appropriate contractual clauses and registers of information.

The Digital Services Act (DSA) and the Digital Markets Act (DMA) are legislative initiatives that seek to create a safer and more equitable digital space. While the DSA focuses on increasing transparency and accountability of intermediary service providers such as online platforms, the DMA aims to prevent anti-competitive practices by large digital gatekeepers. Together, these acts form part of the EU’s Digital Services Act Package.



Your next move:

A siloed approach to the current regulatory landscape will stretch in-house compliance teams thin and result in labour- and cost-intensive exercises. A comprehensive compliance framework, on the other hand, should ensure alignment across the various regulations, help identify regulatory risks to the organisation early on, and enable the organisation to manage those risks effectively and efficiently.


Contact us

Mark Lautier

Partner, PwC Malta

Tel: +356 2564 6744

Lee Ann Agius

Senior Manager, Tax, PwC Malta

Tel: +356 7973 6159

Claire Balzan

Manager, Tax, PwC Malta

Tel: +356 2564 2410
