Foresight is crucial in a fast-moving field like data protection. So as 2023 draws to a close, the web is becoming saturated with privacy predictions for next year.
But let’s put the crystal ball aside and consider some events that are unlikely to occur in 2024, with a focus on US privacy law, transatlantic data flows, and AI regulation.
1. The US probably won’t pass a Federal Privacy Law
Make no mistake—the US is getting serious about privacy. Here are just some of the US state privacy laws taking effect in 2024:
- 31 March: Washington My Health My Data Act
- 31 March: Nevada’s SB370 (health privacy law)
- 1 July: Texas Data Privacy and Security Act
- 1 July: Oregon Consumer Privacy Act
- 1 July: Colorado Privacy Act “universal opt-out” provisions
- 1 July: Florida Digital Bill of Rights
- 1 October: Montana Consumer Data Privacy Act
- 1 October: Connecticut Data Privacy Act children’s privacy provisions
Combined with possible enforcement action under the five state privacy laws enacted throughout 2023 (in California, Virginia, Connecticut, Colorado, and, as of 31 December, Utah), US businesses are in for a busy year.
A federal privacy law would apply the same baseline requirements across the entire US, alleviating some confusion and uncertainty for businesses operating in multiple states.
But for several years running, federal politicians have failed to agree on such a bill. And given the divided state of US politics, those disagreements are unlikely to be resolved in 2024.
Throughout next year, businesses will continue having to navigate an ever-increasing number of state and sectoral privacy requirements.
2.The EU-US and UK-US Data Transfer Frameworks probably won’t be invalidated
Washington and Brussels ended three years of legal limbo this July when the EU-US Data Privacy Framework (DPF) finally took effect. In October, the UK piggybacked off the European Commission’s hard work with its “UK-US Data Bridge”.
But many European and US businesses are hesitant to rely on the DPF given the fate of its predecessors, the “Safe Harbor” and “Privacy Shield” frameworks, both of which were invalidated following complaints by Austrian privacy campaigner Max Schrems.
From the outset, Schrems has been clear that he plans to take on the DPF as well. But he appears not to have submitted his complaint yet, and the case should take several years to reach the Court of Justice of the European Union (CJEU) in Luxembourg.
Another privacy enthusiast, French politician Philippe Latombe, has attempted a fast-track route to invalidate the DPF via a judicial review of the European Commission’s adequacy decision. But similar cases have previously failed, and Latombe’s is off to a shaky start.
And the UK’s “Data Bridge” is, in this respect, entirely separate from the EU’s adequacy decision. Schrems can’t touch UK law, and the US Department of Commerce could keep the DPF running for UK organisations even if EU businesses can’t use it.
So, while there’s nothing wrong with taking a cautious approach, don’t expect transatlantic data transfers to be disrupted again in 2024.
3.Nobody will be fined for violating the EU AI Act
Contrary to some reporting on the topic, the EU AI Act has not “passed”.
The EU’s Council and Parliament have struck a provisional deal on how the law should look, but technical issues remain to be ironed out, and we don’t yet have the final text.
We know that the AI Act’s risk-based approach remains, that the law will apply to users of AI systems as well as their developers and distributors, and that certain AI practices will be prohibited entirely.
With fines of up to 7% of global annual turnover on the table, it’s not surprising that businesses are eager to understand the rules. It will likely be at least 2026 before the AI Act becomes enforceable, but there’s plenty of work to do before then.
Several respected standards bodies have published voluntary AI frameworks, and laws such as Biden’s executive order on AI and California’s automated decision-making rules should start to kick in before the EU takes action under its new regulation.
So, while EU AI Act enforcement remains a distant threat, there’s no better year than 2024 to address AI governance in your organisation.
As a global B Corp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed.