2024 is set to be a year of significant change. Geopolitical change. Technological change. Social change. While change can, of course, be an opportunity to do things better and that should be our constant aspiration, the changes ahead will bring considerable challenges – many outside our control and some within our control. Those of us working in data protection, privacy and cybersecurity will find ourselves at the forefront of this process and face some real tests of knowledge and good judgment. The issues before us may sometimes appear disguised as technical legal conundrums, but their real-world implications will transcend legal theory and affect everyone’s lives and reality. Here are some of the big challenges that we are going to have to tackle:
- Justifying evolving data processing activities – As uses of data become more creative and ambitious, finding a justifiable legal basis for that processing will be a constant and elusive exercise, particularly given the increasingly restrictive interpretations of “contractual necessity” and “legitimate interests”. We will need to operate within the boundaries set out by courts while continuing the debate with policy makers and regulators.
- Narrowing role of vendors as processors – The growth and creativity in the uses of data for things like machine learning and product improvement are testing like never before the role of service providers as humble processors. The instinctive thinking may be to move into a controllership situation where those service providers become masters of their own data processing activities, but this brings with it some challenging situations to overcome given the lack of a relationship with data subjects. Therefore, exploring the boundaries of what a processor can do with data while still being a processor will be a constant task.
- Weaponisation of rights – In a world where polarisation is the order of the day, relying on data subjects’ rights as a tool to fight wider causes, which may have little to do with the protection of data, is an obvious reality. Regulators will be a victim of this trend as much as organisations acting as controllers. The question will be how to ensure that data protection rights are properly honoured without diminishing their crucial value.
- Hostility towards automated decision-making – When the Court of Justice of the EU (CJEU) takes a particularly strict view on a data protection issue, you know this is going to attract the regulators’ attention. The recent CJEU jurisprudence on automated decision-making that significantly affects individuals is bound to do exactly that precisely at the time when this type of practice grows exponentially. Expect a toughening of approach on any uses of technology that may be seen as blind reliance on the “computer says no” doctrine.
- Regulators becoming legislators - A particularly growing trend in the US, facilitated by various state privacy laws, will likely amplify the effect of emerging legislation in this space. From California to New Jersey and beyond, we are going to see local regulators adopting a creative approach to their function and passing their own home-made regulations. Just being up to speed with these new rules will be a job in itself, let alone complying with them.
- Global data flows in an increasingly autocratic world - The EU-U.S. Data Privacy Framework may have taken off some of the immediate pressure affecting Transatlantic transfers of personal data, but the hard core interpretation of Schrems II has not gone away. Apply that thinking in today’s context of autocratic leaders and governments seeking unrestricted access to data and the picture is not pretty. Are we heading towards an environment of generalised distrust on the global sharing of data? That is a question that we will be grappling with for the foreseeable future.
- Mastering DPIAs - Judging by how privacy regulators are approaching pretty much every investigation, having a solid and compelling story to tell as demonstrated by a well-reasoned DPIA is an absolute priority. In practice, that means deploying a system that spots when to do a DPIA and being as robust as possible in the assessment itself. The importance of DPIAs as a tool to identify data protection risks and address any weaknesses cannot be overemphasised. Those who master the art of doing DPIAs will be the true privacy gurus.
- Transition of privacy accountability towards AI governance – And then, the biggest topic of our time: AI. All signs seem to indicate that privacy and data protection professionals are going to end up taking a leading role in managing AI regulatory compliance. This is a new area of governance which appears so close and yet so far from the issues we are used to dealing with. Many transferable skills will need to be applied to a completely new set of requirements. The challenge here is truly served.
So as the year progresses and the shaky reality of the world engulfs us, each of us will play a significant role in getting these issues right. And while there is always room for debate and the positions may not necessarily be aligned, we must remember that it is in everyone’s interest to find a workable path to these challenges. Extreme positions in any debate are usually the loudest but hardly ever the correct or most helpful ones. The greater our dose of responsible pragmatism in addressing the privacy governance challenges in front of us, the greater our chances of success will be.
This article was first published in Data Protection Leader in January 2024
Senior Privacy Manager @ Grammarly | AIGP, CIPP/E/US/C, CIPM/T, CDPSE, CDPO | LLB Candidate
9 months ago
Thank you for sharing your thoughts, Eduardo Ustaran! The DPIA part is exciting as it requires more and more granular judgment considering the variety of different DPAs' perspectives on, for example, the legal basis for processing in a world where [to your point 1] data processing activities are evolving every day. Also, the DPIA part sounds like an interesting start-up idea :)
Thank you, Eduardo Ustaran, for another insightful piece. I wish to remind readers not to consider AI a privacy-only issue, as some tend to do. AI tools affect far more than personal data, and developing sensible guardrails on their use and development should involve more than your privacy leaders.
VP, Chief Privacy Officer at Trūata/ CIPP/E, Chairperson of the Open Data Governance Board in Ireland
9 months ago
Insightful article. Your final sentence really resonates. "The greater our dose of responsible pragmatism in addressing the privacy governance challenges in front of us, the greater our chances of success will be". Could not agree more. Hopefully 2024 will be the year where pragmatism has the edge.
IP, IT & Privacy Partner at Marval O'Farrell Mairal - Executive Committee ITechLaw Association - Research Advisory Board IAPP - Director Tech, Law and Corporations postgraduate course at Universidad Torcuato Di Tella
9 months ago
Thanks for sharing, Eduardo.