William Fry’s tech experts explore the major legal topics and reforms that businesses need to be aware of this year.
As companies begin a new year, in addition to changes to existing technology and privacy frameworks, there is a significant development which needs to have a prominent place in 2024 business planning – the seismic shift in technology regulation represented by the EU’s Digital Reforms Package. This package is already underway and represents an overhaul of the legal and regulatory rules governing how companies (in particular, technology companies) do business in and through Europe.
The EU’s Digital Reforms Package covers the areas of AI, content, data, cyber and platforms and continued data protection regulation and enforcement. In some areas, the EU is introducing ‘first-of-a-kind’ laws (eg AI, content and platforms); while in others, it is building on existing rules (eg cyber and data protection). As with the EU’s flagship privacy law, the GDPR, these new laws are expected to lead the way in influencing new global standards.
The new laws aim to drive innovation for companies and increase protections for EU citizens. However, they will also present challenges for businesses given their complex and multilayered impact. Leveraging GDPR compliance, starting a roadmap to readiness and ensuring board-level involvement will get any business off to a solid start.
Data protection: a new regulator, more reforms and continued enforcement
We will see the end of Helen Dixon’s trailblazing term as Ireland’s privacy regulator. After her 10 years at the helm of European data protection regulation, a new commissioner or commissioners (currently unknown) will be appointed to the Data Protection Commission of Ireland. Given Ireland’s position as the lead privacy regulator for many EU-based tech companies, this anticipated development is being closely monitored, particularly to gauge whether it will mark a new approach and appetite for data protection supervision and enforcement in Ireland and the EU.
The new ‘GDPR Procedural Regulation’ is also on the table of proposed legislation in 2024. Almost six years into the GDPR’s regime, this regulation is intended to streamline enforcement of the GDPR by standardising cooperation between the EU’s privacy regulators in cross-border cases (eg data subject complaints and investigations) – an often-thorny issue, as showcased in 2023, due to certain tensions created by the GDPR’s ‘one-stop-shop’ mechanism.
Enforcement of the GDPR remains a steadfast priority for European privacy regulators. Businesses of all sizes can expect to see privacy regulators continuing to use their powers (such as orders suspending processing) and a continued growth in the rich body of case law, guidance and decisions on the GDPR’s rules. Businesses can also forecast a persistence in privacy-related litigation by individuals seeking damages against businesses for breaches of the GDPR. While damages awarded by national courts have (to date) been low, the legal costs and associated reputational impacts are issues of which businesses need to be cognisant as we move towards this next era of data protection regulation.
Online reforms and increased regulation
Content – Digital Services Act (DSA)
The DSA is designed to ensure a safer digital space, with a particular focus on the responsibilities of online platforms. Already in force for large online platforms and search engines, it mandates enhanced transparency in online advertising, algorithms (recommender systems), and content moderation processes. This requirement for transparency not only necessitates technological investment in content moderation tools but also a re-evaluation of digital strategies to align with these new norms.
Platform – Digital Markets Act (DMA)
The DMA is targeted at major tech companies referred to as ‘gatekeepers’. It seeks to ensure fair competition in the European digital market. It imposes rules to prevent these companies from abusing their dominant positions, which includes prohibitions on preferential treatment of their own services. This Act compels large platforms to re-assess their business models and operational practices to avoid hefty penalties. The impact is particularly significant for multinational companies, which may have to modify global strategies to comply with European standards.
Together, the DSA and DMA require companies to effect new processes, procedures, terms and conditions, and compliance monitoring at a level previously not seen.
Data – AI and new compliance requirements
The Artificial Intelligence Act (AI Act) represents a significant regulatory development and is the first of its kind in regulating AI. It categorises AI systems based on their risk to health, safety and fundamental rights, with stringent requirements for high-risk AI systems. The AI Act is sector-agnostic; it will mandate companies to conduct in-depth risk assessments and conformity assessments and to adhere to strict compliance requirements, including transparency and data governance protocols. This necessitates a significant investment in compliance infrastructure and could potentially slow down AI innovation and deployment. Recent legislative developments in the EU suggest that only six months (ie mid to late 2024) will be allowed for compliance with the obligations on prohibited systems, and only 12 months for general purpose AI systems, like large language models.
Cybersecurity – enhanced rules
The Cyber Resilience Act (CRA) is focused on cybersecurity and demands robust security standards for digital products, including IoT [internet of things] devices. It requires companies to adopt comprehensive cybersecurity measures throughout a product’s lifecycle, from design to disposal. The implications are vast, particularly for manufacturers and suppliers of digital products, who must integrate advanced cybersecurity features and ensure continuous monitoring and updates.
The Network and Information Security 2 Directive (NIS2D) will also take effect in 2024. NIS2D marks the EU’s commitment to binding legal measures which boost the overall level of cybersecurity within the European bloc. It modernises the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.
Path forward for 2024
The EU Digital Reforms Package and changes to existing frameworks will demand direction and oversight from boards and management teams; investment in adequate resources; planning and allocation of legal budgets; and a multidisciplinary approach, in order to meet compliance standards. In particular, these new legal rules need to be translated into business opportunities for boards and management teams so that the opportunities they bring can be quantified.
Companies affected by the package are dealing with not just one new law, but multiple laws affecting their processes, procedures, revenue and compliance risks. Now is the time for businesses to begin navigating the impacts of the package on their operations – be that on specific products, services or AI systems. Many companies are, and have been, triaging how this package will affect their business and are proactively benchmarking their readiness projects early, learning from and leveraging their experience with the GDPR.
By Leo Moore, Barry Scannell and Rachel Hayes.
Leo Moore is a partner and head of William Fry’s technology group. Barry Scannell is a senior solicitor and consultant in William Fry’s technology department. Rachel Hayes is a senior associate in William Fry’s technology department.