Privacy + Data Security Predictions for 2024
The Morrison Foerster Privacy + Data Security team is unmatched in its ability to provide creative and practical advice concerning all stages of the information life cycle, from counseling on compliance with complex privacy laws, to resolving breach situations, to litigating privacy and data security claims and defending enforcement actions. We tapped our Privacy team—thought leaders in the field—to get their opinions on what is likely to happen in the privacy and data security sector in 2024.
Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
Cyber crime is becoming a volume business. Despite the promises of cyber criminals to delete stolen data, we expect that re-extortion over exfiltrated data by cyber criminals will increase in 2024.
Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
By October 2024, EU member states will need to have transposed the NIS 2 Directive into their national laws. NIS 2 introduces a number of cybersecurity obligations, both with regard to security as well as reporting of incidents. In addition, NIS 2 significantly broadens its scope of applicability as compared to its predecessor. Companies in affected sectors will want to take note of the national implementations as they become required over the course of 2024.
Michelle Si-Ting Luo (Technology + Transactions, Privacy + Data Security) – Prediction for the year ahead:
Next year, EU Member States will begin national implementation of the NIS 2 Directive to meet the October 17, 2024, deadline. Both EU and non-EU based organizations will have to come to grips with the widened scope of NIS 2—figuring out whether NIS 2 applies to them (or whether it can indirectly affect them through an in-scope, third-party organization’s supply chain obligations) and tightening up their cybersecurity practices where needed.
NIS 2: A sequel worth watching
European Digital Compliance: Key Digital Regulation and Compliance Developments
European Digital Compliance: Key Digital Regulation and Compliance Developments Part 2
Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
The EU’s draft Cyber Resilience Act (CRA) is expected to gain further traction during 2024. The CRA is intended to bolster the cybersecurity posture of connected products and services placed on the EU market, which includes both B2B and B2C as well as components. Once finalized, the CRA will provide for a transition period, but companies will still want to take note of how the new cyber framework is shaping up to account for applicability as well as requirements.
Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
The new SEC cybersecurity rules which come into force in December 2023, plus the SEC’s SolarWinds complaint will continue to create concerns from CISOs, senior management, and boards of directors regarding the level of detail to disclose in annual filings and the amount of information to share with the board, and may result in less useful information being shared with investors.
Jasmine Arooni (Privacy + Data Security) – Prediction for the year ahead:
Building a strong privacy communications strategy will become increasingly important for large organizations in light of a growing number of data breaches. More organizations will begin taking a proactive approach to data breach response communications through collaborative efforts between legal, information security, communications, and leadership teams in order to prepare for data breaches before they emerge. We expect organizations will continue to proactively establish data breach communication strategies and engage in active collaboration between legal, information security, communications, and leadership teams in preparation for data breaches.
Haimavathi Marlier (Securities Litigation, Enforcement, and White-Collar Defense; Privacy + Data Security) – Prediction for the year ahead:
In 2024, we will see an increase in SEC enforcement actions based on cybersecurity incident practices and risk disclosures, as well as disclosure and other internal controls related to cybersecurity escalation and reporting. The SEC’s SolarWinds enforcement action signals a move away from the SEC’s historic focus on whether individual customer PII was accessed during a cyber incident to an industry focus on cyber disclosures and risks by tech companies that provide software and other solutions to customers. I expect that we will also see changes in how public companies describe their cybersecurity incidents, practices, and risks as they begin to comply with the SEC’s now-final rule for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
Top 5 SEC Developments | Morrison Foerster (mofo.com)
SEC Adopts Cybersecurity Disclosure Rules | Morrison Foerster (mofo.com)
The SEC Expands Focus on Cybersecurity Risk | Morrison Foerster (mofo.com)
Communicating with the SEC | Morrison Foerster (mofo.com)
Damian Mencini (Privacy + Data Security) – Prediction for the year ahead:
As the number of connected and electric vehicles continues to climb around the globe, we expect to see increases in (i) targeting of auto manufacturers, supply chains, and infrastructure for cyber attacks, (ii) regulatory requirements focused on automotive data privacy, and (iii) law enforcement requests for automakers to provide driver and vehicle-related information.
Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
The wave of laws regulating AI around the world is coming. We will continue to see more U.S. states adopt omnibus state privacy laws and laws specifically aimed at regulating AI.
Mary Race (Privacy + Data Security) – Prediction for the year ahead:
2023 saw a flood of new state consumer privacy laws and 2024 looks to follow suit. Privacy laws in Florida, Tennessee, Montana, Oregon, and Texas come into effect next year, along with new regulations under existing California and Colorado laws. Look for other states to jump in and pass their own privacy laws in 2024 and watch for regulatory activity around these state laws to pick up pace. It can feel overwhelming, but there’s some good news – most of these laws are similar in scope and obligations, so compliance efforts can be streamlined.
Join our webinar, State Privacy Law Round-Up: What’s in Store for 2024 (and Beyond), on January 30, 2024, to learn more about these laws and key action steps for businesses.
Annabel Gillham, Mercedes Samavi, Dan Alam (Privacy + Data Security) – Prediction for the year ahead:
Having assessed industry reactions to the Children’s Code, the UK Information Commissioner’s Office will ramp up efforts to monitor and enforce against noncompliance and also identify any areas that need additional regulatory guidance or alignment with other regulators.
Annabel Gillham, Mercedes Samavi, Dan Alam (Privacy + Data Security) – Prediction for the year ahead:
The UK’s Online Safety Act recently came into force. It requires user-to-user services and search engines to take steps to protect users against illegal content and content deemed “harmful to children.” In-scope businesses should pay close attention to new guidelines and codes from Ofcom (the UK’s communications regulator tasked with oversight of the Act), as this will provide key direction for how organizations can comply with the Act.
Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
In 2024, a main focus of regulatory and supervisory authorities around the world will be children’s online safety and they will clamp down on digital service providers not implementing appropriate age checks. A watershed moment was May 22, 2023, when the U.S. Surgeon General, special advisor to President Biden, as well as the White House, issued parallel public warnings that the United States is experiencing an unprecedented youth mental health crisis and there is undeniable evidence that social media use has contributed to this mental health crisis, flagging that current controls on access by children are not working and the minimum age requirements are easily circumvented. With mounting evidence, watertight age checks will become a prerequisite to avoid liability.
Julie O'Neill (Privacy + Data Security) – Prediction for the year ahead:
So many states are passing legislation – or bringing lawsuits – aimed at protecting children that 2024 may be the year that we see a federal children’s privacy law that eclipses COPPA.
Elisabeth (“Liz”) Hutchinson (Privacy + Data Security) – Prediction for the year ahead:
The litigation trend concerning the use of marketing technologies being challenged as illegal “wiretapping” will continue to grow. We saw it first with website AdTech such as session replay, cookies/pixels, and chatbots, and we expect the plaintiffs’ bar will continue to broadly test marketing and other online technologies relating to personal information.
Marijn Storm (Privacy + Data Security) – Prediction for the year ahead:
In 2024, there will be a global trend towards more comprehensive and nuanced regulation to ensure the ethical use, privacy, and security of AI. As more and more companies use AI, they will be confronted with various standards for transparency, accountability, and fairness, which will require companies to be innovative in order to comply with them.
Marijn Storm (Privacy + Data Security) – Prediction for the year ahead:
In 2024, the EU AI Act will be finalized but will be in its transition period and not enforced yet. In this period, companies will face anticipatory compliance questions. EU data protection authorities will likely begin urging companies to already meet the EU AI Act’s material requirements, based on the GDPR requirements for fair, lawful, and transparent use of personal data in AI processes. Companies adapting early to these rigorous standards will be able to navigate the evolving regulatory landscape more efficiently, while embedding robust data ethics in their day-to-day operations.
Linda Clark (Privacy + Data Security) – Prediction for the year ahead:
Chief Information Security Officers and their teams will be eager to look into how AI can be used to enhance an organization’s detective and preventative capabilities, and regulators will begin to wrestle with the privacy implications of the implementation of this technology—with inconsistent approaches around the globe—creating a need for organizations to determine a consistent compliant approach.
Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
With all eyes on GenAI, some think the metaverse is sinking, while actual numbers show the various metaverse worlds keep steadily growing. In the metaverse, we will see security‑by‑design requirements extending to safety by design, where security breaches in the metaverse lead to new risks to the safety of users. Hardware (like headsets) can be weaponized by bad actors to physically harm users. Sexual harassment and grooming are already issues on current digital platforms, and “groping” in virtual reality can be interpreted by our brains as an actual threat and equally traumatic. In other words, we will see security by design extending into the broad assessment of safety by design.
Jasmine Arooni (Privacy + Data Security) – Prediction for the year ahead:
Threat actors will use AI to carry out more complex and sophisticated phishing attacks, which will allow them to diversify the way they carry out phishing schemes (i.e., by using a voice) and make phishing more difficult to detect. Companies will have to update employee training on phishing accordingly to keep pace with the risk of advanced AI attacks.
Jasmine Arooni (Privacy + Data Security) – Prediction for the year ahead:
We will see companies start to utilize their bug bounty programs to the fullest extent and offer larger payouts for the discovery of vulnerabilities specific to artificial intelligence.
Jasmine Arooni (Privacy + Data Security) – Prediction for the year ahead:
New attack vectors will become prominent with the growing attention to AI. For example, threat actors will start tampering with AI training data to affect the outcomes of the model’s decision‑making processes. Such “data poisoning” attacks could cause incorrect or biased outputs for AI trained with the “poisoned” data.
Michael Burshteyn (Privacy + Data Security Litigation) – Prediction for the year ahead:
Abuse of AI platforms will grow in 2024 due to their increasing adoption and use. Scammers, criminals, and fraudsters will also leverage AI to scale their efforts to abuse traditional social media and online platforms as well. This escalation will create challenges for trust, safety, and platform enforcement teams as they design and operate new AI and other Internet products. We will see offensive litigation in this area. Issues around terms of use violations, content moderation, online trespassing, and the Computer Fraud and Abuse Act—previously litigated in the traditional web context—will come around again through these new lenses.
Michael Burshteyn (Privacy + Data Security Litigation) – Prediction for the year ahead:
2024 will be the year of bot-on-bot attacks and litigation. AI is unleashing armies of bots trading in traditional and crypto markets. Nefarious actors will leverage their own bots to manipulate those of their competitors, and seek to misappropriate sensitive data and funds. This will create a new paradigm for security controls, investigations, and litigation.
Yukihiro Terazawa (Privacy + Data Security) – Prediction for the year ahead:
In 2023, the Personal Information Protection Committee (PIPC) announced a written heads-up notice regarding generative AI services and thermal camera users. PIPC has kept its eyes on new technologies and new services to determine where personal information may be misused or used for purposes other than those originally disclosed to the data subjects. PIPC has acknowledged that guidelines for the new technologies/services will be necessary at the next G7 meeting, but it has not issued guidelines for generative AI, while it did issue guidelines for thermal camera users in 2023. Therefore, we expect that PIPC will issue certain guidelines for generative AI in 2024 and enforce its power over the new service providers, such as generative AI service providers and/or thermal camera operators, once those service providers have violated the 2023 guidelines.
Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
In 2024, we will see the trend of “responsible tech” coming into its own. Where privacy specialists focus on the specific AI regulations and guidance popping up around the world, the investment community is focused on incorporating ESG criteria into their investment screening and due diligence processes, requiring their portfolio companies to integrate social, environmental, ethical, consumer, and human rights concerns into their business strategies and operations. The privacy community will have to be able to translate privacy and security requirements into “responsible tech,” which is way beyond mechanical compliance with specific statutory data rules but is about the ability to mitigate business risk in novel areas where regulatory approaches have not yet coalesced.
Lokke Moerel (Privacy + Data Security) – Prediction for the year ahead:
Despite the U.S.-EU Data Transfer Agreement, 2024 will again see data transfers enter the political arena. The upcoming EU Data Act will provide an even stricter data transfer regime for regular data, and the draft European Cybersecurity Certification Scheme for Cloud Services (EUCS) basically provides for data localization requiring that all data, including diagnostic data, must be hosted in the EU. Things may get worse, as the EUCS currently also requires European customers to use European cloud providers by imposing mandatory nationality requirements for cloud services in specific circumstances. This is in line with the French CNIL interpreting the GDPR as imposing such requirements on cloud use by the public sector in France. Establishing certification under the EUCS will be a necessity to serve customers in critical infrastructure sectors under general EU cybersecurity legislation, such as the NIS2 Directive.
Marta Hovanesian (Privacy + Data Security) – Prediction for the year ahead:
The year 2024 is going to be a big year for the new EU data regulations. All obligations under the Digital Services Act (DSA) will start to apply to intermediary services (e.g., online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms) as of February 17, 2024. Known as the regulation for content moderation on social platforms, the DSA also includes obligations for increased transparency around automated decision-making and profiling and stricter rules related to advertising.
Marta Hovanesian (Privacy + Data Security) – Prediction for the year ahead:
Companies that are designated as “gatekeepers” under the Digital Markets Act (DMA) will also have to start complying with the obligations of the DMA as of March 2024. The DMA includes consent requirements for combining or cross-using personal data, or using personal data from third parties, for the purpose of providing online advertising services and requirements around profiling activities, as well as additional data portability and access requirements for businesses and end-users.
Marta Hovanesian (Privacy + Data Security) – Prediction for the year ahead:
Data-driven tech companies will want to take note of the final text of the Data Act, which is expected to be adopted in 2024. The Data Act includes obligations for companies that provide connected products (i.e., products that can communicate data) or related services to provide access to data generated by the use of their connected products.
Marta Hovanesian (Privacy + Data Security) – Prediction for the year ahead:
In the last quarter of 2023, the UK’s ICO took measures to speed up the approval process of Binding Corporate Rules (BCRs) for companies that already have approved BCRs for the EU. Those companies can either (1) self-certify that their UK BCRs comply with the relevant requirements under the UK GDPR or (2) append a UK BCRs Addendum to their EU BCRs. We will find out in 2024 whether these new instruments will lead to an increase in approved UK BCRs and a more harmonized approach between EU and UK BCRs. On the EU front, we expect the EU regulators to publish a new application form and requirements table for processor BCRs.
Alja Poler De Zwart (Privacy + Data Security) – Prediction for the year ahead:
With the national implementation of the EU Whistleblowing Directive hurtling towards the finish line, organizations in scope now need to prepare for the next phase of regulatory guidance and possible enforcement by the newly established whistleblowing authorities in various EU Member States. This means regular monitoring of national developments and strategic adjustments/updates to the hotline’s reporting intake and subsequent handling of reports. Organizations will also be taking a closer look at their anti-retaliation policies and whether additional training is needed to ensure the workforce does not unintentionally retaliate against whistleblowers. Perceived retaliation is an issue that needs to be taken care of in 2024.
Alja Poler De Zwart (Privacy + Data Security) – Prediction for the year ahead:
Historically, organizations have received limited numbers of whistleblowing reports. If 2023 is a marker for what is to come in 2024, organizations can expect either a steady or a substantial rise in the number of such reports. This means organizations should ensure that their current processes and procedures can support more investigations per year than they needed to previously. Whether 2024 is the year where whistleblowers will start discovering the benefits of the internal reporting system remains to be seen. But organizations should also prepare for whistleblowers preferring the external hotlines of the newly established whistleblowing authorities, and subsequent queries from such regulators.
Whistleblowing Resource Center | Morrison Foerster (mofo.com)
Alja Poler De Zwart and Marijn Storm (Privacy + Data Security) – Prediction for the year ahead:
Organizations are looking at the possibilities of using artificial intelligence in the context of whistleblowing and internal investigations. They focus on using AI for locating and extracting information, protecting whistleblowers’ identities, communicating with whistleblowers, identifying potential retaliation, etc. Such AI use will likely take flight in the coming years, although it is questionable whether any AI will be up to the task in 2024. This process will confront organizations with a host of new issues, including incorrect or incomplete AI outputs that can be detrimental for the integrity of investigations. The AI compliance programs need to address the issues in a strategic and thoughtful manner.
Artificial Intelligence (AI) | Morrison Foerster (mofo.com)
Alja Poler De Zwart and Marijn Storm (Privacy + Data Security) – Prediction for the year ahead:
With the growing number of laws, guidance, and caselaw around the world, organizations need to take a closer look at the rules for cookies and similar technologies. To date, many organizations have mostly focused on the EU ePrivacy rules. Given that more countries have relevant rules that flow from regulators, caselaw, or privacy laws, even when such countries do not have specific laws dedicated to the use of cookies and similar technologies, multinational organizations will need to rethink their approach to compliance on a global scale. 2024 might be the year for many organizations to complete this project.
Catching up on cookies: regulatory guidance outside the EU | Morrison Foerster (mofo.com)
Please see our Whistleblowing Resource Center for the latest news: Whistleblowing Implementing Laws At-a-Glance | Morrison Foerster (mofo.com).
Hanno Timner (Privacy + Data Security) – Prediction for the year ahead:
After the European Court of Justice declared the German regulations on employee data protection invalid, the federal government announced that it has started the legislative process for a comprehensive new employee data protection act. The responsible ministry has published the first key points of the draft law and it is expected that the German Federal Parliament (“Bundestag”) will pass the law in 2024. Companies in Germany will have to review their employee data processing in light of the expected new regulations.
Melissa Crespo (Privacy + Data Security) – Prediction for the year ahead:
The use of pixel tracking technologies by healthcare companies was an area of heavy scrutiny for the FTC in 2023. We expect continued enforcement in this area with the FTC leveraging its authority under the newly resurrected FTC Health Breach Notification Rule. While OCR issued guidance on pixel tracking in late 2022 and jointly issued warning letters with the FTC to hospital systems and telehealth providers in July 2023, it has yet to bring enforcement in this area, but enforcement is likely in 2024. We will be keeping an eye out for enforcement and how this will shape future pixel tracking practices.
Melissa Crespo (Privacy + Data Security) – Prediction for the year ahead:
2024 will bring new health privacy laws in Washington and Nevada, which largely come into effect in March 2024. We will be keeping an eye out for further guidance from the AGs and enforcement to help better understand the practical applications of these laws, particularly in light of the broad definitions of regulated entities and covered data and the extensive obligations around transparency and choice.
Nathaniel Mendell (Privacy + Data Security) – Prediction for the year ahead:
2024 will see qui tam relators using the False Claims Act to sue healthcare providers, alleging that companies failed to provide adequate cybersecurity and privacy protections to federally insured patients. Spoiler alert: Plaintiffs will follow the headlines and target companies that suffer data breaches and ransomware attacks.
Jasmine Arooni (Privacy + Data Security) – Prediction for the year ahead:
Strong relationships between information security and legal teams will become increasingly important for companies handling health information. The Office for Civil Rights at the U.S. Department of Health and Human Services has highlighted the privacy and security risks related to using third-party tracking tools under HIPAA. The FTC has also recently exercised its authority to protect health information from “potential misuse and exploitation.” In light of increased regulatory scrutiny, legal teams may pursue data mapping exercises to assess how a company collects, analyzes, and shares health information through tracking tools. As a result, legal teams will have to work closely with marketing and information security teams to carry out data mapping and determine if a company needs to update its practices to meet its compliance obligations.
Julie O'Neill (Privacy + Data Security) – Prediction for the year ahead:
We usually focus on BIPA when we think about biometric data. But last spring, the FTC issued a very broad policy statement, identifying, among other things, the practices it believes are unfair with respect to the processing of biometric data. Look for the FTC to bring its first enforcement action pursuant to the policy statement in 2024.
Kristen Mathews (Privacy + Data Security) – Prediction for the year ahead:
With the advent of devices, like hats, headbands, and ear buds, that can read the mind’s emotions, and even affect them, neuroprivacy will become a new, challenging issue for businesses and consumers to contend with. Ceasing the evolution of technology is not possible, so we will have no choice but to ask and answer the questions: What privacy rights should we have to our inner thoughts and feelings? Must we now affix into society an individual’s ability to exist on this earth without their mind being opened to others to read?
Michael Burshteyn (Privacy + Data Security Litigation) – Prediction for the year ahead:
Crypto-related litigation will continue its explosion in 2024. Fallout from the bear market has caused disputes over tokens, DAO governance, liquidity partnerships, and other issues. Defamation claims in Web3 communities increased in 2023 and are unlikely to subside. Litigation arising from smart contract exploits will continue to test the boundaries of code and law. Cases filed by regulators such as the Securities and Exchange Commission and the Commodity Futures Trading Commission will continue shaking up the regulatory landscape for crypto while perhaps offering some semblance of clarity to new projects. Buckle up for another wild year in Web3.
Paul McKenzie, Gordon Milner, Chuan Sun, Tingting Gao (Privacy + Data Security) – Prediction for the year ahead:
International businesses keenly await the issuance in final form of the new Cyberspace Administration of China (CAC) regulations on the regulatory filings required for cross-border transfers of personal data under the Personal Information Protection Law (PIPL). This is likely to happen before the end of 2023. Some of the details may differ, but the final regulations will potentially follow the broad outlines of a September 2023 draft, exempting small volume data controllers from having to make any regulatory filings, exempting transfers undertaken for purposes of HR administration from any regulatory filings, and raising the volume threshold that triggers the requirement to do a full CAC-led security assessment. This will ease the regulatory burden for many companies in the short term and likely help resolve the bottleneck among provincial CACs reviewing the large volume of filings they have already received based on current rules. But this apparent good news may also give rise to challenges in 2024.
If CAC’s scrutiny of data transfer practices of individual companies is reduced, then a side effect may be that the burden of making judgment calls as to what practices do and don’t comply with the PIPL will shift from CAC itself to companies. Clarifications concerning many aspects of China’s cross-border data transfer regime would then play out less during CAC’s review of security assessment applications and standard contractual clauses filings and more gradually via enforcement campaigns by CAC and breach claims pursued by data subjects. 2024 will likely see an increase in both.
Paul McKenzie, Gordon Milner, Chuan Sun, Tingting Gao (Privacy + Data Security) – Prediction for the year ahead:
A major concern among international businesses operating in China since the Data Security Law (DSL) was issued in June 2021 is the lack of clarity concerning the scope of “important data,” given the restrictions on cross-border transfers of important data and other compliance requirements. 2024 will likely see greater efforts by various Chinese industry regulators to clarify the scope of “important data” within individual industries, which will allow businesses to mitigate compliance risk more effectively under the DSL as well as China’s Counter-Espionage Law.
Miriam Wugmeister (Privacy + Data Security) – Prediction for the year ahead:
While privacy is not viewed as a fundamental human right in many jurisdictions in Asia, Africa, and the Middle East, many jurisdictions wish to attract business and believe that having a privacy and data security law is key to attracting investments. In addition, several jurisdictions have expanded the jurisdictional reach of their laws to ensure that they continue to have access to information regarding their citizens or residents even if it is being handled by companies outside of their jurisdiction. Thus, we anticipate that rather than an increase in the number of data localization laws, we will see the continuation of laws seeking to broaden the jurisdictional scope and impose more stringent data security obligations on organizations operating in those jurisdictions.
Alex van der Wolk (Privacy + Data Security) – Prediction for the year ahead:
The field of privacy litigation in the EU continues to be in full development. With a few landmark cases at the European Court of Justice having been issued in 2023, a number of very compelling decisions are anticipated for 2024. Among others, issues that are expected to be decided are: the degree of proof for plaintiffs to show immaterial damages (the Netherlands and ECJ), the quality of class support for collective privacy claims (the Netherlands), and the ability to attribute a privacy violation to a legal entity without determining whether an individual at the company committed the violation (Germany).
Lokke Moerel and Annabel Gillham (Privacy + Data Security) – Prediction for the year ahead:
Companies’ monitoring of diversity, equity and inclusion (DEI) within their European workforce is picking up pace. Solid research confirms that greater diversity in leadership teams correlates to financial outperformance over time. It is no surprise that global institutional investors are increasingly tracking DEI statistics to inform and evaluate their investments, putting pressure on their EU portfolio companies to contribute their DEI statistics.
Lokke Moerel and Annabel Gillham (Privacy + Data Security) – Prediction for the year ahead:
In addition to the existing mandatory gender pay gap reporting regime and board diversity reporting in the UK (see our article), we see a trend towards voluntary ethnicity and disability pay gap reporting. As DEI pay gap reporting becomes mainstream, it will likely shine a light on DEI pay gaps in industry sectors, in turn encouraging EU companies within scope of the Corporate Sustainability Reporting Directive (CSRD) to include DEI data as a “material” workforce factor in their CSRD reporting.
Lokke Moerel and Annabel Gillham (Privacy + Data Security) – Prediction for the year ahead:
Gone are the days of the blanket argument that GDPR blocks companies from monitoring the diversity, equity and inclusion of their workforce (see why GDPR does not prohibit DEI monitoring here and listen here). We predict that in 2024 companies will be asking how to collect DEI data in the EU rather than whether they may collect it. Key will be to build employee engagement and trust, to be clear with all stakeholders on data use, to implement secure and privacy-friendly collection and retention processes (e.g., using trusted third parties) and, of course, to account for local and regional sensitivities. Watch the MoFo space for new publications and guidance on how to collect DEI data on your European workforce.
Stay up to date by visiting our Privacy + Data Security page for links to our Privacy Library and our CCPA + State Privacy, GDPR + European Privacy, China Privacy, and Cybersecurity Resource Centers.