GDPR Turns Six: Six Things To Expect And Plan For

William Fry


William Fry is a leading full-service Irish law firm with over 310 legal and tax professionals and 460 staff. The firm's client-focused service combines technical excellence with commercial awareness and a practical, constructive approach to business issues. The firm advices leading domestic and international corporations, financial institutions and government organisations. It regularly acts on complex, multi-jurisdictional transactions and commercial disputes.
This regulatory regime is only the beginning. To mark this anniversary, our Technology group takes stock of six key areas businesses should prepare for in the near term.
European Union Privacy
To print this article, all you need is to be registered or login on

25 May 2024 marks six years of the GDPR being the global standard for data protection rules for companies doing business across Ireland and Europe.

This regulatory regime is only the beginning. To mark this anniversary, our Technology group takes stock of six key areas businesses should prepare for in the near term.

1. GDPR and the EU's Digital Reforms Package

The net of regulation for entities doing business across Ireland and the EU is getting wider, particularly around the processing of data and personal data. The EU's Digital Reforms package introduces new laws to regulate the areas of AI, content, data and cybersecurity, each of which interplay with and share similarities with the GDPR. To help guide compliance, we have prepared an EU Technology Regulation Playbook, which gives an overview of what is to come and the expected impact on your business.

What to expect and plan for?

Leverage existing data protection governance frameworks for these new laws.

2. Data Protection and Artificial Intelligence

The EU AI Act will take effect (in part) towards the end of 2024. Given the reliance of AI systems on data (including personal data), businesses deploying or developing AI systems must consider GDPR compliance.

What to expect and plan for?

Prepare to combine data protection and AI governance frameworks; understand the challenges and solutions that AI systems present for the GDPR's rules (e.g. data protection principles).

3. Protection of Children's Data Online

EU regulators will continue to focus on protecting children's personal data, particularly in the online world. Companies will continue to face scrutiny on transparency, parental consent and parental controls, age assurance and age verification, children's privacy, and content regulation for children (including under the Online Safety and Media Regulation Act 2022).

What to expect and plan for?

Guidance from the European Data Protection Board (EDPB) on processing children's personal data is expected.

4. One-Stop-Shop Mechanism: Centralised Enforcement?

Where ultimate decisions concerning the processing of personal data by group companies with an EU headquarters are made outside of the EU, businesses may be unable to argue that their "main establishment" is in the EU. In recent guidance, the EDPB has clarified that the One-Stop-Shop mechanism may not apply in such circumstances. The proposed 'GDPR Procedural Regulation' is also on the table and aims to centralise cross-border enforcement of the GDPR among EU data protection authorities.

What to expect and plan for?

A possible shift in the enforcement of the GDPR via the One-Stop-Shop Mechanism and proposed new legislation.

5. Increased Privacy Litigation

Businesses will likely face increased privacy litigation as individuals become increasingly aware of their data subject rights and lower courts have jurisdiction to adjudicate data subject actions. Following the Austrian Post Case (C-300/21), businesses must consider the legal costs and reputational impact associated with a mere infringement of the GDPR for (non-)material damage. To date, non-compliance with the GDPR's basic principles has been at the centre of privacy litigation.

What to expect and plan for?

To see continued and increased privacy litigation for infringements of the GDPR.

6. EU and US Transfers

In July 2023, the European Commission adopted a US adequacy decision under the EU-US Data Privacy Framework (DPF), allowing the free flow of personal data from the EU to the US for certification companies. The possibility of a Schrems III remains a topic of discussion, but regulators on both sides of the deal are confident it will remain valid.

What to expect and plan for?

To see meaningful procedural action from the EU regulators to bring the DPF redress mechanism to EU-based individuals and for any challenge to the adequacy decision to be robustly defended by the European Commission.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More