All wrapped up: 2024’s privacy highlights
Noteworthy news and high-profile court cases
In August 2024, the arrest of Pavel Durov made waves. The Telegram CEO was indicted for alleged complicity in illegal activities facilitated through the messaging platform. Telegram was known for its resistance to complying with law enforcement requests, profiling itself as a protector of free speech.1 The arrest raised questions about the balance between privacy and public safety, and the limits of free speech. Ultimately, it led to Telegram amending its privacy policy to allow cooperation with authorities in specific cases.
Later in the year, the Court of Justice of the European Union (CJEU) ruled against Meta on the topic of targeted advertisement.2 In brief, the court found that aggregating, analysing and processing all personal data obtained by a controller is not in line with the principle of data minimisation. Moreover, the fact that Schrems had made a statement about his sexual orientation during a public panel discussion did not authorise Facebook to process other data relating to his sexual orientation (with the goal to offer him personalised advertising).3 This ruling has implications for all other advertisement companies that fail to delete collected data – they cannot simply use all the data they have for advertising purposes.
Following an ongoing debate within the Netherlands, the CJEU ruled that the commercial interests of the controller may be regarded as necessary for the purposes of the legitimate interest pursued by that controller. This is contrary to the view that the Dutch data protection authority had adopted earlier, that purely commercial interests could not constitute a legitimate interest.5 The court also reiterated that legitimate interest does not have to be determined by law, but must be lawful. Good to know!
Another key topic within the Netherlands this past year was digital sovereignty. As concerns grow over the country’s reliance on foreign cloud providers, the government has announced it will introduce an updated cloud policy in 2025. Among other things, the new policy will zoom in on digital sovereignty and challenges arising from AI and other new technologies.6
Consent or pay – is it okay?
Internet users will have seen it more often this year – a pop-up that offers them the choice to either consent to the processing of their personal data for targeted advertising or pay a fee to access the service without such data processing. The practice, often referred to as Pay or Okay, is highly debated and raises questions about the meaning of free and valid consent under the GDPR. The EDPB released an opinion on the matter, stating that consent or pay models generally do not meet the requirements for valid consent under the GDPR. Online platforms are advised to develop a third option: an ‘equivalent alternative’ of the service without personalised advertising.7 Online platforms and other stakeholders alike are awaiting upcoming guidelines that will further clarify the EDPB’s stance.
To fine or not to fine…
European DPAs have issued at least 510 fines in 2024.8 The top 3 highest fines include:
- A 310 million euro fine for LinkedIn for not having a valid legal basis for processing user data for personal advertising purposes, issued by the Irish DPA.
- A 290 million euro fine for Uber for transferring personal data of European drivers to the USA without sufficient privacy safeguards, issued by the Dutch DPA.
- A 251 million euro fine for Meta for taking insufficient technical and organisational measures to ensure information security, issued by the Irish DPA.
Another noteworthy fine includes the 30.5 million euro fine issued to Clearview AI by the Dutch DPA, which highlighted the difficulty of enforcing the GDPR extraterritorially. Read what we wrote about it here.
Not only commercial companies, but also the EU Commission has faced supervisory action. The European Data Protection Supervisor (EDPS) issued a formal warning under the “EU GDPR”9 to the EU Commission for political micro-targeting. The EU Commission targeted citizens using sensitive personal data on their political views, thereby influencing or trying to influence political views in the Netherlands. The EDPS considered that a fine was not necessary, as the EU Commission had stopped the practice.10
2024 at Privacy Company
Whew, and that wasn’t even all that happened in 2024. Luckily, at Privacy Company, we still managed to get things done between all the news notifications. We finished DPIAs for SURF and Rijk on CoPilot, provided trainings on AI, welcomed students at our in-house days and celebrated our 10-year anniversary!
2025: What’s to come?
In the upcoming year, we can look forward to EDPB Guidelines on consent or pay, partial implementation of the AI Act, and the national adoption of several other EU directives and regulations in the Netherlands. Luckily, you don’t have to keep up with all the developments yourself.
In need of someone who keeps on top of all things privacy related, interested in a training, or curious about one of our other services? See what we can offer you, and don’t hesitate to reach out! In the meantime, stay tuned for our upcoming blogs.
1 NRC, Telegram-oprichter Doerov in staat van beschuldiging gesteld, 28 August 2024, URL: https://www.nrc.nl/nieuws/2024/08/28/telegram-oprichter-pavel-doerov-voorgeleid-ook-arrestatiebevel-voor-doerovs-broer-a4864045.
2 CJEU, C-6446/21, Maximilian Schrems v Meta Platforms Ireland Limited, formerly Facebook Ireland Limited (October 4th, 2024).
3 Court of Justice of the European Union, PRESS RELEASE No 166/24, URL: https://noyb.eu/sites/default/files/2024-10/CP240166EN.pdf.
4 CJEU, C-621/22, Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (October 4th, 2024).
5 Autoriteit Persoonsgegevens, Normuitleg grondslag ‘gerechtvaardigd belang’, URL: https://autoriteitpersoonsgegevens.nl/uploads/imported/normuitleg_gerechtvaardigd_belang.pdf.
6 Kamerbrief, Evaluatie Rijksbreed Cloudbeleid, 16 October 2024, URL: https://open.overheid.nl/documenten/4a4f7ec7-a241-46bc-94a5-cb4c1587a974/file.
7 EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, adopted on 17 April 2024.
8 GDPR Enforcement Tracker, URL: https://www.enforcementtracker.com/.
9 Regulation (EU) 2018/1727.
10 Noyb, Political Microtargeting by EU Commission illegal, 13 December 2024, URL: https://noyb.eu/en/political-microtargeting-eu-commission-illegal.