Looking back + forwards, 4 big topics for me on LinkedIn in 2024 & likely still for 2025 are the following:
– ePrivacy
– “Consent or Pay”
– AI & personal data
– Cybersecurity
The key ePrivacy topic was the European Data Protection Board’s guidelines on the technical scope of Art. 5(3) of the ePrivacy Directive – basically, “to which techniques (URL-based analytics, pixel-based tracking, etc.) does the ‘cookie’ rule apply?”. I contributed to 2 responses to the public consultation following the publication in late 2023 of an initial version of the EDPB’s guidelines, and the final version published in October 2024 all but ignored the issues I and many others had flagged.
I continue to believe that the EDPB’s approach is bad in terms of legal interpretation, bad for the future of the Internet, bad for privacy-enhancing technologies. I hope companies and organisations see the importance of challenging it in 2025 – and am always available to assist them.
On Consent or Pay, within 24h after the EDPB published its “Consent or Pay” Opinion in April, I had published the first in-depth critical analysis thereof, and many then heard me speak on the topic at webinars + in-person conferences across Europe.
When the EDPB organised its “stakeholder event” in November on this issue, with a view to its adoption in 2025 of guidelines on “pay or ok”, this time not only for “large online platforms” (whatever that means), I was able again to get certain points across. To be seen whether the EDPB takes them into account.
2025 will be intriguing for this. Will the EDPB seek to define its idea of “large online platforms” further? Will it say that what it prohibited in practice for them, everyone else is permitted to do? How will it justify its position? The guidelines themselves could also be challenged when they come – as I keep on telling clients (also re ePrivacy & AI), just because the EDPB behaves like no one can hold it to account, doesn’t make that true!
On AI and the GDPR, the recent Opinion is again flawed in my opinion – more on that soon, but I published earlier an in-depth article on whether there even is any processing of personal data through the operation of an AI model such as an LLM. I find the EDPB’s approach dangerous, notably re anonymisation.
2025 will likely be the year of the first in-depth legal cases on these issues – whether through a challenge to the EDPB or through CJEU referrals.
On cybersecurity, NIS2 was a topic, but the hit LinkedIn topic for me on cyber was whether unavailability due to e.g. a DDoS is a personal data breach.
In 2025, I expect more of these discussions, partly because of NIS2 & the CRA but also because GDPR regulators are increasingly looking at technical measures. A cyber incident isn’t necessarily a GDPR infringement – but it can reveal one. So a good cybersecurity strategy is really important from a compliance perspective too.
2025 should prove interesting!
Links:
1. ePrivacy:
Post on why the EDPB’s position creates issues for privacy-enhancing technologies (+ with links to in-depth articles): https://www.linkedin.com/posts/petercraddock_eprivacy-dpc24-payorok-activity-7265668826346786817-Lmqa
Similar based on decision by Austrian court: https://www.linkedin.com/feed/update/urn:li:activity:7270438880821104640/
2. Consent or Pay:
Critical analysis of EDPB Opinion 08/2024: https://www.linkedin.com/pulse/op-ed-critical-analysis-edpbs-pay-consent-opinion-peter-craddock-obl3e/
Write-up of EDPB stakeholder event on the topic: https://www.linkedin.com/posts/petercraddock_gdpr-adtech-privacy-activity-7264292949629321216-SdGe
3. AI & GDPR:
Write-up of EDPB stakeholder event on the topic: https://www.linkedin.com/posts/petercraddock_ai-gdpr-dataprotection-activity-7259578683852558336-8O97
In-depth article on whether AI models involve the processing of personal data: https://www.linkedin.com/pulse/op-ed-ai-training-data-non-personal-consent-really-peter-craddock-ko4ie/
4. Cybersecurity:
See discussion on CrowdStrike incident here: https://www.linkedin.com/posts/petercraddock_dataprotection-gdpr-cybersecurity-activity-7220066550601449475-iqSI/
