This past year brought the rapid rise of ChatGPT and other generative AI platforms, accompanied by several noteworthy legal and regulatory developments. 2024 promises to continue with technology advances, making it a pivotal year for businesses navigating global data privacy and cybersecurity risks. Our Baker McKenzie Top 10 predictions for 2024 follow.

  1. AI-enhanced cyber threats will increase globally. Threat actors will continue to leverage AI for increasingly sophisticated attacks, exploiting new technologies to enable highly personalized phishing, social engineering, and MFA bypass. In parallel, companies will counter with moves to implement phishing-resistant authentication methods, enhanced training, and other defenses.
  2. Privacy class actions and regulatory investigations will intensify in the United States (US). Privacy class action litigation and regulatory actions will intensify, with a particular focus in the US on cookies/adtech and cybersecurity/data breach actions in the consumer, technology, financial, and healthcare verticals.
  3. Collective actions will take off in the European Union (EU). The EU Collective Redress Directive will pave the way for new types of class actions in the EU, and supplement the already robust enforcement activity of EU data protection supervisory authorities on cookies/adtech, cybersecurity/data breach, and cross-border data transfers.
  4. China will sharpen enforcement in the Year of the Dragon. China will sharpen enforcement priorities for the three pillars of the Personal Information Protection Law, the Security Law, and the Cybersecurity Law. Despite the trend in the last quarter of 2023 to relax formalities for cross-border approvals and enforcement for the market generally, China will sharpen its regulatory focus on critical infrastructure and companies that handle “important data.”
  5. The EU will continue to drive on AI and cybersecurity regulation. The EU AI Act will significantly influence the multi-year AI strategies of enterprises and regulators alike. Despite its generally two-year transition period, the EU AI Act will start to impact how companies address global AI governance, including the design, testing, training, validation and implementation of AI systems. On cybersecurity, the significant potential fines in the expanded Network and Information Security 2 (“NIS2”) Directive, which requires member states to apply implementing measures from October 2024, will make cybersecurity a board-level issue for virtually all industry sectors.
  6. US states will add another dozen comprehensive data privacy laws. Following a bonanza of state consumer privacy legislative activity in 2023, which brought the total number of comprehensive US data privacy laws to twelve, state lawmakers will be even more prolific in 2024. A dozen more US states will adopt comprehensive data privacy laws with varying types of requirements on key issues such as children’s privacy, biometrics, geolocation, automated decision-making and AI, as well as health data.
  7. The Asia-Pacific (APAC) and Latin America (LATAM) Regions will continue to develop new regulations. As the region with perhaps the greatest diversity in approaches to data privacy and cybersecurity regulation, APAC will continue to present significant challenges. 2023 was the year Vietnam’s Personal Data Protection Law came into force and India adopted its Digital Personal Data Protection Act. In October 2024, Indonesia is set to undergo a pivotal transformation with the commencement of the enforcement of its Personal Data Protection. In LATAM, among other developments, Brazil will finalize its regulations, increase enforcement of its General Data Protection Law, and continue to consider draft AI regulations.
  8. As M&A activity expands into increasingly regulated spaces like AI, automated decision-making and data, cyber and privacy risk will take the spotlight in transactions. As companies aim to stay in step with technology advancements and market-leading innovation, M&A and other financing activity will grow in spaces that are undergoing significant review by regulators. Acquirers will need to focus on potential compliance gaps with the target, particularly given the shifting legal landscape, and post-close integration planning will begin earlier in the transaction with a focus on isolating perceived privacy and cyber risk, and shifting the weight to the target in ways that will not decrease transaction momentum.
  9. The SEC cybersecurity rules will result in faster and more public notification of cybersecurity incidents. The four-day notification requirement under the new Securities and Exchange Commission (SEC) cybersecurity rules will result in faster notifications of material cybersecurity incidents than we have seen to date. To stay in compliance with reporting requirements, companies will invest heavily in better internal incident response plans including incident detection and communication. Companies will also benchmark how and when their competitors are reporting both their overall cyber readiness and incident response.
  10. EU-US Data Privacy Framework (DPF) on the Uptick. By the end of 2024, more companies will have enrolled in the EU-US DPF than had participated in the predecessor arrangement, the EU-US Privacy Shield. DPF carries legal benefits over other mechanisms for cross-border transfer, and the closer integration between EU and US businesses will drive greater registrations. Max Schrems’ challenge of the DPF will be filed in early 2024, but will not be decided by the ECJ until the end of 2025.

As is evident, 2024 will be a critical year for global data privacy and cybersecurity. We welcome your thoughts and predictions. Please feel free to reach out to any member of the Global Data Privacy and Cybersecurity Leadership Team (listed below) or your Baker McKenzie contacts.

Author

Flavia is a partner at Trench Rossi Watanabe* and is based in São Paulo. She has more than 15 years of experience in the areas of intellectual property, franchise, technology transfer, social media and unfair competition. *Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team. He brings over 22 years of experience in this specialist area, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Cynthia is an Intellectual Property Partner in Baker McKenzie's Palo Alto office. She advises clients across a wide range of industries including Technology, Media & Telecoms, Energy, Mining & Infrastructure, Healthcare & Life Sciences, and Industrials, Manufacturing & Transportation. Cynthia has deep experience in complex cross-border, IP, data-driven and digital transactions, creating bespoke agreements in novel technology fields.

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Rachel Ehlers is a partner in Baker McKenzie's Intellectual Property and Technology Practice Group, based in the Firm's Houston office. Rachel's practice focuses on technology transactions, data privacy and cybersecurity. She has extensive experience advising clients on data incidents and breach response, cross-border transfers, and data privacy and cybersecurity issues related to mergers and acquisitions.

Author

Dr. Lukas Feiler, SSCP, CIPP/E, has more than eight years of experience in IP/IT and is a partner and head of the IP and IT team at Baker McKenzie • Diwok Hermann Petsche Rechtsanwälte LLP & Co KG in Vienna. He is a lecturer for data protection law at the University of Vienna Law School and for IT compliance at the University of Applied Science Wiener Neustadt.

Author

Diego Ferrada has 20 years of experience working on mergers and acquisitions, including stock and asset transactions, as well as project finance transactions.

Author

Francesca Gaudino is the Head of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Bryant Isbell is the Managing Director of the Global eDiscovery and Data Advisory Group at Baker McKenzie. Bryant has more than 20 years of experience focusing on information governance, data privacy, full EDRM lifecycle execution and management, and data analytics.

Author

Andy Leck is the head of the Intellectual Property (IP) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and leads the Myanmar IP Steering Committee.

Author

Theo heads Baker McKenzie's Canadian Information Technology/Communications practice and is a member of the Firm's Global IP/Technology Practice Group, and Technology, Media & Telecoms and Financial Institutions Industry Groups.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Teresa advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property and international arbitration. She is the Co-Chair of the North American Class Action Subgroup.

Author

Carolina Pardo is a lawyer and specialist in International Contract Law who graduated from Universidad de los Andes. She obtained an LL.M. with specialization in International Private Law and Competition Law from the London School of Economics and Political Science. Over 20 years, she has advised major national and international clients on matters related to compliance with data protection, competition and consumer law rules. She has also successfully coordinated and prepared proposals for submission to national authorities on behalf of major industrial groups in Colombia.

Author

Anne is a partner based in Sydney. Her practice focuses on IT and telecommunications supply arrangements; understanding regulatory issues for online, telecommunications and IT businesses (in particular for data management); and trade regulatory and commercial contracting advice.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Elizabeth Roper is a partner in Baker McKenzie's North America Litigation and Global Dispute Resolution Practice. She is based in the New York office. Prior to joining the firm, Liz served in the Manhattan District Attorney's Office as Bureau Chief of the Cybercrime and Identity Theft Bureau (CITB). In this role, Liz directed the investigation and prosecution of all types of cybercrime impacting Manhattan, including sophisticated cyber-enabled financial crime such as identity theft, payment card fraud, and money laundering; network intrusions, hacking, ransomware, and "middleman" attacks; intellectual property theft; "dark web" trafficking of contraband; and the theft and illicit use of cryptocurrencies.

Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and has focused on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Jerome has extensive experience representing clients in government litigation and enforcement investigations before the SEC, DOJ, various United States Attorneys' Offices and the Commodity Futures Trading Commission.

Author

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice.

Author

Carlos is one of Mexico's most active privacy, data protection and information security lawyers. He has implemented privacy management compliance programs for over 100 companies, including several Fortune 500 companies. He advises on corporate and commercial matters where privacy is an issue, including e-discovery, FCPA investigations, e-commerce, direct marketing, privacy in the workplace, litigation and M2M communications.