This past year brought the rapid rise of ChatGPT and other generative AI platforms, accompanied by several noteworthy legal and regulatory developments. 2024 promises to continue with technology advances, making it a pivotal year for businesses navigating global data privacy and cybersecurity risks. Our Baker McKenzie Top 10 predictions for 2024 follow.
- AI-enhanced cyber threats will increase globally. Threat actors will continue to leverage AI for increasingly sophisticated attacks, exploiting new technologies to enable highly personalized phishing, social engineering, and MFA bypass. In parallel, companies will counter with moves to implement phishing-resistant authentication methods, enhanced training, and other defenses.
- Privacy class actions and regulatory investigations will intensify in the United States (US). Privacy class action litigation and regulatory actions will intensify, with a particular focus in the US on cookies/adtech and cybersecurity/data breach actions in the consumer, technology, financial, and healthcare verticals.
- Collective actions will take off in the European Union (EU). The EU Collective Redress Directive will pave the way for new types of class actions in the EU, and supplement the already robust enforcement activity of EU data protection supervisory authorities on cookies/adtech, cybersecurity/data breach, and cross-border data transfers.
- China will sharpen enforcement in the Year of the Dragon. China will sharpen enforcement priorities for the three pillars of the Personal Information Protection Law, the Security Law, and the Cybersecurity Law. Despite the trend in the last quarter of 2023 to relax formalities for cross-border approvals and enforcement for the market generally, China will sharpen its regulatory focus on critical infrastructure and companies that handle “important data.”
- The EU will continue to drive on AI and cybersecurity regulation. The EU AI Act will significantly influence the multi-year AI strategies for both enterprises and regulators alike. Despite its two-year transition period generally, the EU AI Act will start to impact how companies address global AI governance, including the design, testing, training, validation and implementation of AI systems. On cybersecurity, the significant potential fines in the expanded Network and Information Security 2 (“NIS2”) Directive, which requires member states to apply implementing measures from October 2024, will make cybersecurity a board-level issue for virtually all industry sectors.
- US states will add another dozen comprehensive data privacy laws. Following a bonanza of state consumer privacy legislative activity in 2023, which brought the total number of comprehensive US data privacy laws to twelve, state lawmakers will be even more prolific in 2024. A dozen more US states will adopt comprehensive data privacy laws with varying types of requirements on key issues such as children’s privacy, biometrics, geolocation, automated decision-making and AI, as well as health data.
- The Asia-Pacific (APAC) and Latin America (LATAM) regions will continue to develop new regulations. As the region with perhaps the greatest diversity in approaches to data privacy and cybersecurity regulation, APAC will continue to present significant challenges. 2023 was the year Vietnam’s Personal Data Protection Law came into force and India adopted its Digital Personal Data Protection Act. In October 2024, Indonesia is set to undergo a pivotal transformation with the commencement of the enforcement of its Personal Data Protection Law. In LATAM, among other developments, Brazil will finalize its regulations, increase enforcement of its General Data Protection Law, and continue to consider draft AI regulations.
- As M&A activity expands into increasingly regulated spaces like AI, automated decision-making and data, cyber and privacy risk will take the spotlight in transactions. As companies aim to stay in step with technology advancements and market-leading innovation, M&A and other financing activity will grow in spaces that are undergoing significant review by regulators. Acquirers will need to focus on potential compliance gaps with the target, particularly given the shifting legal landscape, and post-close integration planning will begin earlier in the transaction with a focus on isolating perceived privacy and cyber risk, and shifting the weight to the target in ways that will not decrease transaction momentum.
- The SEC cybersecurity rules will result in faster and more public notification of cybersecurity incidents. The four-day notification requirement under the new Securities and Exchange Commission (SEC) cybersecurity rules will result in faster notifications of material cybersecurity incidents than we have seen to date. To stay in compliance with reporting requirements, companies will invest heavily in better internal incident response plans including incident detection and communication. Companies will also benchmark how and when their competitors are reporting both their overall cyber readiness and incident response.
- EU-US Data Privacy Framework (DPF) enrollment will be on the uptick. By the end of 2024, more companies will have enrolled in the EU-US DPF than had participated in the predecessor arrangement, the EU-US Privacy Shield. The DPF carries legal benefits over other mechanisms for cross-border transfer, and the closer integration between EU and US businesses will drive greater registrations. Max Schrems’ challenge of the DPF will be filed in early 2024, but will not be decided by the ECJ until the end of 2025.
As is evident, 2024 will be a critical year for global data privacy and cybersecurity. We welcome your thoughts and predictions. Please feel free to reach out to any among the Global Data Privacy and Cybersecurity Leadership Team (listed below) or your Baker McKenzie contacts.