The European Data Protection Board (EDPB) has unveiled its 2024 Annual Report, outlining a comprehensive overview of its work and strategies for the coming years. Over 2024, the EDPB made significant advancements in ensuring the consistent application of the General Data Protection Regulation (GDPR) while adapting to emerging challenges in a rapidly evolving digital world. This report underscores the board’s commitment to safeguarding fundamental rights to privacy and data protection within the EU.
One of the hallmark achievements highlighted in the report is the adoption of the EDPB Strategy 2024-2027, which sets clear goals for strengthening data protection enforcement, modernizing the regulatory framework, and addressing cross-regulatory coordination challenges. The emphasis on cross-border and global cooperation marks a critical step toward bolstering the influence of the EU’s data protection principles internationally. Key priorities include improving collaboration between enforcement bodies, navigating the intersection of the GDPR with new digital regulations such as the Digital Markets Act (DMA) and Artificial Intelligence Act (AI Act), and providing greater guidance to businesses and individuals.
A noteworthy development in 2024 was the surge in Article 64(2) consistency opinions, wherein the EDPB adopted eight pivotal opinions. These rulings focused on high-impact topics, such as ‘Consent or Pay’ schemes by major digital platforms, applications of facial recognition at transportation hubs, and the use of personal data for training artificial intelligence (AI) systems. For instance, the EDPB’s stance on ‘Consent or Pay’ models — where users are restricted from accessing services without consenting to invasive data collection — addresses growing concerns about users’ rights being compromised in exchange for service access, reaffirming GDPR’s purpose to ensure meaningful and voluntary consent.
The board has also actively guided various legislative developments, issuing statements on GDPR enforcement procedures and the role of data protection authorities (DPAs) in AI frameworks. For example, its engagement with negotiators on the AI Act highlighted the potentially sensitive intersections between AI development and GDPR requirements. Furthermore, the EDPB augmented its guidance resources in 2024, releasing four new sets of guidelines, including one on legitimate interest and another on cross-border data transfers — areas fraught with complexities for multinational businesses and regulatory authorities alike.
From an ethical perspective, the EDPB’s work in championing transparency and providing educational resources in accessible formats is central to fostering public trust. The translation of its Small Business Data Protection Guide into 18 languages, and the introduction of clear, non-technical guideline summaries, strongly signals its commitment to inclusivity, ensuring that even non-experts and smaller enterprises can understand their rights and duties under GDPR in a straightforward manner.
Industry implications of the EDPB’s initiatives are profound. The increased scrutiny of practices like AI data usage and facial recognition sets a precedent for how emerging technologies must align with privacy norms. Companies leveraging advancing technology platforms will need to heighten their compliance frameworks to adapt to stricter guidance. For digital players with global operations, the EDPB’s contributions to global consensus-building signal the EU’s intent to export its regulatory philosophy worldwide.
Looking forward, robust public consultations and stakeholder engagement remain at the forefront of the EDPB’s strategy. The stakeholder events on ‘Consent or Pay’ models and AI guidelines demonstrate the board’s openness to dialogue, creating a platform for industry adaptation and alignment with regulatory expectations. Overall, the EDPB’s 2024 report reflects a balance between enforcement, education, and international collaboration, positioning the EU as a global privacy leader in a rapidly evolving digital era.