Tech Law 2024
The evolving tech law landscape in 2024 will be characterized by a surge in regulations governing cloud computing, artificial intelligence, data, services, and cybersecurity. The intricate web of legal requirements, both within individual nations (such as the US and UK) and larger regional organizations like the EU, poses challenges for compliance. Notably, the implementation of these regulations may be fragmented rather than aligned, even within a single geographic area like the UK, further complicating compliance considerations for organizations in a globalized, post-Brexit market.
The EU has established new regulations, such as the EU Data Act 2023 (EDA) on 27 November 2023, which aims to establish rules for the sharing of data generated by using connected products such as cloud computing. Other new regulations in the EU include the Digital Services Act 2022 (DSA), coming into force on February 17th, 2024; and the Digital Markets Act 2022 (DMA), which takes effect on March 6th, 2024. Both acts are aimed at creating safer online platforms for consumers, such as app stores, messenger services and digital marketplaces.
The UK government foresees the Data Protection and Digital Information (DPDI) bill, presently under parliamentary scrutiny, becoming law by mid-2024. Organizations will have to determine whether they should follow the EU rules throughout their enterprise or, for example, adopt a distinct data protection approach in the UK. The up-and-coming DPDI seeks to reform key regulations, including the UK General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003.
The most impactful changes effectuated through the DPDI include amendments to core definitions, principles, and roles of existing data protection laws. These changes include redefining "personal data," eliminating the legitimate interests balancing test, removing the consent requirement for cookies, replacing Data Protection Impact Assessments with Assessments of High-Risk Processing, and substituting the appointment of a Data Protection Officer with a Senior Responsible Individual. These modifications reflect a comprehensive effort to modernize data protection regulations and enhance compliance in the evolving landscape of information governance in the UK.
Moreover, organizations engaged in EU/UK-US data transfers must also remain vigilant of the EU-US Data Privacy Framework (DPF), extended to the UK in October 2023. The Framework simplifies the transfer of personal data to the US. However, concerns persist about the Framework's resilience to potential legal challenges in 2024. These concerns are mainly due to the lax regulation, or lack thereof, regarding personal data in the US and its free transfer to US intelligence agencies and third countries. So far it seems that the US does not have adequate safeguards when it comes to data privacy, so the UK and the EU must take further action in protecting personal data transferred to the US.
In light of the upcoming changes, organizations should adopt a more holistic approach when dealing with personal data by instilling the basic pillars of data protection into the design of all processes and seeking opportunities to make their enterprise more data protection oriented. In doing so, organizations may need to revisit current data and cybersecurity policies and begin implementing AI into their processes with local laws in mind. The year 2024 is anticipated to witness a rapid development of new legal challenges, calling for organizations to be mindful of the multifaceted nature of data in the contemporary business landscape and the changing regulations coming this year.