1. Strategy 2024-2027: Recommendations of the EDPB
The EDPB has adopted its strategy for the 2024-2027 period1 defining its priorities around four pillars.
- Strengthen the harmonization of practices and promote compliance with data protection rules ;
- Focus on improving the culture of GDPR compliance and cooperation between data protection authorities ;
- Need to protect personal data in a constantly evolving and interregulatory digital environment ;
- Importance of contributing to international dialogue to promote high standards of data protection.
2. Consent or pay models » (p19-20):The EDPB denounces unbalanced consent
In April 2024, the EDPB issued Opinion 08/20242 relating to the validity of the “Consent or Pay” models » (Consent or Pay) used by major online platforms. The EDPB believes that these models often do not allow for the collection of a freely given consent, as users are required to choose between consenting to the collection of their data or paying. He highlights the risks of an imbalance of power between platforms and users and prejudice for the latter. He recommends that platforms offer alternatives without behavioral advertising and that subscription fees are proportionate.
3. Facial recognition in airports (p20-21):
In May 2024, the EDPB published Opinion 11/20243 regarding the use of facial recognition to facilitate passenger flows in airports. It stipulates that this technology must be used only with the consent of passengers and when it is legally required. The EDPB recommends that biometric data (sensitive) be stored securely, preferably directly in the hands of passengers or in encrypted databases.
4. Artificial intelligence and GDPR (p22-23):
The EDPB has issued Opinion 28/20244 adopted in December 2024, which deals with the protection of personal data in the development of AI models. It clarifies that AI models trained on personal data cannot always be considered anonymous, requiring a case-by-case assessment. The EDPB emphasizes that legitimate interest may be a legal basis for data processing, but must respect a necessity and proportionality test. The opinion also addresses the consequences of illegal data processing in the development phase AI within the framework of GDPR and its impact on their deployment.
5. Investigation on the right of access as stipulated in the GDPR (p30-31): towards a harmonization in the EUcord?
The EDPB launched in 2024 a coordinated action on the right of access provided for in Article 15 of the GDPR, involving 30 national data protection authorities. This initiative aimed to assess compliance by data controllers, verifying adherence to guidelines 01/20225 on the right of access. The first phase involved the assessment of 1,185 data controllers, with varied results, some large companies being more compliant than SMEs, given their resources. The main challenges identified relate to inconsistent interpretations of the right of access and obstacles encountered by the subjects concerned in exercising their right.
6. Events for stakeholders (p27):
Regarding a more focused sensitization/consultation aspect, the EDPB organized events with stakeholders on current topics, such as the “Consent or Pay” models and the application of GDPR to AI models. One of the topics explored primarily concerned the compliance of these models with GDPR, particularly as to whether consent is truly freely given and whether alternatives to it are equitable. The second event addressed more specifically the challenges related to the transposition of GDPR principles to AI models, including in relation to transparency and accountability of actors.
7. European cooperation within the framework of the GDPR (p32-33):
In 2024, the EDPB’s cooperative initiatives enabled the processing of 350 cross-border cases and the launch of 982 procedures through the one-stop shop mechanism, with 485 final decisions made. These figures demonstrate the effectiveness of GDPR and the importance of close collaboration between national authorities and the EDPB, in order to ensure compliance of organizations regardless of their location. Our law firm assists its clients to ensure their GDPR compliance
8. Memorandum of Cooperation with PEReN (p31): which cooperation around AI ?
In April 2024, the EDPB signed a memorandum of cooperation with the PEReN6, digital regulation hub and intergovernmental structure under the joint authority of the French ministries of Economy, Culture and the Digital Affairs. The Agreement aims to strengthen technical cooperation to address emerging data protection challenges. PEReN is notably recognized for its expertise in data science and algorithmic transparency. It will provide technical support to authorities and administrations. The PEReN-EDPB Agreement will focus, among other things, on the audit of mobile applications, the transparency of algorithmic systems, with an emphasis on the compliance of AI systems (SAS) with the GDPR.
9. Report on the application of the GDPR (p26):
A decision 6/2024 was published by the EDPB in December 2024 regarding the application of the GDPR. This decision highlights the importance of ensuring coherence between the GDPR and new digital regulations, such as the AI Act/RIA. The EDPB emphasizes the need to improve understanding of data protection principles, particularly for SMEs and non-experts. It also calls for increased resources to address the growing challenges of data protection and to ensure proper application of the GDPR across the EU.
10. Corrective measures at the EU level – 2024 (p37-39):
In a more repressive context, in 2024, the data protection authorities took corrective measures to ensure compliance with GDPR. The results of these corrective measures are detailed in the table below, illustrating the intensity and impact of the actions taken :
The report highlights that the actions and sanctions taken by the authorities reveal recurring and fundamental breaches, such as:
- Insufficient technical and organizational measures to secure personal data ;
- Treatments carried out without an appropriate legal basis, including the absence of consent ;
- Illicit processing of sensitive data, such as health-related data ;
- The absence of clear information regarding processing activities and the failure to respect individual rights, such as the right to erasure and the right of access ;
- The failure to report data breaches or an inadequate assessment of associated risks.
Aumans Avocats: specialists in IT/Data, data protection and outsourcing of the DPO
As a law firm specializing in IT/Data and data protection, we are at your disposal to accompany you in all your projects. Whether you are a startup, a SME or group of companies, our expertise will enable you to navigate smoothly within the complex landscape of regulation and compliance. Do not hesitate do not contact us for personalized advice and secure your future digital.
Sources :
- https://www.edpb.europa.eu/news/news/2024/edpb-sets-out-priorities-2024-2027-and-clarifies-implementation-dpf-redress_fr – EDPB, strategy and priorities 2024-2027 ↩︎
- https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-082024-valid-consent-context-consent-or_fr – EDPB, Opinion 08/2024 on the validity of consent in the context of “consent-or-pay” models implemented by major online platforms ↩︎
- https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_fr – EDPB, Opinion 11/2024 on the use of facial recognition technologies to streamline passenger flows in airports ↩︎
- https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282024-certain-data-protection-aspects_en – EDPB, Opinion 28/2024 on certain aspects of data protection related to the processing of personal data in the context of AI models ↩︎
- https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_fr – EDPB, Guidelines 01/2022 on the rights of individuals concerned — Right of access ↩︎
- https://www.peren.gouv.fr/ – PEReN – Digital Regulation Expertise Hub ↩︎
