
The Evolving Landscape of European Technology Regulation: Implications for Global Business

Daniel Casares-Lauritsen
March 5th, 2024

The European Union has emerged as an undeniable leader in the comprehensive regulation of the digital sphere. Its approach towards privacy, dominant tech platforms, online content moderation, and the development of artificial intelligence has the potential to influence regulatory trends across the globe. From small businesses to multinational corporations, any entity operating within the EU market or interacting with EU citizens faces a rapidly evolving set of complex requirements.

At the foundation of this regulatory shift lies the General Data Protection Regulation (GDPR). By enshrining user rights over their personal data, emphasizing informed consent, and demanding accountability from businesses, the GDPR has set a new standard for data protection.

Despite initial efforts, GDPR compliance has proven more complex than anticipated. Increased awareness among European citizens has led to a surge in complaints and regulatory investigations. The number of fines and investigations has risen steadily, indicating greater scrutiny and enforcement by authorities.

Compliance strategies have evolved from early initiatives focused on visible actions to a more mature understanding of best practices and standards. However, effective implementation of privacy compliance remains challenging for many organizations. Key issues include the lack of practical experience among staff, fragmented roles within organizations, and inadequate involvement of senior management.

Having worked with a variety of industry clients on a myriad of data privacy-related projects, including end-to-end data privacy programs, FLI has identified some of the most common pitfalls organizations face on their data privacy compliance journey under GDPR:

1. Data Protection Officers (DPOs): DPOs play a crucial role in monitoring privacy compliance, but they are often appointed from existing staff without sufficient independence, resources, or access to senior management. This lack of autonomy can be problematic, especially if detected by data protection authorities. Today, more organizations choose to appoint an external DPO over an internal candidate. This offers several advantages, including objectivity, impartiality, independence, experience, and insight into best practices. FLI Local Counsel regularly takes on the external DPO role for clients in key jurisdictions in the EU, including Germany, Spain, Italy, and Austria, and abroad, including China, the USA, the UK, Mexico, and Brazil, among others.

2. Privacy Policies and Related Corporate Documentation: Many organizations have overly legalistic, lengthy, and contradictory privacy policies that fail to adequately inform data subjects, including employees and staff. They often lack specificity regarding the purpose, method, and timing of data processing activities. This issue is further exacerbated when multinationals attempt to apply a “one-size-fits-all” approach by administering policies and notices in all countries where they operate without sufficient regard for local law requirements. This also applies to EU jurisdictions, where local supervisory authorities may have more stringent compliance requirements than those listed under GDPR.

3. Record of Processing Activities (RoPA): RoPA is essential for maintaining an updated overview of data processing activities within an organization. The basic purpose of RoPA is to serve as evidence or an audit trail, giving the supervisory authority a clear picture of how your organization treats the processing of personal data and if it is in compliance with applicable privacy laws. However, many organizations lack a formalized approach to collecting such information, and as a result these records are often incomplete, outdated, and lack detailed information, making it challenging for DPOs to identify compliance issues.

4. Retention Period Schedules: Stemming from the above issue, many organizations overlook the importance of establishing clear retention period schedules for personal data. Without defined timelines for data retention, organizations risk retaining data longer than necessary, increasing exposure to privacy breaches and non-compliance with GDPR requirements. Additionally, the absence of retention period schedules complicates data management processes and makes it difficult for DPOs to ensure compliance with data protection principles such as data minimization and storage limitation.

The Digital Services Act (DSA) and the Digital Markets Act (DMA), collectively known as the "Digital Services Package," represent the European Union's efforts to establish a safer digital environment that upholds the fundamental rights of all digital service users while fostering innovation, growth, and competitiveness. Jointly, the DSA and DMA aim to:

  • Create a safer digital space in which the fundamental rights of all users of digital services are protected.
  • Regulate the influence of major technology firms and cultivate a fair and competitive landscape in both the European single market and on a global scale.

Digital Services Act

The DSA tackles the spread of harmful and illegal content online. Its tiered approach places escalating responsibilities on platforms based on their size and risk potential. For all users, the DSA promises greater clarity and mechanisms to challenge content moderation decisions. The regulation is essentially based on three key factors:

  1. Liability of intermediary service providers (including hosting providers, registries and registrars), who will be subject to new rules for the removal of illegal and harmful content.
  2. Rights of consumers, which are strengthened, in particular with regard to the transparency of product information and the protection of personal data.
  3. Competition, which will be improved, in particular, through the promotion of interoperability between digital services and the prevention of abuse of dominant position.

The DSA entered into force in November 2022, initially with partial application only to Gatekeepers, i.e. those digital platforms that play a systematic role in the market (with more than 45 million active users), including both Very Large Online Platforms (“VLOPs”) and Very Large Online Search Engines (“VLOSEs”), as designated by the European Commission pursuant to Article 33 of the DSA.

From 17 February 2024, however, the DSA began to apply to all intermediary service providers in the EU, including platforms or search engines with fewer than 45 million active users.

Digital Markets Act

The rise of seemingly unassailable tech giants has prompted the EU's DMA. The concept of "Gatekeepers" – companies that control the key points of the digital market distribution channels and which have, therefore, assumed considerable importance in the market – is central to this legislation. By prohibiting practices that give unfair competitive advantages, such as self-preferencing and restricting user choice, the DMA aims to create more contestable and innovative digital markets.

In particular, the DMA’s goal is to standardize the growth opportunities of European companies, regardless of their size, through the regulation of Gatekeepers, prohibiting certain unfair commercial practices implemented by Big Tech companies.

The DMA was legally implemented in November 2022. The majority of its regulations became effective in May 2023, while the gatekeepers were officially appointed on September 6, 2023. These gatekeepers are required to comply with the DMA by March 6, 2024.

Perhaps the most forward-looking legislation is the EU's Artificial Intelligence Act (AI Act).

The AI Act aims to promote responsible and ethical use of AI while ensuring that health, safety, and fundamental rights of EU citizens are respected. With a commitment to upholding democracy, the rule of law, and environmental protection, the AI Act also seeks to catalyze investment and innovation in AI across Europe.

The Regulation will apply to both private and public actors inside and outside the EU as long as the AI system is placed on the Union market, or its use affects people located in the EU.

The main idea is to regulate AI based on its capacity to cause harm to society, following a “risk-based” approach. Its risk-based classification system acknowledges the spectrum of potential benefits and harms embedded within AI technologies, tailoring regulatory requirements according to the potential societal harm posed by AI applications, with more stringent rules applied to "high-risk" AI. "High-risk" AI, such as that used in medical diagnosis or hiring processes, faces rigorous requirements designed to build trust in these systems. These include mitigating bias in datasets, ensuring transparency for users, and maintaining human oversight.

Despite apprehensions regarding potential innovation constraints, the overarching goal of the AI Act is to establish a framework for the ethical and responsible utilization of AI technologies.

These four regulatory pillars – GDPR, DMA, DSA, and the AI Act – demonstrate the EU's ambition to shape the future of the digital age. However, this does not mean businesses should view them in isolation. An effective privacy program must consider the data-sharing implications of the GDPR and DSA, while AI development projects need to factor in both privacy and content moderation obligations. Compliance in this environment is not a matter of simply ticking off a list of requirements. Companies must adopt a mindset of continuous adaptation, closely monitoring the evolving interpretation of regulations and their potential future expansion.

FLI’s extensive experience in privacy compliance positions us to offer holistic solutions that tackle the nuanced and interrelated challenges arising in the dynamic data privacy environment of today. We work closely with clients to guide them through the intricacies of data protection regulations, guaranteeing compliance with evolving standards while enhancing operational effectiveness. Our commitment extends beyond reactive compliance, emphasizing a robust privacy culture carefully integrated and nurtured within your business. If you would like to explore how FLI may support your organization domestically or in cross-border matters both within and outside of the EU, we invite you to get in touch with Daniel Casares-Lauritsen, FLI’s Chief Business Development Officer, at dcasares@first-law.com.


Daniel Casares-Lauritsen


Daniel has significant experience in advising clients’ corporate portfolios and optimizing multi-jurisdictional legal projects. His mission is to enhance clients’ leverage in complex multi-stakeholder deals through the power of FLI’s business model. He has also supervised the development and roll-out of FLI’s LegalTech Apps/PWAs, including FlightOne and FLInstitute in order to retain counsel in various jurisdictions, as well as promoting client co-creation and corporate compliance. These elements may include, but are not limited to: M&A, Entry/Expansions/Restructurings, VC/CVC/PE/Family Offices and Wealth Management, Compliance & Investigations, FDI, Import/Export Trade Regulations, Tax, Corporate Governance, and more.

Daniel regularly provides insights on industry trends, economic and legislative opportunities and threats, as well as strategic avenues for FLI accounts in conjunction with its subject-matter experts.

Copyright © 2024 First Law International
480 Avenue Louise, B-1050 Brussels, Belgium.
