Annual Review 2024 and Outlook for 2025
The year 2024 was marked by numerous developments in various privacy regulations. The privacy field remains dynamic and ever-evolving, adapting to new challenges in 2024.
Israel
The Israeli Parliament approved Amendment 13 to the Israeli Protection of Privacy Law-1981 (the “Privacy Law”), which will come into effect in August 2025. The amendment updates the Privacy Law to align more closely with the GDPR and similar frameworks.
A proposed amendment to the Israeli Class Actions Law aims to enable class action lawsuits for various privacy violations.
The Privacy Protection Authority (“PPA”) issued an opinion on extraterritorial transfers of personal data, stating that personal data can be transferred outside Israel if the recipient ensures adequate data security. The opinion relaxed certain prohibitions on further transfers by the recipient. The PPA clarified that the recipient’s security commitments need not match Israeli standards precisely—compliance with the GDPR or laws of another country with adequate protection is sufficient. The PPA also published guidelines on the transfer of database ownership, stating that such a transfer requires informing the affected data subjects and obtaining consent if the purpose of data usage is expanded or if the characteristics of the new database controller are substantially different from those of the old controller.
In 2025, we expect developments related to the implementation of the amended Privacy Law, likely accompanied by additional guidance from the PPA and potentially enforcement actions.
EU
In the past year, significant enforcement actions have been undertaken by various data protection authorities across Europe. France’s CNIL fined Orange €50 million for unlawfully displaying third-party ads in its email services and for placing cookies without obtaining consent. The Dutch AP imposed a fine of €4.75 million on Netflix for lacking sufficient transparency in its privacy notice regarding, among other things, Netflix’s processing, retention, and transfer of personal data. In addition, the Irish Data Protection Commission (“DPC”) fined LinkedIn €310 million for unlawful data processing practices related to behavioral analysis and targeted advertising. The legal bases LinkedIn relied upon for such processing (i.e. consent and performance of a contract) were found to be lacking. The Irish DPC also issued a €251 million fine to Meta, triggered by a data breach affecting millions, due to its violation of its obligations concerning data breaches under the GDPR.
The Court of Justice of the European Union (“CJEU”) issued a ruling clarifying that a data controller’s commercial interest can qualify as a legitimate interest. The CJEU highlighted, however, that data processing for commercial interests must meet specific criteria such as necessity, transparency, and a balancing test to ensure that the rights of data subjects are not compromised. This ruling challenges the Dutch DPA’s previous stance, which limits the use of legitimate interest as a legal basis for data scraping to interests grounded in law, rather than purely commercial interests. Following this CJEU decision, the Dutch DPA announced its intention to revise its opinion on data scraping.
The European Data Protection Board (“EDPB”) published Guidelines on the legal basis of legitimate interest, providing practical advice on conducting legitimate interest assessments and ensuring compliance with data subject rights. These Guidelines also include specific examples of how to apply legitimate interests in areas such as fraud prevention, direct marketing, and network security. Additionally, the EDPB published an Opinion addressing the obligations of controllers when using processors and subprocessors, detailing, among other things, what should be included in their agreements. It highlights essential contract clauses and the necessity for controllers to periodically review agreements and to ensure the guarantees of (sub)processors are sufficient.
In 2025, we expect to continue seeing significant enforcement actions and the issuance of guidelines clarifying the application of the GDPR. Specifically, in addition to the EDPB opinion on AI Models, we expect more clarifications related to AI, such as the applicability of the legal basis of legitimate interest, the legality of data scraping, and efforts to align the GDPR with the EU AI Act.
US
The FTC introduced the “click-to-cancel” rule, which mandates that sellers make the cancellation process as straightforward as the subscription process to their services. This rule aims to eliminate deceptive practices that complicate termination, ensuring that opting out is as simple as signing up.
In 2025, several new state privacy laws in the United States are expected to take effect. Additionally, following the introduction of the draft American Privacy Rights Act in the House of Representatives, which aims to consolidate state privacy laws into a unified federal framework, there may be further developments at the federal level.
___________________
This publication is provided as a service to our clients and colleagues, with explicit clarification that each specific case requires individual examination and discussion in writing.
The information presented here is of a general nature and is not intended to answer the unique circumstances of any individual or entity. Although we strive to provide accurate and available information, we cannot guarantee the accuracy of the information on the day it is received, nor that the information will continue to be accurate in the future. Do not act on the information presented without appropriate professional advice after a comprehensive and thorough examination of the specific situation.