2024 in Data Protection

Germany

This article looks back at the developments in data protection law in 2024 and ventures a look ahead to what is coming in 2025.

From the perspective of data protection, 2024 was defined by important decisions by the CJEU and the German Federal Court of Justice, as well as other relevant topics such as artificial intelligence (AI). With 2025 now upon us, the entry into effect of important regulations such as the Data Act and the AI Act is just around the corner: some standards from the AI Act apply from February and August 2025, and many parts of the Data Act will then apply from 21 September 2025.

AI remains one of the most talked-about topics – including in data protection

AI was one of the most talked-about topics of the past year, including, as expected, from a data protection perspective. Data protection authorities are concerned with the use of AI in enterprises and are drawing attention to data protection issues in this context. For example, the Data Protection Conference (DSK) published a guide to AI and data protection in 2024. The guide is meant to provide enterprises, authorities and other organisations with guidelines for selecting, implementing and using AI applications. The Data Protection Conference (DSK) also made its first comments on generative AI models such as large language models (LLMs).

In January 2024, the Bavarian State Office for Data Protection Supervision (BayLDA) published a checklist on the topic of AI and data protection ("Datenschutzkonforme KI – Checkliste mit Prüfkriterien nach DSGVO"), which is meant to provide assistance with the data protection-compliant development and use of AI. The focus of the Bavarian State Office for Data Protection Supervision (BayLDA) here is on training AI models and risk assessment in the context of the GDPR. In July 2024, the Baden-Württemberg Commissioner for Data Protection and Freedom of Information (LfDI) also rolled out the AI & Data Protection Guide and Navigator (ONKIDA), which provides an overview of various materials on AI and data protection. In addition, the Lower Saxony Commissioner for Data Protection has set up a specialist team to monitor the dissemination and use of AI under data protection law and ensure that AI is used in accordance with data protection law. As a competence centre, the specialist team will be expected to answer questions and work together with authorities, academia and private and public-sector bodies. Another key task that the specialist team has been set is to raise awareness of the risks associated with using AI among these institutions.

The topic of AI has also been addressed in Hamburg: In June 2024, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) published a position paper on the topic of data protection for job applicants and recruiting with reference to AI and digitalisation. The reason for the position paper was the decision of the CJEU dated 30 March 2023 in case C-34/21 and the subsequent discussion surrounding section 26 (1) German Federal Data Protection Act (BDSG). The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) points out that a large amount of sensitive data is generated during the application process. The Hamburg Commissioner also provides information on the use of AI-based systems in the recruitment process. In mid-July 2024, the Hamburg Commissioner also presented three theses on personal references in large language models (LLMs):

  • Simply storing an LLM without any personal data does not constitute processing within the meaning of Article 4 (2) GDPR. Processing operations in an AI system based on an LLM, and in particular their output, only need to be adapted to the requirements of the GDPR if personal data are processed. 
  • Data subject rights such as the right of access, to erasure or to rectification can relate to the input and output of an AI system, but not to the model itself.
  • If LLMs are trained with personal data, there is an obligation to design them in compliance with data protection provisions and to safeguard the rights of data subjects. The legality of using an LLM in an AI system remains unaffected by data breaches during its training.

You can find out more about AI and data protection here: Using AI and responsibility for data privacy.

North Rhine-Westphalia Commissioner's revised legal opinion on private email and internet use

AI is not the only topic that data protection authorities have been tackling. The North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW) caused a stir in data protection law when it presented its activity report for 2023 this year, with one topic in particular: according to the report, the North Rhine-Westphalia Commissioner for Data Protection and Freedom of Information (LDI NRW) does not consider employers who permit or tolerate private internet and email usage at work to be bound by telecommunications secrecy, contrary to the previous assessment of the data protection authorities. Therefore, they are not potential addressees of section 206 German Criminal Code (StGB). The assertion that the employer could be liable to prosecution for a breach of telecommunications secrecy if it inspects business email inboxes has therefore been dropped. Another consequence of this assessment would be that the employer would no longer have to rely on the employee's consent to access data. The GDPR alone would then apply for this purpose. The commissioner recommends including explicit provisions in the employment contract.

Enforcement tracking: GDPR fines in 2024

One perennial issue in data protection law every year is GDPR fines, which can be up to EUR 20 million or 4 % of an enterprise's global annual turnover. According to the latest edition of our Enforcement Tracker Report, a total of 2,086 fines were imposed in the period under review and recorded in the CMS Enforcement Tracker. The total fines issued amount to around EUR 4.48 billion, while the average fine across all countries was approximately EUR 2.14 million.

The issue of GDPR fines also continues to occupy the courts. After the CJEU ruled on 5 December 2023 (C-807/21) that the fines provided for in Article 83 GDPR can be imposed directly on legal persons provided that they are to be classified as data controllers, the Third Senate for Fines of Berlin Higher Regional Court, which heard the case, referred the fine proceedings back to the Regional Court in its decision dated 22 January 2024. These proceedings concern a GDPR fine of EUR 14.5 million and whether the addressee of the decision must pay it.

Latest news from the CJEU on the GDPR

In 2024, the CJEU published a whole series of judgments related to data protection. Among them, the CJEU handed down its judgment in case C-757/22 on 11 July 2024. In the same case, the CJEU had already ruled in the spring of 2022 (C-319/20) that an action brought by consumer protection associations is admissible even if there is no specific mandate from a consumer. However, the German Federal Court of Justice referred another question to the CJEU towards the end of 2022 with its decision dated 10 November 2022 (I ZR 186/17), this time concerning the condition "as a result of the processing" under Article 80 (2) GDPR. In this regard, the German Federal Court of Justice wanted to know whether an infringement of law is asserted "as a result of the processing" if a consumer protection association bases an action on the fact that the rights of a data subject have been infringed by non-fulfilment of the obligations under Article 12 (1) sentence 1 and Article 13 (1) (c) and (e) GDPR. The CJEU came to the conclusion that consumer protection associations can assert claims for infringement of these information obligations. The German Federal Court of Justice heard the case on 19 December 2024 and will hand down its decision on 27 March 2025.

In case C-21/23, the CJEU also delivered its judgment in October 2024 on the legal standing of competitors in the event of GDPR infringements. One of the key issues in these proceedings is whether infringements of data protection law can be asserted by competitors of the controller under the GDPR via the provisions of the German Unfair Competition Act (UWG) instead of by data subjects as parties authorised to bring an action. The Court of Justice has ruled that EU Member States may grant competitors of an alleged infringer of personal data provisions the opportunity to challenge their infringement in court as a prohibited unfair business practice. A competitor of a pharmacist with a mail-order licence had brought an action, claiming that the pharmacist was in breach of the GDPR. The CJEU also confirmed that data concerning health within the meaning of Article 9 (1) GDPR are transmitted when ordering non-prescription but pharmacy-only medicines via an online platform.

In 2024, the CJEU issued several rulings on the relevant data protection compensation standard of Article 82 GDPR in referral proceedings. We offer an overview of this on our blog: Latest news from the CJEU on GDPR compensation.

German Federal Court of Justice rules on Article 82 GDPR

However, the CJEU was not alone in dealing with the issue of GDPR compensation last year. Firstly, the local, regional and higher regional courts had to rule in a large number of proceedings on claims for compensation under Article 82 GDPR, most of which were dismissed; claims this year have concerned in particular the disclosure of positive data by telecommunications companies to a credit agency and the social media scraping cases. You can find a table with an overview of the case law on Article 82 GDPR on our blog: GDPR compensation: Overview of current rulings and developments (continuously updated)

One of the scraping cases became the German Federal Court of Justice's first leading decision procedure. In its judgment dated 18 November 2024, the German Federal Court of Justice ruled for the first time on key issues relating to claims for compensation under Article 82 GDPR. With reference to the case law of the CJEU, the German Federal Court of Justice states that even a mere temporary loss of control over personal data as a result of a GDPR infringement can constitute non-material damage. It further states that the data subject does not need to prove any specific misuse of these data to the detriment of the data subject or any other additional noticeable negative consequences for there to be a claim for compensation. According to the German Federal Court of Justice, the amount for compensation could be set at EUR 100. It remains to be seen how the competent courts will deal with the German Federal Court of Justice decision. Hamm Higher Regional Court has already dismissed the claims of the data subjects in several proceedings (judgment dated 29 November 2024 – 25 U 25/24; judgment dated 26 November 2024 – 25 U 12/24 and others), while Dresden Higher Regional Court implemented the German Federal Court of Justice's requirements and awarded EUR 100 in compensation (judgment dated 10 December 2024 – 4 U 808/24). An increase in consumer complaints regarding data protection can therefore be expected. However, GDPR compensation is just one of the topics that will continue to gain in importance in 2025.

EDPB: Strategy for the coming years and 2025 Coordinated Action

The European Data Protection Board (EDPB) is also looking to the future and in April 2024 it adopted its strategy for 2024 to 2027. This strategy explains the priorities and most important measures for achieving each of the goals it has set. These goals are enhancing harmonisation and promoting compliance with data protection legislation, reinforcing a common enforcement culture and effective cooperation, safeguarding data protection in the developing digital and cross-regulatory landscape and contributing to the global dialogue on data protection. The EDPB identifies platform regulation through the Digital Markets Act (DMA) and the Digital Services Act (DSA) as well as the spread of AI as three of the top issues.

In October 2024, the EDPB also announced the topic for the next Coordinated Action of Data Protection Authorities. In 2025, this will focus on the implementation of the "right to be forgotten", i.e. the right to erasure in accordance with Article 17 GDPR, by the data controllers. As part of the action, the processes set up by the data controllers will be analysed and compared. The aim is to identify the biggest problems controllers face in complying with the law and to gain an overview of best practices. The action will start in the first half of 2025. In the previous year, one of the focuses of the supervisory authorities' Coordinated Actions was the right of access under Article 15 GDPR.

In 2025, besides the topics mentioned above that stakeholders are used to, many other topics will become relevant to data protection. It is also important to keep an eye on the impact of the election result in the USA on data protection issues such as the US adequacy decision as well as the developments in data protection in Germany in the next legislative period (e.g. the German Employee Data Act). In December 2024, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) presented a data protection policy agenda for the 21st legislative period. Its focus is on topics including legal certainty for the training and use of AI systems, digitalisation in the healthcare sector and cyber security.

The future will be shaped by the interactions between current issues such as AI, virtual worlds, data usage and data (protection) law. The year 2025 promises to be just as exciting in this respect. You can stay up to date by subscribing to our blog and our newsletter.