EDPB Annual Report 2024: GDPR Enforcement, AI & Key Data Protection Insights
📌 Key Takeaways
- Consent or Pay under scrutiny — Large online platforms offering only “consent to data processing or pay” will, in most cases, fail to meet GDPR valid consent requirements.
- AI models and personal data — AI models trained on personal data cannot automatically be considered anonymous; legitimate interest can serve as legal basis under a three-step test.
- 28 consistency opinions — The EDPB adopted 28 opinions in 2024, with a sharp increase in Art. 64(2) opinions addressing cross-border and systemic data protection issues.
- Facial recognition limits — Only solutions storing biometric data in individuals’ hands or with encryption keys controlled by individuals may comply with GDPR requirements.
- Expanding DPA roles — Data Protection Authorities gain new responsibilities under the AI Act, DMA, DSA, and Data Act, requiring enhanced cross-regulatory cooperation.
EDPB Annual Report 2024 Overview
The EDPB Annual Report 2024, titled “Protecting Personal Data in a Changing Landscape,” documents a pivotal year for the European Data Protection Board as it navigated an increasingly complex regulatory environment. Published in early 2025, the report provides a comprehensive overview of the Board’s activities, opinions, enforcement actions, and strategic direction during a year marked by significant legislative developments across the European Union.
Under the leadership of Chair Anu Talus, the EDPB demonstrated its evolving role as not just a GDPR enforcer but a central node in the EU’s broader digital governance framework. The year 2024 marked the first time since 2020 that the EDPB did not adopt any Art. 65 binding decisions, while simultaneously seeing a sharp increase in Art. 64(2) consistency opinion requests — signaling a shift toward proactive guidance rather than reactive dispute resolution.
The EDPB Secretariat’s operational scale grew substantially: over 530 meetings organized (up from 360 in 2023), 4,200+ IT assistance requests managed (up from 3,400), and 5,644 IMI system procedures facilitated. The EDPB website received 329,432 visits, with guidelines, opinions, and binding decisions among the most accessed content. For organizations operating in the EU, this report is essential reading for understanding how data protection enforcement is evolving alongside new digital regulations.

The EDPB 2024-2027 Strategy and New Priorities
In April 2024, the EDPB adopted its landmark 2024-2027 Strategy, providing a comprehensive roadmap structured around four strategic pillars that will guide data protection activities across Europe for the coming years.
Pillar 1: Advancing Harmonisation and Promoting Compliance focuses on ensuring consistent and effective application of data protection laws across all EU member states. This includes developing concise, practical, and accessible guidance — with particular attention to vulnerable data subjects such as children and tools for non-expert audiences including SMEs.
Pillar 2: Reinforcing a Common Enforcement Culture aims to strengthen collaboration among DPAs for complex cross-border cases. Building on the commitments made in the Vienna Statement on enforcement cooperation, this pillar anticipates opportunities arising from the future Regulation on GDPR procedural rules.
Pillar 3: Addressing Technological Challenges emphasizes a human-centric approach to emerging technologies, monitoring and assessing new technologies while safeguarding fundamental rights. This pillar is particularly relevant given the rapid advancement of AI, biometric systems, and IoT technologies.
Pillar 4: Enhancing the EDPB’s Global Role promotes international dialogue on privacy and data protection, focusing on cooperation between EU and non-EU enforcement authorities. The EDPB’s first meeting with DPAs from countries with adequacy decisions took place in 2024, marking a new chapter in global data protection cooperation.
Consistency Opinions and GDPR Harmonisation
The EDPB annual report documents a robust consistency opinion mechanism, with 28 opinions adopted in 2024 — 20 under Art. 64(1) and 8 under Art. 64(2) GDPR. Since its establishment in 2018, the Board has issued a total of 188 Art. 64(1) opinions, demonstrating the sustained importance of this harmonisation tool.
Art. 64(1) opinions cover six categories of DPA measures requiring consistency review: Data Protection Impact Assessment (DPIA) lists, draft codes of conduct, certification body accreditation, standard contractual clauses for international transfers, custom contractual clause authorisations, and Binding Corporate Rules (BCRs) approvals. The 28 opinions adopted in 2024 broke down as 15 BCR opinions, 4 on accreditation requirements for certification bodies, 8 Art. 64(2) opinions, and 1 on code of conduct monitoring body accreditation.
The most significant development was the sharp increase in Art. 64(2) opinions — opinions on matters of general application or with cross-border effects. These addressed some of the most contentious data protection issues of the year: the validity of “consent or pay” models, the notion of main establishment, facial recognition at airports, processor obligations, Article 48 GDPR and third-country data requests, legitimate interest guidelines, and AI model data protection aspects. This increase reflects the EDPB’s growing role as a proactive guidance body addressing systemic challenges in the digital governance landscape.
Consent or Pay: The EDPB’s Landmark Opinion
Perhaps the most impactful opinion of 2024, Opinion 08/2024 on “Consent or Pay” models deployed by large online platforms, directly challenges the business models of major tech companies. Requested by the Dutch, Norwegian, and German (Hamburg) DPAs, this opinion examines whether consent is truly “freely given” when users face a binary choice between allowing data processing for behavioural advertising or paying a fee.
The EDPB’s conclusion is unequivocal: in most cases, large online platforms cannot comply with valid consent requirements by offering only these two options. The Board identified three primary issues undermining consent validity in these models:
- Imbalance of power: Large platforms hold dominant market positions, limiting users’ ability to reject consent without significant detriment. The CJEU’s Bundeskartellamt case (C-252/21) confirmed that a platform’s dominance can hinder genuine choice.
- Detriment to users: If users are excluded from important services or social interactions due to non-consent, or if fees are prohibitively high, the choice is not truly free.
- Lack of genuine alternatives: Platforms must offer an “equivalent alternative” — such as contextual advertising that requires minimal data collection — rather than forcing a stark binary choice.
The EDPB recommends that platforms offer a free version without behavioural advertising (using contextual ads instead), ensure any fee is proportionate and does not discourage exercising data rights, provide granular consent options, and maintain full transparency about data collection and its implications. The opinion acknowledged cross-regulatory collaboration with competition and consumer protection regulators, signaling a more integrated approach to platform regulation.

AI Models and EDPB Data Protection Guidance
On December 18, 2024, the EDPB adopted Opinion 28/2024 addressing data protection aspects of AI model training and deployment — one of the most anticipated guidance documents of the year. Requested by the Irish DPA, this opinion tackles three fundamental questions at the intersection of artificial intelligence and personal data protection.
First, regarding anonymity of AI models: the EDPB established that AI models trained on personal data cannot automatically be considered anonymous. Claims of anonymity require case-by-case DPA assessment, examining whether personal data can be directly extracted or obtained through queries, considering all “reasonably likely means” of identification. The opinion provides a non-prescriptive list of methods controllers may use to demonstrate anonymity.
Second, on legitimate interest as a legal basis for AI training: the EDPB confirms there is no hierarchy among GDPR legal bases and that legitimate interest can apply to AI model development under strict conditions. The opinion outlines a three-step test: (1) identifying a specific, lawful, and present legitimate interest; (2) demonstrating the necessity of data processing; and (3) a balancing test ensuring interests don’t override individuals’ fundamental rights. Practical examples include fraud detection and cybersecurity applications.
Third, regarding impact of unlawful processing: when an AI model is developed using unlawfully processed personal data, this may affect the lawfulness of its subsequent deployment — unless the model has been duly anonymized. This provision creates significant accountability for AI developers who must ensure lawful data practices throughout the entire development pipeline.

Facial Recognition at Airports: Biometric Data Limits
In May 2024, the EDPB issued Opinion 11/2024 on the use of facial recognition technologies by airports and airlines to streamline passenger flow, requested by the French DPA amid increasing biometric system deployments across major EU airports.
The opinion establishes critical boundaries for biometric data processing. Where no legal requirement exists to verify passenger identity with official documents, no biometric verification should be performed — as this would constitute excessive data processing. Only passengers who actively enrol and consent should have their biometric data processed.
The EDPB evaluated four different storage solutions for biometric data, reaching a clear conclusion: only two storage solutions are potentially GDPR-compatible. These are solutions where biometric data is stored (1) in the hands of the individual (e.g., on a personal device) or (2) in a central database but with encryption keys solely in the individual’s control. Centralised storage solutions — whether within the airport or in the cloud — without individual-controlled encryption keys were found incompatible with data protection by design and default requirements and security of processing obligations.
This opinion has significant implications for the travel industry’s technology adoption strategies, effectively ruling out most current centralised biometric systems and requiring fundamental redesigns to maintain individual control over sensitive biometric data.
Processors, Sub-Processors and Controller Accountability
The EDPB’s Opinion 22/2024, adopted in October and requested by the Danish DPA, provides crucial clarity on controller obligations when engaging processors and sub-processors under Art. 28 GDPR. This opinion addresses practical questions that have caused significant uncertainty in the market.
Key determinations include: controllers must have identity information (name, address, contact person) for all processors and sub-processors readily available at all times. The verification obligation applies regardless of risk level, though the extent of verification may vary based on processing risks. While initial processors should propose sub-processors with sufficient guarantees, the ultimate decision and responsibility remain with the controller.
Importantly, the EDPB ruled that controllers do not have a systematic duty to request sub-processing contracts. However, for high-risk processing, controllers should increase their verification level. For international data transfers between sub-processors, the data processor as exporter should prepare transfer documentation, but the controller must assess this documentation and demonstrate compliance to DPAs.
On contractual wording, the opinion provides welcome flexibility: including Art. 28(3)(a) GDPR terms verbatim is “highly recommended but not mandatory,” and variants addressing broader legal requirements remain within contractual freedom. However, for data transferred outside the EEA, broader variants alone are unlikely to achieve Chapter V compliance.
Cross-Border Enforcement and DPA Cooperation
The EDPB annual report documents significant enforcement cooperation activities across the EU’s network of Data Protection Authorities. In February 2024, the EDPB launched a Coordinated Enforcement action on the right of access, following a similar successful action in 2023 that examined the role of Data Protection Officers across the EU.

The Internal Market Information (IMI) system facilitated over 5,644 cooperation procedures during the year, with the Secretariat handling 907 IMI support requests. The EDPB HUB, the primary internal communication platform, experienced substantial growth: 12,307 content pieces created (64% increase), 2,372 new pages (59% rise), and 8,217 documents (72% growth). The user base exceeded 1,500 members, a 7% increase.
National enforcement actions documented in the report span 29 countries, covering issues from unlawful data processing and insufficient security measures to violations of data subject rights and international transfer breaches. Major cases involved technology platforms, financial institutions, healthcare providers, and government agencies. The report’s Case Digest section provides analysis of key national cases, offering valuable precedents for organizations across the EU.
The EDPB was also active in litigation, involved as a main party in 13 cases before the CJEU — including multiple applications for annulment against binding decisions. Most notably, several cases involved Meta Platforms Ireland, WhatsApp Ireland, and TikTok Technology, highlighting the ongoing tension between major tech platforms and EU data protection enforcement.
The Expanding Regulatory Landscape
A defining theme of the EDPB annual report is the rapid expansion of DPA responsibilities beyond traditional GDPR enforcement. New EU digital legislation has created a multi-layered regulatory framework that significantly expands the Board’s scope and DPA mandates.
Under the AI Act, DPAs (or authorities meeting equivalent independence requirements) are designated as Market Surveillance Authorities for certain high-risk AI systems. The EDPB met with the EU AI Office before adopting its opinion on AI models, establishing a precedent for cross-regulatory consultation. Statement 3/2024 explicitly recommended that DPAs should be designated as MSAs for high-risk AI systems, leveraging their enforcement experience.
As a member of the DMA High-Level Group, the EDPB provides critical guidance to the European Commission, fostering cohesion between data protection and sectoral regulation. Through the European Board for Digital Services, the EDPB contributes to overseeing large online platforms and search engines, including participating in the Age Verification Taskforce. The European Data Innovation Board membership enables EDPB input on data sharing initiatives and European data spaces.
Six legislative statements adopted in 2024 demonstrate the EDPB’s proactive engagement: addressing child sexual abuse regulation (emphasizing privacy in encryption), the financial data access package (PSR/PSD3/FIDA), the AI Act framework, GDPR procedural rules, and law enforcement data access recommendations. Each statement balances the Board’s commitment to fundamental rights protection with pragmatic recognition of legitimate policy objectives.
Key Takeaways for Organizations from the EDPB Annual Report
The EDPB Annual Report 2024 carries profound practical implications for organizations operating in the European Union. Here are the critical action points organizations should prioritize based on the report’s findings.
Review consent mechanisms immediately. The consent-or-pay opinion signals that platforms relying on binary consent/payment models face significant compliance risk. Organizations should explore offering contextual advertising alternatives, ensure consent granularity, and document that fees are proportionate and don’t coerce consent.
AI model development requires GDPR integration from day one. The AI models opinion makes clear that unlawful data processing during development can taint the model’s entire lifecycle. Organizations developing AI must implement privacy-by-design throughout the training pipeline, document anonymization measures, and prepare legitimate interest assessments with the three-step test framework.
Audit your processor and sub-processor relationships. Opinion 22/2024 clarifies that controllers must maintain identity information for all processors and sub-processors and increase verification for high-risk processing. Review your current contracts and ensure your organization can demonstrate compliance.
Reassess biometric deployments. If your organization uses facial recognition or other biometric systems, the EDPB’s stringent storage requirements — limiting acceptable solutions to individual-controlled storage — may require significant infrastructure changes.
Prepare for expanded DPA oversight. With DPAs gaining new roles under the AI Act, DMA, DSA, and Data Act, organizations should expect more integrated enforcement across regulatory domains. Building relationships with relevant DPAs and establishing cross-functional compliance teams will be essential. For more on navigating data governance, see our analysis of the EU Data Governance Act.
Frequently Asked Questions
What are the key highlights of the EDPB Annual Report 2024?
The EDPB Annual Report 2024 highlights include the adoption of the 2024-2027 Strategy, eight Art. 64(2) consistency opinions on critical topics (consent or pay, facial recognition, AI models, processors/sub-processors), expanded cross-regulatory roles under the AI Act, DMA, and DSA, enhanced enforcement cooperation among 30+ DPAs, and the first year since 2020 with no Art. 65 binding decisions.
What did the EDPB decide about consent or pay models?
In Opinion 08/2024, the EDPB concluded that large online platforms offering only “consent to data processing or pay a fee” choices will, in most cases, fail to obtain valid consent under the GDPR. The Board recommends platforms offer free alternatives without behavioural advertising (such as contextual ads), ensure fees are proportionate, provide granular consent options, and maintain full transparency about data processing implications.
How does the EDPB address AI and data protection?
In Opinion 28/2024, the EDPB addressed three key AI data protection issues: (1) AI models trained on personal data cannot automatically be considered anonymous and require case-by-case DPA assessment; (2) legitimate interest can serve as a legal basis for AI model training under a three-step test; (3) unlawful data processing during model development can affect the lawfulness of subsequent deployment unless the model is properly anonymized.
What is the EDPB’s 2024-2027 Strategy?
The EDPB 2024-2027 Strategy is structured around four pillars: advancing harmonisation and promoting GDPR compliance, reinforcing a common enforcement culture among DPAs, addressing technological challenges with a human-centric approach, and enhancing the EDPB’s global role in promoting high data protection standards worldwide. Key actions include practical guidance development, stakeholder engagement, enforcement strengthening, and cross-regulatory cooperation.