EDRi’s 2024 in Review

Spyware scandals mounted – but lawmakers failed to act

Just like the year before it, 2024 saw the unlawful use of spyware against politicians, journalists and human rights defenders continue to mount. In February, shocking news broke that Members of the European Parliament had been targeted with spyware, catalysing hopes that EU lawmakers might finally be taking this issue seriously. But despite the huge threat that these practices pose to democracy, most lawmakers were nonplussed.

Disappointingly the year ended not dissimilarly from how it started, with a shocking new report from EDRi observer Amnesty International published in December, in collaboration with our members SHARE Foundation and Access Now, on the use of spyware against journalists and human rights activists in Serbia. The prolific use of these tools by governments throughout the year showed why the EU must ban spyware – a demand that EDRi will continue to raise in 2025.

Platforms, data protection and Big Tech competition enforcement ramped up

Whilst the Digital Services Act (DSA) and Digital Markets Act (DMA) were adopted in 2022, this year we’ve started to see some action around enforcement. Early in 2024, EDRi spoke out about Big Tech companies’ deliberate circumvention of these new laws and the changes we want to see.

Thanks to a complaints by EDRi, our member GFF, and partners, we saw successes such as LinkedIn making a change to their targeting of adverts on the basis of people’s sensitive data. We also called on the Commission to take action against Apple for their breach of the DMA, and our member Bits of Freedom launched a campaign to help people claim their rights under the DSA.

At the same time, the enforcement push wasa double-edged sword. EDRi, along with our partners and allies, spoke out about the risks to privacy, data protection and free expression entailed by the growing use of age verification tools. Many platforms were turning to these often disproportionately intrusive and ineffective technologies in an attempt to show their compliance with the DSA. We highlighted this in our submission to the DSA’s autumn consultation on the protection of minors online – calling on decision-makers to prioritise empowerment over exclusion.

EDRi also submitted a critical response to the Irish Media Regulator’s draft Online Safety Code early in the year, warning that it was failing to address the risks and threats posed by age verification tools. Their final Code, adopted in autumn, made several major improvements – showing that responding to such consultations can lead to meaningful change.

However, many lawmakers continued to see quick fixes like age verification or smartphone bans as a silver bullet for complex online harms. We expect these questions of how to ensure online safety to become even bigger of a digital rights question in 2025.

Data protection: ‘Pay or Okay’ was not okay

Another digital rights issue that burned bright throughout 2024 was the ‘Pay or Okay’ saga – which saw Meta charging people in order to avoid being hyper-targeted online with potentially discriminatory and manipulative advertising.

EDRi spoke out against this Faustian bargain, and advocated for the European Data Protection Board (EDPB’s) decision on the issue to properly take into account people’s right to data protection.

With the General Data Protection Regulation (GDPR) remaining a cornerstone of our digital rights – but companies continuing to abuse our personal data – we welcomed the draft Procedural rules to improve enforcement. EDRi published our position paper on the file, and advocated for better information and clearer deadlines for those pursuing complaints. We also spoke out against a new decision by the European Commission which granted ‘adequate’ data protection status to Israel despite serious threats to fundamental rights and the rule of law.

New Artificial intelligence rules paved the way for more harms and biometric mass surveillance

The long-awaited Artificial Intelligence (AI) Act was finally passed in summer 2024. Whilst the final act made only modest steps towards human rights protections, it also laid the path for grave human rights violations. We are concerned about the lack of accountability and opacity of public sector use, and that even ‘simple’ systems can cause devastating harms.

Some biometric mass surveillance practices were prohibited, but enormous gaps were left for the use of these same tools at borders. Member States built in a get-out-of-jail-free card by allowing themselves to circumvent any bans by invoking national security claims. And the practice of ‘real-time remote biometric identification in publicly accessible spaces’ (think live facial recognition in parks, streets and squares) was not just not banned – but instead, the AI Act laid out steps for how to legalise it. That’s why in May, we published a guide to help civil society fight back. In the spring, our Reclaim Your Face campaign was recognised with the EU AI policy leader award.

The AI Act’s watery bans will enter into force in February 2025 – and several countries are already getting ready, with governments like Belgium already preparing to implement biometric mass surveillance.

As the Draghi report advocates for massive public and private investment in AI – and that AI is seen as the way to economic recovery – we will continue to raise the alarm on current AI harms for people and the environment.

Europe’s deadly digital borders were reinforced

The EU’s creeping surveillance machine was particularly present in the field of borders and migration in 2024. Following a disappointing and discriminatory lack of protections for people on the move in the EU AI Act, the EU’s securitisation agenda took several next steps including the Facilitators Package, the proliferation of dehumanising border tech as documented by our member Access Now, and the new “travel app” proposal.

EU Member States also called for a new ‘Return Directive’ to be put forward, threatening to further criminalise undocumented people when reporting crimes, and undertook a deeply harmful EURODAC reform. EDRi spoke out against these developments, and published a document pool to inform people about the problems entailed by the expansion of Europol.

At least it wasn’t all bad news for all things border tech. In April, the Greek data protection authority issued a record-breaking fine against the government for its illegal digital surveillance.

Law enforcement showed their true colours

Borders weren’t the only space where harmful, invasive and disproportionate ‘solutions’ were put forward in the name of security. In 2024, the European Commission’s ‘High Level Group on Access to Data for Law Enforcement’ – initially calling themselves the group on ‘Going Dark’ – released their 42 recommendations.

Their wishlist included mass surveillance of people’s private communications and measures to break encryption under the euphemism “lawful access”. Aside from them making deeply problematic recommendations, EDRi also called out the procedural failings surrounding this group and which cast serious doubts over its legitimacy.

We stayed safe from Chat Control – for now

What happened to the controversial EU CSA Regulation – often referred to as ‘chat control’ – in 2024? The simple answer is: nothing! And that’s good news for digital human rights defenders.

Despite a big push from the Belgian Presidency in the first half of the year, and devious tactics by the Hungarian Presidency in the second half, the chat control block remained. Dutch intelligence agencies even spoke out against the law, warning that chat control constitutes a threat to national security.

In December, digital rights advocates were given an early Christmas present when ten EU Member State governments made it clear that the law cannot progress until mass surveillance is ruled out, and end-to-end encryption protected. The future of this law is unclear, and in 2025, we hope that Eu institutions will seek solutions that will keep children safe whilst also respecting fundamental rights and technical feasibility.

A new Parliament and Commission took office

2024 saw the most far-right European Parliament ever elected. There was also a new crop of European Commissioners appointed to oversee the EU’s laws and policies – and EDRi was vocal about what we want them to put on their agenda for the next five years.

During and since the elections, we saw the culmination of narratives that turned to “competitiveness”, “strategic autonomy” and “digital sovereignty”. We witnessed growing attacks on important privacy and data protection legislation – with laws that protect our digital rights branded “red tape”. But we remained firm in our vision for digital human rights, reminding policy-makers that the EU can only innovate if people’s privacy, data, free expression and non-discrimination rights are protected.

In the autumn, together with over forty other civil society organisations, EDRi welcomed new decision-makers with the first-ever Tech and Society Summit. This was a landmark event to challenge the plethora of corporate summits with one that truly centered people, planet and democracy. This Summit sets the tone for the work we’ll be doing in 2025.

Want more?

Read more about everything we did in 2024 at the resources page on our website, and helps us keep protecting digital rights in 2025 by making a donation to EDRi’s work.