Click on the links below to read more:

• UK data reform: where is the data reform bill up to and how will it affect businesses?
• AI: what impact will the EU AI Act have and what (if any) changes will we see in the UK?
• International data transfers: what is the latest position and what changes are expected?
• Cookies, behavioural advertising and cybersecurity
• Finally, a look forward, what actions you need to take in 2024

---

Looking back: what happened in data protection law in 2023?

Looking forward: what do we need to do in 2024?

UK Data Reform

The Data Protection and Digital Information Bill is currently expected to come into force in spring 2024. Most of the changes are intended to make it easier to comply with UK data protection law. However, organisations caught by the territorial scope of the EU GDPR will need to continue to comply with its rules.

While it is not yet definite that the Bill will become law in its current form, some of its provisions will change compliance requirements. For example:

• The replacement of the requirement to appoint a data protection officer (DPO) with a senior responsible individual (SRI) is not merely a change of title; the SRI must be a member of senior management, which is not currently a requirement for DPOs.
• If a controller refuses a subject access request (SAR) on basis that it is vexatious or excessive, it is for the controller to show that this is the case.
• In relation to automated decision-making, the controller must explain the reasons for the processing.
• Amendments to the Bill introduced in November 2023 give the government the power to require financial institutions to provide information about the accounts of benefit recipients.

The Bill received its second reading in the House of Lords on 19 December 2023 and will now proceed to committee stage. Some members of the House of Lords expressed concerns about the Bill, including its impact on the UK's adequacy decision and the government's power to require information about benefits recipients' bank accounts, and indicated that the Bill would receive thorough scrutiny in its committee stage. 

If your organisation needs to comply with data protection law in the UK and the EEA, it should consider how best to achieve this.

Actions:

• Organisations should continue to monitor the Bill's progress and plan for changes that they may need to make.

• If your organisation needs to comply with data protection law in the UK and the EEA, it should consider how best to achieve this.

---

AI

UK 

The UK government has stated that it does not intend to introduce AI-specific legislation at this time, UK organisations must use AI systems in compliance with existing laws and guidance, including the UK GDPR and the AI guidance issued by the ICO. 

A private members' bill to introduce AI regulation has been introduced in the House of Lords, but this is not expected to become law.

At the time of writing, the government has not yet published its response to its AI white paper, although it had indicated that it would do so by the end of 2023.

Action: 

UK organisations must use AI systems in compliance with existing laws and guidance, including the UK GDPR and the AI guidance issued by the ICO.

EU

On 8 December 2023 the EU institutions reached political agreement on the EU AI Act, although the agreed text still needs to be finalised and published, which is not expected to take place until late January/February 2024. It has been reported that a number of member states are seeking to make changes to the position agreed in December 2023, so the Act's final form remains uncertain.

The Act (as agreed in December 2023) will introduce a risk-based approach where:

• AI systems presenting only limited risk will be subject to light transparency obligations;
• AI systems classified as high risk due to their significant potential harm to health, safety, fundamental rights, environment, democracy or the rule of law will be subject to stringent requirements, including a mandatory fundamental rights impact assessment; 
• uses of AI deemed to present an unacceptable risk, including untargeted scraping of facial images and emotion recognition in the workplace, will be banned; and
• general purpose AI models e.g. large generative AI models will be regulated.

The Act provides for fines of up to 7% of global revenue or EUR35 million.

Once the finalised version of the Act is published, there will be a two-year period before the Act enters fully into force, although the prohibition of unacceptable-risk uses of AI will come into effect after six months and the general purpose AI governance obligations will become applicable after 12 months.

The Act will apply to AI systems used or placed on the market in the EU. 

Action:

Organisations should consider whether they will need to comply and if necessary start planning how to achieve compliance.

Internationally 

The G7 voluntary Code of Conduct for AI developers (published in October 2023) sets out the actions that organisations should take to comply with the G7 international guiding principles on AI, including risk mitigation, responsible information sharing and incident reporting and robust security controls.

While the Code of Conduct is voluntary, most of the principles align with legislation in force, notably the GDPR/UK GDPR. AI developers should familiarise themselves with the principles and the code and consider what actions they should take.

Action:

AI developers should familiarise themselves with the principles and the code and consider what actions they should take.

AI Enforcement

We expect that 2024 will see increased enforcement action due to unlawful use of AI, including the use of personal data in breach of data protection law. 

---

International Data Transfers

Data transfers to the USA

Now that the EU-U.S. DPF and the UK-US data bridge have come into force, organisations can rely on these to transfer personal data to the United States. 

Action:

Given the risk of legal challenges (the current challenge from Philippe Latombe plus the threat of Schrems III), you may decide to take legal advice and proceed with caution. You could consider using layered clauses to provide that if these mechanisms are invalidated, standard contractual clauses will come into effect to provide a safeguard so that the transfer remains lawful.

Data transfers from the UK

In relation to international data transfers from the UK to countries other than the USA, the ICO has stated that it will publish guidance on the UK International Data Transfer Agreement (UK IDTA) and the UK Addendum to the EU standard contractual clauses (SCCs), although it has not yet indicated when this will be published.

The UK government has announced that it will seek international transfer partnerships with a number of target countries, including India, Singapore and the Dubai International Finance Centre.

Action: 

From 21 March 2024 UK organisations must repaper existing contracts that rely on the old version of the EU SCCs to switch to the UK IDTA or the new EU SCCs issued in June 2021 plus the UK Addendum.

Data transfers from the EU

The European Commissioner for Justice has indicated that adequacy decisions for Brazil and California are under discussion, so there may be news of progress during 2024.

International data transfers from the EEA to the UK

In 2024 the European Commission will review its adequacy decisions in respect of the UK, which are currently due to expire on 27 June 2025, to decide whether to extend them. While it is widely expected that the decisions will be renewed, a number of members of the House of Lords and other commentators have expressed concerns about the possible impact of the Data Protection and Digital Information Bill on the adequacy decisions.

Action:

Organisations relying on the UK adequacy decision for the transfer of personal data from the EEA to the UK, or from the UK to the EEA and then back to the UK, should monitor developments.

---

Cookies, behavioural advertising and cybersecurity

Cookies are typically used for the purpose of collecting information relating to a user's browsing activities, which can then be used to create a profile of that individual and display personalised online advertising to them.

The ICO's warning referred to above focuses on the use of personal information for personalised advertising without consent and links to the joint paper with the Competition and Markets Authority (CMA). The blog post launching the ICO/CMA paper states:

• a website’s cookie banner should make it as easy to reject non-essential cookies as it is to accept them; and 
• users should be able to make an informed choice on whether they want to give consent for their personal information to be used to profile them for targeted advertising.

The ICO has stated that it will provide an update on this work in January 2024. We anticipate that in 2024 the ICO will continue to work more closely with the CMA through both regulators' participation in the Digital Regulation Cooperation Forum (DRCF) to provide a joined-up response to misuse of personal data that can impact competition and consumer rights, as well as privacy.

The European Data Protection Board (EDPB) guidelines on tracking techniques covered by the ePrivacy Directive published in November 2023 apply broad interpretations to a number of terms used in the ePrivacy Directive, clarifying that its rules extend more widely than traditional cookies. While the UK is no longer bound by EDPB guidelines, they are still considered relevant. 

Regulatory shifts in the UK and the EU indicate that the use of cookies (and similar technologies) for online behavioural advertising is receiving greater scrutiny, so we recommend that you undertake an audit to identify whether your organisation is compliant and take steps to address any identified non-compliances.  

Google has announced that it will begin testing new functionality to restrict website access to third-party cookies in its Chrome browser in January 2024, with a view to phasing them out for all users in the second half of 2024. This is likely to impact behavioural advertising.

Action:

In the light of these regulatory and technological developments, businesses should consider alternative ways to continue to engage with their customers without using tracking cookies.

Cybersecurity

We anticipate that 2024 will see an increased focus on cybersecurity, including the following developments:

Cybersecurity in the UK

• proposed new statutory framework to improve the security and resilience of data infrastructure, including data centres

Cybersecurity in the EU

• EU member states must implement the NIS2 Directive by 18 October 2024
• the EU is expected to formally adopt the Cyber Resilience Act
• the European Supervisory Authorities under the EU Digital Operational Resilience Act (DORA) will develop technical standards in preparation for DORA becoming applicable on 17 January 2025 

Action: 

Organisations that operate in the UK and/or the EU should monitor developments and consider what actions are needed to meet the new requirements.

---

What else to expect in 2024

Online Safety Act

The Act (which received Royal Assent in October 2023) will impose obligations (to be set out in codes of practice drafted by Ofcom) on online service providers, but its substantive provisions are not yet in force. These will be implemented by secondary legislation, currently expected to be enacted in 2024. 

Action:

Online service providers should familiarise themselves with the OSA's requirements and review Ofcom's codes of practice as they are published to ascertain what actions are needed.

GDPR Review

The European Commission will publish its review of GDPR in 2024. It is not expected that this will result in substantial reform, but it is possible that it will be amended to include an updated version of the ePrivacy Directive. UK organisations whose activities are within GDPR's territorial scope should monitor developments and consider their potential impact.

Action:

UK organisations whose activities are within GDPR's territorial scope should monitor developments and consider their potential impact.

Data Protection Laws Worldwide

Following the entry into force of the revised Swiss Federal Act on Data Protection and Saudi Arabia's Personal Data Protection Law in 2023, we anticipate a wave of new and updated privacy laws:

• The Canadian Parliament is considering a bill to update its data protection law and introduce an AI and Data Act.
• India's new data protection law may come into force during 2024.
• New data protection laws are due to come into force in a number of US states. There have been indications that demands for AI legislation have rekindled interest in a federal data protection law, but also that this is unlikely during an election year.  

Action:

Organisations that operate internationally should monitor developments in each relevant territory and consider taking specialist advice on any additional data governance requirements.

ICO priorities for 2024

In its overview report "ICO audit: a year in focus", the ICO set out some new proposed areas of work for 2023-24:

• The use of AI in recruitment
• Data sharing in child protection/safeguarding
• Data protection compliance in the financial services sector
• The extraction and use of mobile phone data in criminal investigations
• Privacy & Electronic Communications Regulations: audits of public electronic communications network/service providers

Action: Organisations should monitor the ICO's guidance and enforcement activities in these areas and consider whether they need to make any changes to their policies and procedures.