As we approach the final quarter of 2024, it's an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023 (read our article on this here). Now, let's see how those predictions have played out.
The Data Protection and Digital Information Bill (DPDI Bill)
It was expected that this Bill would become law in Spring 2024, introducing significant changes. Among these were adjustments to the criteria for charging fees related to data subject access requests and a new legal basis for processing data under recognised legitimate interests.
However, the legislative journey of the DPDI Bill took an unexpected (or some may say, very much expected) turn. Although the Bill had successfully passed the Committee Stage in the House of Lords on 24 April 2024, it was subsequently dropped following the previous Prime Minister's announcement of a general election. This legislation will no longer come into force, unless the new Government decides to revive it.
Artificial Intelligence (AI)
AI's expanding role in the workplace was one of the major trends we anticipated for 2024. From customer service to recruitment, AI's influence on business operations is undeniable. We expected increased regulatory focus on AI, particularly concerning transparency, security and compliance with data protection laws.
While the ICO did not release new AI-specific guidance in 2024, it did take a step forward by launching a consultation series on the application of data protection laws to generative AI – AI that creates content such as text, code and images – which presents unique challenges compared to simpler AI models. This consultation, which concluded on 10 June 2024, aimed to clarify complex issues like the lawful basis for AI training, purpose limitation, accuracy and data subject rights. The outcomes of this consultation are eagerly awaited and could shape the regulatory landscape for AI in the years to come.
International data transfers
2023 saw considerable activity in international data transfers, including the implementation of the EU-US Data Privacy Framework, which allowed UK businesses to transfer data to certified US organisations. We anticipated that this framework might face legal challenges in 2024, echoing past Schrems litigation.
Instead, the European Commission has recently initiated a call for evidence, inviting feedback by 6 September 2024, to assess whether the EU-US Data Privacy Framework is functioning effectively. It will be interesting to see if the anticipated legal challenges materialise.
Additionally, the UK's new role as an associate member of the Global Cross Border Privacy Rules (CBPR) Forum was expected to lead to more international transfer agreements and potential membership expansion to other countries. The UK remains the only associate member. However, the Forum has made notable strides, establishing the Global CBPR and Global Privacy Recognition for Processor systems in April 2024, with accountability agents now active in Japan, Korea, Singapore, Chinese Taipei, and the United States.
The ongoing developments in data protection underscore the dynamic nature of this field. Organisations must remain vigilant and adaptable to navigate the complexities of the evolving regulatory landscape.
ICO Cookie regulations
In late 2023, the ICO raised concerns about the prominence of 'accept all' buttons in cookie banners, stressing that rejecting non-essential cookies should be equally straightforward. The ICO warned several popular websites about possible enforcement actions if they failed to comply with these standards. An update from the ICO was expected for January 2024, including information on non-compliant companies.
The ICO did provide an update in January this year, revealing that out of the 53 organisations it contacted, 38 had adjusted their cookie banners to be compliant and four had committed to reach compliance within a month. The ICO continues its efforts to ensure all websites offering services to UK users adhere to these standards, urging organisations to act before enforcement measures are necessary.
Data breaches
Major data breaches in 2023, including those involving the UK Electoral Commission and the Police Service of Northern Ireland (PSNI) were under investigation by the ICO. We anticipated that penalties would be announced in 2024.
The ICO has since fined the PSNI £750,000 for failing to protect the personal data of its workforce – a breach caused by human error that led to serious concerns over safety. In contrast, the Electoral Commission received only a reprimand, despite a serious hack that exposed vulnerabilities in its systems. The ICO's investigation found that the Electoral Commission lacked adequate security measures, prompting it to take remedial steps to enhance its protection against future attacks.
As 2024 progresses, it's clear that some of the year's predictions have materialised, while others have taken unexpected turns. The ongoing developments in data protection underscore the dynamic nature of this field. Organisations must remain vigilant and adaptable to navigate the complexities of the evolving regulatory landscape.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.