As we step into 2024, the regulatory landscape surrounding data protection in the UK and the European Union promises to be dynamic and eventful. Data protection laws are evolving on both sides of the English Channel, with key developments in various areas poised to shape the future of information governance.
The Data Protection and Digital Information Bill (DPDI Bill) had its second reading in the House of Lords on 19 December 2023. The Bill sets out some modest reforms to the UK’s version of GDPR, designed to reduce businesses’ compliance burden. However, it does not radically change the current GDPR rules. The Bill has a few stages to go, and the timing of the general election may impact its passage through Parliament.
Meanwhile, the European Commission is expected to publish a review of the EU GDPR in mid-2024. Whilst major changes are unlikely, the Commission will be looking at areas where implementation of GDPR is problematic, such as:
In particular, the Council of the EU has highlighted the compliance burden for smaller organisations and the need to provide more guidance and practical tools.
The 21 March 2024 deadline is rapidly approaching for UK data exporters to update to the UK international data transfer agreement. See our article here. Meanwhile, in 2024 the UK will seek more international transfer partnerships (adequacy decisions or data bridges) for its target countries, which include Singapore and the Dubai International Financial Centre. And we could see Schrems III, with a challenge to the recent EU-US Data Privacy Framework (the voluntary Framework which replaced the invalidated Privacy Shield program). This could have implications for the UK Extension to the Framework.
AI regulation is set to increase globally. The EU reached a political agreement on the text of the EU AI Act at the end of 2023, and it is anticipated that this Act will be adopted by the European Parliament this year. It will have an extra-territorial effect, impacting UK businesses operating in the EU that use AI. Meanwhile, the UK opted for a different course (Brexit dividend?). Instead of a specific AI Act, the UK plans to delegate AI regulation to existing sector-specific regulators. This year, the regulators (such as the ICO, CMA and FCA) will publish guidance on the principles for the adoption of AI.
The UK Information Commissioner’s Office (ICO) will finalise its guidance for employers and other recruiters on data protection compliance in recruitment and data retention practices. This will complement guidance issued in 2023 on Workers’ Health and Monitoring Workers (see here).
The ICO is likely to maintain its focus on unwanted email and SMS marketing, cookie compliance and allowing fair choices over whether or not to be tracked for personalised advertising, children’s data and data breaches. We can expect more public reprimands, fines and enforcement actions. Key takeaways from the ICO based on the latest reprimands they have issued were: