Data, privacy and the AI landscape in 2024

Posted on 26th January 2024

Here at Pritchetts Law, we’ve been gazing into our data protection crystal ball to foresee what 2024 might bring for the world of data protection, privacy and artificial intelligence (AI) law. And what better day to share our predictions than Data Protection Day? After all, the aim of this annual event on 28 January is to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.

The landscape of data protection, AI, privacy and digital regulation continues to evolve at an unprecedented pace. This year is set to be pivotal, with significant changes on the horizon that will shape how organisations and individuals approach data protection and their use of AI and digital tech.

From imminent reform of UK data protection law to increased regulatory investigations, the rise of AI-enhanced cyber threats and the intersection with anticipated global AI and digital regulation, the stakes have never been higher, and the opportunities never greater.

It’s a lot to take in, so we’ve cut through the complexities to offer you our top 10 predictions for the data, privacy and AI landscape in 2024.

Do connect with us at Pritchetts Law LLP as we continue to explore what the future holds in this fast-paced area of law and compliance.

1. Reform of UK data protection law

The Data Protection and Digital Information Bill (DPDI Bill), which aims to reform UK data protection law, could become law as early as spring 2024.

If it comes into force as anticipated, it will bring the first major post-Brexit divergence of UK data protection laws from the EU General Data Protection Regulation (GDPR).

For multinational organisations, this divergence is likely to create some opportunities, but also present challenges, including a more complex data regulation landscape.

2. AI regulation

AI poses numerous risks, but also offers many benefits. Many organisations are keen to implement AI systems rapidly so that they can keep pace with competitors and the evolving market.

Our recent article in the Privacy & Data Protection Journal laid out the issues organisations face when implementing or trialling AI systems. AI must be on the agenda of all senior-level discussions, and privacy and data protection professionals should be at the centre of those conversations so that the organisation takes a consistent approach to data protection compliance.

The development and use of AI is already covered by various existing laws, including those relating to intellectual property, confidentiality, human rights and data protection (including the GDPR). AI-specific regulation is likely to follow quickly to sit alongside that legislation. The final draft of the proposed EU AI Act was published recently and is likely to be brought into force soon. This puts the EU ahead of the USA, China and the UK, all of which have been racing to regulate rapidly developing AI technology.

3. Continued GDPR enforcement

The Information Commissioner’s Office (ICO) – and supervisory authorities across the EU – will continue to enforce the EU and UK GDPR, with a likely focus on those involved in:

  • Processing children’s data and conducting non-compliant marketing.
  • Data brokerage. The ICO has been investigating data brokers and issuing guidance to both brokers and those using their services (including marketing services). Don’t get caught in the ICO’s crosshairs as they scrutinise these practices.
  • Processing biometric data. This underwent fresh examination because of Clearview AI’s facial recognition technology.
  • Developing or implementing AI.

4. Continued focus on non-compliant marketing

Last year, Meta was handed a massive €390 million fine under the EU GDPR for unlawfully relying on users’ acceptance of its terms of service (contractual necessity) as the legal basis for using their data for personalised ads on Facebook and Instagram.

The ICO also continues to focus on this area, issuing most of its fines in 2023 for non-compliant marketing practices. Keep an eye on our socials for our upcoming article on these fines and the lessons learned.

Such fines serve as a handy reminder to ensure that your staff have up-to-date training in compliant marketing practices and that you have reviewed your policies, controls and consent mechanisms. We offer a one-day Data Protection for Marketing Professionals course on dates throughout the year, so why not sign up?

5. Continued focus on the handling of personal data related to underage users

TikTok was on the sharp end of some large fines last year too. First, the ICO issued it with its highest fine to date, £12.7 million, for several breaches of data protection law, including failing to use children’s personal data lawfully. Later that year, the Irish Data Protection Commission (TikTok’s lead supervisory authority in the EU) fined it €345 million for breaching EU GDPR rules in its handling of children’s accounts.

In late 2023, the ICO also issued a preliminary enforcement notice against Snap, which concerned its potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’, particularly to children. We expect the ICO’s final decision on this in the coming months. Whatever happens, this example is a useful reminder for organisations developing or using generative AI to properly assess its risks as well as its benefits.

All organisations must review their processing of children’s data generally, to ensure that they are doing so in line with applicable data protection legislation and regulatory guidance, including the ICO’s Children’s Code.

6. Continued focus on advertising cookies and the use of dark patterns on websites

The ICO has made it clear that non-compliant consent mechanisms for advertising cookies will continue to be part of its enforcement focus. In 2023, it issued guidance and held webinars about the use of harmful website design tools (including dark patterns). These tools are used to influence users’ decisions about how their personal data can be used, and make it harder to refuse cookies than to accept them.

In November 2023, the ICO issued enforcement action warnings to several of the UK’s most visited websites, requesting that they give users fair choices over whether to be tracked for personalised advertising. The ICO is likely to follow through with these warnings in 2024, and continue its wider work to ensure that the online advertising industry upholds individual rights.

In the EU, regulators and courts alike have been scrutinising the online advertising and cookie ecosystem too. They continue to push for consent to be the only valid legal basis for personalised online advertising, ruling out alternatives such as legitimate interests and contractual necessity.

In November 2023, the European Data Protection Board (EDPB) published draft guidance in relation to the use of cookies and similar tracking technologies, particularly those used most often in online advertising. Public consultation on that guidance ended in mid-January 2024, so the final version is expected soon.

By April 2024, the European Commission (EC) aims to finalise its Cookie Pledge, a set of high-level voluntary principles that aim to simplify cookie management and personalised advertising choices.

7. Continued rise of cyberattacks

Cyberattacks are expected to continue to rise, with attackers likely to exploit AI for increasingly sophisticated attacks. We must all remain on guard, and ensure that appropriate technical and organisational security measures (which Article 32 GDPR requires) are in place. And if things do go wrong, it’s crucial to have up-to-date, well-rehearsed data breach-handling processes ready to go, including the ability to assess a personal data breach quickly enough to notify the ICO within the 72 hours that Article 33 GDPR allows where the breach is reportable.

8. Other new digital regulation

New digital regulation isn’t confined to AI; several new data laws are being considered across the UK, the EU and beyond.

For example, in the EU, there are the Digital Markets Act, Digital Services Act, Data Governance Act and Data Act.

Meanwhile, the UK has adopted a more sector-specific approach, such as the Smart Data schemes proposed under Part 3 of the DPDI Bill.

9. Data transfers, data bridges and adequacy

In September 2023, we reported on the new UK–US data bridge, part of the UK Extension to the EU–US Data Privacy Framework (DPF).

Organisations that still rely on the old (pre-GDPR) EU standard contractual clauses (SCCs) for restricted transfers from the UK have until 21 March 2024 – only weeks away – to transition to another mechanism that enables compliant transfer of personal data from the UK to countries without an adequacy decision. Suitable replacements are the UK international data transfer agreement (IDTA), the UK Addendum to the new (2021) EU SCCs, or binding corporate rules (BCRs). Note that the new EU SCCs on their own are not a valid mechanism for UK transfers; they must be used with the UK Addendum.

In late 2023, the ICO introduced a UK Binding Corporate Rules Addendum. Organisations that already have approved EU BCRs and want to apply for UK BCRs can use the Addendum, which avoids the need for a whole new set of documentation and reduces duplication.

The ICO also issued guidance for organisations completing transfer risk assessments for UK–US data transfers. Organisations must ensure that their data mapping is up to date for their own international transfers and those of their suppliers, not least after the record €1.2 billion fine issued to Meta in May 2023 for its EU–US transfers of Facebook user data.

Further developments in relation to international data transfers are anticipated in 2024.

The EU–UK adequacy decision is expected to last until June 2025, enabling compliant transfers from the EU to the UK. The EC will commence work before the end of 2024 to consider whether to grant a further adequacy extension (up to a maximum of four more years). As part of this review, the EC is bound to watch closely the UK data reforms mentioned above, alongside any potential new UK data bridges granted to countries to which the EU doesn’t currently grant adequacy status.

Privacy professionals are keeping a close watch on the latest movements of Max Schrems, the privacy activist who successfully challenged the previous two EU–US data transfer mechanisms. Schrems has indicated that he intends to commence new legal proceedings relating to the current DPF.

10. Governance focus on privacy

It can be tempting for organisations to believe that they achieved GDPR compliance in May 2018 and have no further work to do, but this is clearly not the case. Data protection compliance is a living, breathing project for all organisations, not least because the use of data, the suppliers that businesses use, the systems used to process data and the laws surrounding it are constantly changing.

Savvy investors, boards and stakeholders are continuing to apply scrutiny in this area and see it as a crucial part of their Environmental, Social and Governance (ESG) programmes.

If your organisation needs any help keeping its house in order over 2024, please do get in touch with Pritchetts Law Partners Stephanie Pritchett or Ben Wootton.

Pritchetts Law LLP
Hillside
35 Westbury Hill
Bristol
BS9 3AG
United Kingdom

+44 (0) 117 307 0266
info@pritchettslaw.com


Pritchetts Law LLP is a Limited Liability Partnership registered in England and Wales (company no. OC413975) and authorised and regulated by the Solicitors Regulation Authority (SRA no. 647155). "Partner" refers to a member of Pritchetts Law LLP.
© Copyright 2024 Pritchetts Law LLP