Many new privacy laws are being enacted across the globe under the guise of increased cyber risks, the growth of Artificial Intelligence and landmark privacy law cases. On World Data Protection Day, January 25th 2024, we look at some of the major events and news stories that have shaped the landscape, influencing the direction of policies and processes.
This is how the data protection industry will evolve, especially around big legislative leaps such as the NIS2 Directive and the EU Cyber Resilience Act. Certification of security standards has become a critical requirement as SMEs seek to implement key controls around the protection of personal information.
Data Protection & AI
In recent years, we have experienced significant growth in the use of AI technologies. ChatGPT has dominated the headlines in recent months. As the EU ramps up its AI regulations, the legal and governance risks posed by the use of AI have caught our attention.
AI governance has become a top priority and data protection compliance will be front and centre of these concerns to the extent that personal data is processed to develop, test or use AI technology.
Against this backdrop, privacy teams in 2024 will have to ensure that their privacy compliance and accountability tools are ‘up to scratch’ to deal with the challenges posed by the use of AI technologies.
Major Data Protection Events
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on GDPR celebrated its 5th anniversary on 25 May 2023. Coming into force on 25 May 2018, it is cited as one of the strictest pieces of privacy legislation in the world. The EU’s principle-based directive was introduced to protect the fundamental rights of individuals by safeguarding their personal data and creating a harmonised framework across the EU and for EU subjects across the globe.
Data Protection Fines
The AI Safety Summit took place in the UK on 1 November 2023 at Bletchley Park. Intended as a landmark event for AI, the event brought together leading experts, researchers, and policymakers from around the world, including the EU, US and China.
An important outcome of the Summit was The Bletchley Declaration – a world-first agreement between 28 jurisdictions. The Declaration establishes a shared responsibility to understand and manage the potential risks of AI development. However, actionable strategies, which are fundamental for creating a credible regulatory framework, are absent.
Data protection developments in the EU, UK, and North America
There were several key court rulings by the Court of Justice of the European Union (CJEU) this year, which have helped to clarify certain areas of the legislation:
- Accountability principle – The CJEU ruled that not every violation of the GDPR would render all related processing unlawful (Case C-60/22)
- Right of Access – The CJEU clarified the scope of the GDPR right of access by stating that the right to obtain a ‘copy’ of personal data means that the data subject must be given a ‘faithful and intelligible’ reproduction of all those data
- Joint Controllers – The CJEU stated that if a company doesn’t follow GDPR rules for making a joint controller agreement or keeping records of data processing activities, it doesn’t automatically mean that the company’s data processing is illegal.
- Penalty fines – The CJEU ruled on 5 December 2023 that a supervisory Data Protection Authority (DPA) may only impose a fine for a GDPR infringement if it was committed wrongfully, either intentionally or negligently. In calculating a fine, a DPA must consider the total worldwide turnover of the entire group from the preceding business year.
The European Commission adopted its adequacy decision on EU-US data flows and established the EU-US Data Privacy Framework (DPF), which came into effect on 10 July 2023. The DPF replaced the invalidated Privacy Shield and aimed to address the concerns previously raised by the CJEU. However, only minutes after the announcement, Max Schrems, Austrian privacy lawyer and activist, stated his intention to challenge the new deal. A challenge has yet to be submitted by Mr Schrems, but the debate over transatlantic data transfers is clearly not over and will continue into 2024.
UK’s Key Data Protection Updates
The UK-US ‘data-bridge’ was approved on 21 September 2023 and came into force on 12 October 2023. Serving as an extension to the EU’s Data Privacy Framework (DPF), the data-bridge provides a mechanism for businesses in the UK to transfer personal data to US organisations certified under the ‘UK Extension to the EU-US Data Privacy Framework’ (UK Extension) without the need for further protections. However, criticisms of the EU-US DPF include concerns over the potential for increased surveillance by US authorities and the erosion of privacy rights.
The UK’s proposed GDPR replacement moves closer
On 19 December 2023, the Data Protection and Digital Information (DPDI) Bill was debated at the second reading stage in the House of Lords. The government believes the update will reduce unnecessary burdens on businesses and organisations, but the key risk with this Bill is that larger organisations will still be subject to the GDPR unless they have a way to segregate UK data subject data from EU data.
Canada Seeks to Update and Strengthen Its Privacy Laws
There have been significant developments in Canada’s privacy laws this year. On 24 April, the Canadian House of Commons agreed on the entirety of Bill C-27, the Digital Charter Implementation Act 2022, which seeks to update and strengthen the Personal Information Protection and Electronic Documents Act (PIPEDA),
The United States Sees a Wave of New Privacy Laws
It was a big year for privacy in the US, with 5 new state privacy laws:
- California Privacy Rights Act (CPRA) came into effect on 1 January 2023 and amends the California Consumer Privacy Act (CCPA)
- Virginia Consumer Data Protection Act (VCDPA) came into effect on 1 January 2023
- The Colorado Privacy Act (CPA) came into effect on 1 July 2023
- The Connecticut Data Privacy Act (CTDPA) came into effect on 1 July 2023
- The Utah Consumer Privacy Act (UCPA) will come into effect on 31 December 2023
These laws reflect a shift towards greater consumer control over personal data and increased obligations for organisations in terms of data processing. They also indicate a move towards harmonising state-level laws with global standards, providing new consumer rights aligned with those in the GDPR.
International Data Transfers
SCCs and IDTA – From 21 March 2024, UK organisations can no longer use the old EU Standard Contractual Clauses (SCCs) for restricted data transfers. Instead, they must rely on the UK’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (‘UK Addendum’).
EU-UK adequacy – Later in 2024, the European Commission is due to review the EU-UK adequacy decision, which will expire on 27 June 2025. The outcome of the UK’s proposed Data Protection Bill could significantly affect this decision.
EDPB Action: Right of Access by Controllers
The European Data Protection Board (EDPB) will launch a national action in 2024 on ‘The right of access by controllers’. Each year, the EDPB seeks to prioritise certain topics for data protection authorities (DPAs) to work on at a national level. This will be the third co-ordinated enforcement action to date. The results allow for analysis and insight into the topic, enabling targeted follow-up at both national and EU levels.
The EU’s AI Act
The EU is likely to adopt the proposed AI Act in early 2024. Otherwise, the elections could delay its passage until 2025. The EU Parliament’s priority is to make sure that AI systems used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly. AI systems should be overseen by people, rather than by automation, to prevent harmful outcomes.
Parliament also wants to establish a technology-neutral, uniform definition for AI that could be applied to future AI systems.
The UK’s AI Regulation Bill
The AI Regulation Bill is a Private Member’s Bill, originating in the House of Lords during the 2023-24 session. Last updated on 29 November 2023, the Bill includes provisions for the creation of a body called the AI Authority and the appointment of designated AI officers. The government intends to publish a draft AI risk register for consultation, an updated AI regulatory roadmap, and a monitoring and evaluation report after March 2024.