AI will continue to be the big headline maker in 2024. Rapid developments in the technology itself and its capabilities, coupled with ever greater AI awareness, mean that its growth and potential uses are expected to take another leap in 2024.
This of course brings with it the much-anticipated regulation. While 2023 saw many global conversations about regulation, at the end of the year political agreement was reached on the EU AI Act, the world’s first comprehensive law to regulate AI. While we still wait for the final text to be formally released, leaks have given us a steer on what it may look like. There is certainly still much debate as to how to regulate this fast-evolving technology, but it is likely that the EU AI Act will set a blueprint for AI regulation going forward and that 2024 will see a lot of data protection practitioners getting to grips with its provisions.
The next steps by the UK Information Commissioner’s Office will be interesting. Compared to most regulators, the ICO is already ahead of the curve when it comes to issuing AI-related guidance and setting expectations, and now it seems to be turning specifically to Gen AI by launching a consultation series on this very topic. It will be interesting to see what guidance follows this consultation and how this impacts the deployment of LLMs. The outcome of its current enforcement action against Snap Inc’s Gen AI chatbot My AI will also give a good indication of the ICO’s level of tolerance in this space.
Will 2024 be the year when we finally see the death of third-party cookies? As Google announced in December 2023, the process started on 4 January 2024, when 1% of Chrome users had a new feature, known as Tracking Protection, enabled by default; it limits cross-site tracking by restricting websites’ access to third-party cookies. Google aims to phase out third-party cookies for everyone in the ‘second half of 2024’, subject to any competition concerns the UK’s Competition and Markets Authority may have. This will force advertisers to turn to alternative ID solutions if they wish to continue to track users (and those alternatives have privacy issues of their own).
At the end of 2023, we saw the ICO taking more proactive steps to address non-compliant cookie banners. This involved writing to various website operators requiring them to update their CMPs to ensure that compliant consents are obtained. While not formal enforcement action, this step from the ICO caused website operators to review their practices. It seems the ICO will continue to focus on this area, particularly now that it is equipped with various technologies to help it enforce proactively in this space, so privacy practitioners should make their cookie banners a priority. It is also likely that we will see a number of ad-funded service providers following in Meta’s EU footsteps and offering ‘pay or ok’ models.
EU regulators have also been busy with the European Data Protection Board’s new tracking technology guidelines causing even more of a headache for ad tech vendors. The EU Commission has also launched its cookie pledge which has received interesting feedback from the EDPB (and will likely impact the ‘pay or ok’ discussions).
Finally, we mustn’t forget IAB Europe’s TCF litigation, currently awaiting ECJ deliberation on the preliminary ruling, before heading back to the Belgian Market Court for final determination.
2024 will likely see the Data Protection and Digital Information Bill pass into law; it is being hailed as the UK’s ‘business friendly’ version of the GDPR.
While the reforms are in the main likely to be welcomed by UK organisations, the UK government has made clear that an organisation which is compliant with the current UK (and, broadly, the current EU) regime will also be compliant with the new regime. It will therefore be interesting to see how far the new UK flexibilities are actually taken up by multinationals, who ultimately want a harmonised compliance regime across the jurisdictions in which they operate.
What is likely to have a real impact is the change in the risk profile for e-Privacy breaches: fines for breaches of e-Privacy requirements, such as obtaining consent for electronic marketing and for dropping cookies, will be brought into line with current UK GDPR levels.
2024 is a big year for online tech regulation, with the EU Digital Services Act (DSA) and the Digital Markets Act (DMA) coming fully into effect. Very large online platforms and search engines have already had to grapple with the DSA rules, but as of 17 February 2024 the rules will apply to all platforms. As for the DMA, while the gatekeepers were officially designated on 6 September 2023, they are required to comply with the Act by 6 March 2024. While the scope of the DSA and DMA may be limited to certain types of tech organisation, we are already seeing a number of their requirements being flowed down by the big tech vendors to users of their respective services.
The EU Commission is also set to conduct its 4-yearly review of the GDPR, so it will be interesting to see what comes out of that process. The call for evidence and questionnaire are open until 8 February 2024, with the report based on the feedback expected in mid-2024.
On the UK front, we have the Online Safety Act 2023 and all its associated guidance to be released throughout 2024.
The big news in this space in 2023 was the EU-US Data Privacy Framework (DPF), with the UK Extension and the Swiss-US Data Privacy Framework. While the ink was barely dry, a challenge was filed by a French MP (in a personal capacity) seeking to have the DPF annulled. While this challenge did not succeed at the interim stage, seasoned privacy campaigners are expected to challenge the transfer mechanism, as they do not believe it meets the requirements of the GDPR. Will Schrems III be on the cards for 2024?
Meanwhile the UK Government continues to work at the bilateral level with the UK’s priority partnerships, as well as pushing for multilateral solutions; even the EU Commission has signalled a change in approach, with perhaps more acceptance in the EU of a future of global multiparty solutions. This may well explain the EU Commission’s rubber stamping of the eleven existing adequacy decisions that were adopted pre-GDPR.
The increased reliance on data, coupled with the rapid acceleration of ever more sophisticated cyber threats and attacks, means that cyber resilience is also going to be a key theme for 2024. AI is adding fuel to the fire, enabling attackers to scale up and/or automate attacks and to exploit weaknesses across the attack surface. AI can of course also be used to combat the threat, but it has been recognised that further protections are necessary, e.g. new legislation mandating security requirements in the form of the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA 2022) in the UK and the Cyber Resilience Act in the EU. A renewed boardroom focus on cyber risk management and an expected increase in budgets and resources are forecast, in order to protect valuable assets from attack and to reduce the risk of fines and adverse publicity.
It will be important to keep an eye out for and understand the EU Cyber Resilience Act, the UK’s approach to cyber resilience, and the long-awaited NIS2 Regulations. All this, coupled with the skills shortage and how to address it, mean a busy year ahead in the cyber sector.
AI in the workplace context will be a hot topic for sure. The EU AI Act (use of AI in the workplace will be classed as ‘high risk’), Safety Summits, US Executive Orders, potential EU legislation on algorithmic management in the workplace, alongside data protection authority guidance, commentary and debate all acknowledge there are thorny issues to be tackled in this area and that workers must be given enhanced protection. Automated decision making is of concern to trade unions and works councils alike, while transparency features globally as a principle for AI. Discrimination and bias need to be addressed, likely through detailed equality impact assessments and by AI auditing tools, and the debate around generative AI in the workplace is only nascent.
The world of work and data continue to have the usual challenges around subject access requests, both with the increasing volume and the tactical way in which they are being used in employment disputes. The ICO 25 strategy ‘empowering you through information’, as well as high profile public data subject access requests, have added fuel to the fire. The volume and nature of such requests means that many businesses are struggling to keep up with both the tight deadlines and the sheer volume of data that needs to be processed and reviewed.
The ICO is also busy consulting on new guidance on employment practices and data protection. The draft guidance published so far sets out employers’ data protection obligations and focuses on two key areas, ‘Keeping employment records’ and ‘Recruitment and selection’, with more guidance to follow.
While 2023 did not see a huge amount of high-profile litigation, we did see some significant European Court of Justice decisions on the ability to claim damages and on what counts as harm. First there was an ECJ ruling that clarified that harm must actually have been suffered for a claim to arise, but that no de minimis threshold applies. While this provided some comfort that claims will not arise from a mere infringement of the GDPR, a further ECJ decision at the end of the year clarified that fear (for example, of misuse of one’s data) can constitute non-material harm, which no doubt will re-open some floodgates. It is therefore safe to say that data privacy litigation threats are still very much alive and kicking. Further, with the wider adoption of AI, the risk of claims (especially in higher-risk areas such as the workplace) is increasing. This, coupled with the ever-increasing cyber threats and increasing regulatory activity on issues such as website scraping and misuse of children’s data, means it is likely that litigation funders are still looking for opportunities to strike, and it wouldn’t surprise us if we saw an increase in data litigation in 2024.
Children’s data remains in the regulatory spotlight around the globe. On 18 January 2024, the ICO published its renewed age assurance Opinion with an updated version reflecting developments over the past two years. The updated Opinion gives guidance and reflects the technological developments in age assurance technology/approaches, as well as explaining how to comply with data protection obligations while complying with the Online Safety Act 2023.
In the EU, the big news was TikTok’s EUR 345 million fine and the corrective measures imposed by the Irish Data Protection Commission in Autumn 2023. This decision was not dissimilar to the Instagram EUR 405 million fine in September 2022, in that it also involved public-by-default settings. TikTok has appealed the decision and we await the outcome. It will also be important to follow the EDPB’s projects and proposed guidance, as children’s data and protecting children online are in its work programme for 2024.
Many state legislatures in the US are considering adopting laws to further protect children’s data, although discrepancies remain around the definition of a child and therefore to what age the various protections apply. Meanwhile, the litigation around California’s Age Appropriate Design Code Act continues.
Developments in relation to behavioural advertising and children’s data will make it near impossible for children’s data to be used for targeted advertising. For example, targeted advertising to children without parental consent is the subject of several lawsuits in the US (think YouTube, DreamWorks, Cartoon Network, Amazon Alexa to name but a few!), and the DSA has now introduced an outright ban on the use of children’s data for targeted advertising purposes in the EU.
Whether data can ever truly be anonymised is a question often asked, and the answer tends to depend on who is answering it. The rapid adoption of AI has accelerated the need for clarity in this area: large language models (LLMs) are trained on vast amounts of data, so it is increasingly important to understand where the boundary between anonymous and personal data actually lies.
In the UK, the ICO’s anonymisation and pseudonymisation guidance has been ‘paused for review from 2023 to 2024’, to allow the Data Protection and Digital Information Bill to progress through Parliament so that any changes to the law can be reflected in the final guidance. The guidance released so far by the ICO has been detailed and pragmatic.
The EU’s approach is also undecided. While the EU has in the main always taken a more ‘black letter law’ approach than the ICO, some commentators believe a risk-based approach may be gaining favour; this will depend on the EDPB’s guidance, which is yet to be published but which we also hope to see in 2024.
As is obvious, even taking only one of the themes above (let alone ten) there will be lots of interesting developments in 2024.