This year has seen significant progress in the data protection industry, with many new privacy laws being enacted across the globe.
In this blog, we look at some of the major events and news stories that have shaped the landscape, influencing the direction of policies and processes.
What does the development of data protection laws mean for organisations? And how will the data protection industry continue to evolve? Big questions to keep in mind as we go into 2024.
5 years of the GDPR: The General Data Protection Regulation (GDPR) celebrated its 5th anniversary on 25 May 2023. Coming into force on 25 May 2018, it is cited as one of the toughest pieces of privacy legislation in the world. The EU’s principle-based regulation was introduced to protect the fundamental rights of individuals by safeguarding their personal data and creating a harmonised framework for data flows across the EU’s digital single market.
To mark the anniversary, The DPO Centre held a webinar to discuss the wins and challenges for businesses. Essentially, what worked, what didn’t, and why?
Facebook fined a record €1.2 billion: On 22 May 2023, after 10 years of litigation and 3 court procedures, the Irish Data Protection Commission issued Meta Ireland with the largest GDPR fine to date. It was the fourth fine Meta received this year: the Commission issued two penalties in January 2023 for breaching the rules on targeted ads on Facebook and Instagram, and in March 2023 a further fine for GDPR breaches by WhatsApp.
The fines sent a strong message to Tech giants that they cannot continue to neglect their compliance obligations under data protection regulations. However, Meta has yet to pay the fine and has announced its intention to appeal. One of the orders accompanying the penalty required Meta to discontinue its reliance on Standard Contractual Clauses (SCCs) for EU-US transfers by 12 October. In an update on 7 September 2023, Meta announced that it will instead rely on the new EU-US Data Privacy Framework (DPF) for data transfers.
The AI Safety Summit took place in the UK on 1 November 2023 at Bletchley Park. Intended as a landmark event for artificial intelligence, the event brought together leading experts, researchers, and policymakers from around the world.
An important outcome of the Summit was The Bletchley Declaration – a world-first agreement between 28 jurisdictions, including the EU, the US, and China. The Declaration establishes a shared responsibility to understand and manage the potential risks of AI development. Bias and privacy are topics covered within the Declaration, providing an agenda to focus on building respective risk-based policies across the countries. However, critics have highlighted the lack of detail and the absence of any actionable points for building an effective regulatory framework.
Europe’s GDPR continues to mature
Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become a global standard for data protection. With each passing year, we see further clarification on its interpretation, and a greater understanding of the implications for businesses and individuals alike.
There were several key court rulings by the Court of Justice of the European Union (CJEU) this year, which have helped to clarify certain areas of the legislation:
The European Commission adopted its adequacy decision on EU-US data flows and established the EU-US Data Privacy Framework (DPF), which came into effect on 10 July 2023. The DPF replaced the invalidated Privacy Shield and aimed to address the concerns previously raised by the CJEU. However, only minutes after the announcement, Max Schrems, the Austrian privacy lawyer and activist, expressed his scepticism of the decision and stated his intention to challenge the new deal. A challenge has yet to be submitted by Mr Schrems, but the debate over transatlantic data transfers is clearly not over and will continue into 2024.
The UK-US ‘data-bridge’ was approved on 21 September 2023 and came into force on 12 October 2023. Serving as an extension to the EU-US Data Privacy Framework (DPF), the data-bridge provides a mechanism for businesses in the UK to transfer personal data to US organisations certified under the ‘UK Extension to the EU-US Data Privacy Framework’ (UK Extension) without the need for further safeguards. However, criticisms of the EU-US DPF include concerns over the potential for increased surveillance by US authorities and the erosion of privacy rights. Many organisations have retained their existing data transfer mechanisms with a ‘wait and see’ approach.
DSIT published the AI Skills for Business Competency Framework for public consultation in November 2023. Supported by the Office for Artificial Intelligence within the Department for Science, Innovation and Technology (DSIT), the draft framework presents guidance on the essential knowledge, skills, and behaviours employees should have to benefit from AI technology. DSIT intends the framework to support businesses, enabling them to understand their AI upskilling needs, and to assist training providers in developing relevant training solutions.
The UK’s proposed GDPR replacement moves closer
On 19 December 2023 the Data Protection and Digital Information (DPDI) Bill was debated at the second reading stage in the House of Lords. The government believes the updates to the current UK GDPR will support innovation and reduce unnecessary burdens on businesses and organisations. However, the new legislation has the potential to increase costs and complexities for all but the smallest of businesses.
The Lords raised many concerns during the second reading, with the Lord Bishop of Southwell and Nottingham quoting Rob Masson of The DPO Centre. The Lord Bishop used Mr Masson’s words when calling attention to the way in which the UK seems to be going in the opposite direction to the rest of the globe by lowering data protection standards.
Lord Allan of Hallam said, ‘It is the concern around EU adequacy that I think should really be front and centre of our discussions when we consider this legislation.’
This concern was echoed by several other Members, with Lord Vaux of Harrowden succinctly stating, ‘We must get this Bill right. If we do not, we risk substantial damage to the economy, businesses, individuals’ privacy rights – especially children – and even, as far as the surveillance elements go, to our status as a free and open democratic society.’
There have been significant developments in Canada’s privacy laws this year. On 24 April, the Canadian House of Commons agreed on the entirety of Bill C-27, the Digital Charter Implementation Act 2022, which seeks to update and strengthen the Personal Information Protection and Electronic Documents Act (PIPEDA), including Canada’s first AI legislation.
In Quebec, Bill 64, ‘An Act to modernise legislative provisions as regards the protection of personal information’, came into effect on 22 September 2023, and the right to portability under this Act is due to come into force on 22 September 2024.
It was a big year for privacy in the US, with 5 new state privacy laws:
These laws reflect a shift towards greater consumer control over personal data and increased obligations for organisations in terms of data processing. They also indicate a move towards harmonising state-level laws with global standards, providing new consumer rights aligned with those in the GDPR.
UK’s DPDI Bill
As we move into 2024, all eyes are carefully watching the progress of the proposed Data Protection and Digital Information (DPDI) Bill. The hope of the data protection industry is that the Lords will take into consideration its numerous concerns and apply rigorous scrutiny to the proposed legislation. But only time will tell. We will keep you updated as soon as we have further information.
3rd party cookies in Chrome to be disabled
Google’s plan to phase out 3rd party cookies in its Chrome browser begins in quarter 1 of 2024. This is part of a larger initiative called the Privacy Sandbox project, which aims to reduce cross-site tracking whilst still allowing functionality to keep online services and content freely available.
Google will disable 3rd party cookies for 1% of users from early January, applying the changes to 100% of users by Q3 2024. The full rollout depends on Google addressing the competition concerns of the UK’s Competition and Markets Authority (CMA). The phasing out of non-essential cookies is in line with the wider global trend towards enhanced data protection and privacy.
The EU’s proposed ePrivacy Regulation establishes clearer rules on cookies, with a more streamlined solution for settings:
‘no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.’ (Proposal for an ePrivacy Regulation)
International data transfers
SCCs and IDTA – From 21 March 2024, UK organisations can no longer use the old EU Standard Contractual Clauses (SCCs) for restricted data transfers. Instead, they must rely on the UK’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (‘UK Addendum’).
EU-UK adequacy – Later in 2024, the European Commission is due to review the EU-UK adequacy decision, which will expire on 27 June 2025. The outcome of the UK’s proposed DPDI Bill could significantly affect this decision and create further complications for organisations operating across multiple jurisdictions.
EDPB action: Right of access by controllers
The European Data Protection Board (EDPB) will launch a national action in 2024 on ‘The right of access by controllers’. Each year, the EDPB seeks to prioritise certain topics for data protection authorities (DPAs) to work on at a national level. This will be the third co-ordinated enforcement action to date. The results allow for analysis and insight into the topic, which allows for targeted follow-up at both national and EU levels.
The EU’s AI Act
With European Parliamentary Elections scheduled for 6-9 June 2024, the EU is likely to adopt the proposed AI Act in early 2024. Otherwise, the elections could delay its passage until 2025. The Act has seen a certain amount of progress in 2023, with the European Parliament adopting amendments to the proposal on 14 June 2023. However, there have been stumbling blocks, especially over the way generative AI platforms like ChatGPT should be regulated. Big Tech companies have been lobbying to weaken the proposed EU legislation and there have also been calls from the French, German, and Italian governments to reduce some of the stringent measures to ensure AI innovation.
The UK’s AI Regulation Bill
The AI Regulation Bill is a Private Member’s Bill, originating in the House of Lords during the 2023-24 session. Last updated on 29 November 2023, the Bill includes provisions for the creation of a body called the AI Authority and the appointment of designated AI officers. The government intends to publish a draft AI risk register for consultation, an updated AI regulatory roadmap, and a monitoring and evaluation report after March 2024.
Data protection and privacy is a rapidly evolving industry. The pace of change is a challenge for organisations across all sectors, with new laws and new guidance being released regularly. The ever-pressing need for professional advice and guidance from data protection experts looks set to increase as we move into 2024.
The DPO Centre offers a range of data protection services, including consultancy, outsourced Data Protection Officers (DPOs), GDPR Representatives and AI Explainability (XAI) Services.