To celebrate Data Privacy Day on 28 January, we’re looking forward to another busy year of change in data protection. Here are six areas to watch in 2024.
1. Cookie rule enforcement
In November 2023, the ICO (Information Commissioner’s Office) announced that it had written to many of the UK’s most visited websites whose cookie usage wasn’t compliant with the PECR (Privacy and Electronic Communications Regulations).
The ICO gave the website owners 30 days to ensure their cookie usage was compliant, or else it would identify the organisations still non-compliant and potentially take further action. We discussed the ICO’s announcement in a recent interview with Louise Brooks, our head of consultancy, and covered the letters the ICO made public in December in a follow-up interview.
2. The DPDI Bill may get Royal Assent
The DPDI (Data Protection and Digital Information) Bill, which aims to update data protection law in the UK post-Brexit, is currently at the committee stage in the House of Lords. This means we can reasonably expect the final version to become law sometime this year.
The Bill, which Louise explained in layman’s terms in May 2023, primarily makes things easier for organisations operating in the UK by, for example, clarifying when they can refuse to accommodate a DSAR (data subject access request) and removing the requirement for a UK representative.
The Bill has since been amended. We’ll update our blog once the final version is published.
You can keep an eye on the Bill’s latest status here.
3. International data transfers after March 2024
SCCs (standard contractual clauses), issued by the European Commission, are used in contracts to allow for data transfers that would otherwise not be allowed under the GDPR.
Post-Brexit, UK organisations with contracts that were concluded before 21 September 2022 based on the SCCs issued by the European Commission between 2001 and 2010 must stop relying on those SCCs for international data transfers by 21 March 2024.
Going forward, UK organisations will need to rely on either the UK’s IDTA (international data transfer agreement) or the Addendum to the Commission’s SCCs to transfer data to countries without an adequacy decision.
4. Review of the EU–UK adequacy decision
The current adequacy decision between the EU and the UK, which allows for the free movement of personal data from the EU to the UK, expires in June 2025. The European Commission is expected to start a review in 2024 to decide whether to extend the adequacy decision for another four years.
The introduction of the DPDI Bill will potentially cause an issue here, but that won’t be clear until the Bill has passed and the European Commission begins its review.
5. The EU AI Act
In December 2023, the EU announced it will regulate the use of AI with the AI Act to “ensure better conditions for the development and use of this innovative technology”.
The Act has been written, and the European Parliament “reached a provisional agreement with the council on the AI Act” in December. That agreement will have to be formally adopted by both the European Parliament and Council to become EU law.
6. UK AI regulation
The UK government has started creating the UK’s own AI regulation, after releasing a white paper in March 2023 on the current regulatory environment, the approach the government plans to take, how the regulation will be applied territorially, and more.
The paper also included the government’s plans and a roadmap for developing the regulation over the 12 months following publication, so we should expect to see progress in this area in 2024.