Happy (belated) International Data Privacy Day for Sunday!
And what better reason than that to explore what 2024 is likely to have in store for data and privacy?
We are just over one year on from the European Commission kick starting the process to adopt an adequacy decision for the EU-US Data Privacy Framework. Two years on from the UK government hinting that it might think outside the box in terms of data protection regulation. Three years on from the introduction of the UK GDPR in a post-Brexit Britain. Four years on from the start of a global pandemic which forced a discussion around the tension between public health and data privacy. And over five years on from the GDPR coming into force across Europe, and by extension the world. But the passing of time does not appear to have diminished the worldwide focus on data and privacy issues.
In this post, we set out some of our predictions for data protection and privacy developments across the UK and EU in the year to come.
2024 looks likely to continue the trend of increasing privacy legislation around the world, with significant developments in India, China and Saudi Arabia.
In India, the draft Digital Personal Data Protection Act 2023 ("DPDPA") is expected to come into effect in 2024, introducing a new comprehensive framework for data protection. For more about the DPDPA, please see our briefing here.
In China, draft regulations relaxing the cross-border transfer requirements were proposed in Autumn 2023. If enacted, the new regulations will introduce certain exemptions to the prohibition on making international data transfers from China without complying with therequirements set out in the law, such as relying on standard contractual clauses.
2024 is also shaping up to be another year of data protection reform in several Gulf States, including notably Saudi Arabia. The Personal Data Protection Law ("PDPL"), which passed in 2023, will come into force in 2024, and will introduce the country's first comprehensive data protection legislation, although much of the detail is yet to be published. For more information about the PDPL, please see our briefing here.
With the addition of New Jersey and New Hampshire in early 2024, 13 US States now have privacy legislation. Several state-level data privacy rights are expected to go into effect in 2024, including the Texas Data Privacy and Security Act and the Florida Digital Bill of Rights, as well as privacy laws in Oregon, Montana and Washington. However, despite the continued uptake of privacy legislation at the state level, talks around the proposed American Data Privacy and Protection Act have stalled since early 2023. Given that 2024 will be an election year, it also seems unlikely that passing the legislation will be a priority for Congress, meaning that we will continue to have to wait to see if a US federal privacy law ever makes it on to the statute books.
Concerns over the renewal of Section 702 of the Foreign Intelligence Surveillance Act ("FISA") are likely to be a key privacy concern in the US in the upcoming year. Section 702 of FISA, which expired at the end of 2023, allows the US government to engage in targeted surveillance. FISA has been at issue in both Schrems data protection cases. It was a key aspect of the finding of the Court of Justice of the European Union that the EU-US Privacy Shield was invalid. The current government has suggested renewing FISA as is, but bipartisan concerns and public attention have prompted lawmakers to propose the Government Surveillance Reform Act, which would reform FISA – notably limiting law enforcement's capability to purchase electronic data of US citizens from third parties without a warrant and putting in place reinforced requirements for reporting and auditing how agencies have applied Section 702.
2024 looks set to be the year that reform of the UK data protection landscape becomes a reality and the Data Protection and Digital Information Bill ("DPDI Bill") becomes law. Following multiple delays (caused, in part, by political turmoil), and an anticipated period of scrutiny in the House of Lords during the first quarter of this year, the DPDI Bill is currently expected to receive Royal Assent in Spring 2024. That is, unless it ends up being deprioritised again behind more strategic initiatives in this general election year!
Touted as facilitating a more business-friendly privacy environment to drive innovation and reduce the compliance burden, only time will tell as to the true impact of the reform. In addition, we will have to wait and see if the UK has sufficiently toed the line to maintain its EU adequacy status. The UK government is certainly of the opinion that it has.
The last few years have been eventful when it comes to the topic of international data transfers. In Europe, we have seen 'Safe Harbors', 'Privacy Shields' and 'Frameworks' come and go in an effort to transfer data to the US. We've seen new Standard Contractual Clauses and the promise/threat of more to come. In the post-Brexit UK world, we have also now got 'Data Bridges', a UK Addendum to the SCCs and a UK International Data Transfer Agreement. Further afield, other jurisdictions have started adopting their own standard contractual clauses (e.g. China, Argentina, the DIFC).
2024, is unfortunately unlikely to resolve any of the confusion when it comes to international data transfers. It is widely anticipated that the new EU-US Data Privacy Framework will be challenged (and perhaps invalidated), although it is unclear what impact this could have on the UK extension to the Framework. As mentioned above, it is also unlikely that we will see a US federal privacy law that could alleviate some of the concerns about transfers to the US at least. Add to this the likelihood of other countries adopting their own versions of standard contractual clauses and the web of compliance measures to legitimise the transfer of data looks likely to continue to get more and more complex.
Whilst international flows of personal data remain a source of complexity, will 2024 see the EU further pursue "digital sovereignty" as a policy objective and, in turn, catalyse moves towards data localisation and regional practices? As the reverberations from Schrems II continue to be felt across the EU, organisations wishing to avoid the time, effort and cost of due diligence on transfers or implementing supplementary measures, may well prefer to self-select vendors based on hosting location to keep data in country/region rather than navigate the regulatory challenges now associated with international data transfers.
In addition, the EU Data Governance Act and Data Act include "GDPR-style" restrictions around transfers of non-personal data, and the ENISA proposed EU Cybersecurity Certification Scheme for Cloud Services could have the effect of moving even closer towards using solely EU-headquartered and operated "sovereign" cloud providers in order to attain the highest "high+" assurance level under the scheme. It will be interesting to watch the impact of global transfers as a whole in 2024 – in particular, we expect cloud service providers to continue to differentiate themselves in the market through their data localisation offerings.
The pace of regulation in the EU digital arena shows no sign of slowing in the year ahead. As organisations grapple with how to use new technologies responsibly, we will continue to see regulators looking to develop appropriate legislative frameworks to address the unique legal complexities that arise (including in respect of data) and encourage the uptake of trustworthy emerging technologies, without stifling innovation and investment in the technology. This is particularly true of artificial intelligence, where the EU is leading the charge with its tiered risk-based approach to regulating AI systems under the AI Act – which is still to be "rubber stamped" by the EU Parliament and Council of the EU before it will come into force later this year (with incremental application of its provisions).
Whether this high-profile piece of legislation will give rise to a similar worldwide "Brussels Effect" as was seen with the GDPR remains to be seen, although initial signs suggest maybe not. The UK, US and China all seem to be adopting a different approach and so it is even possible that the EU could become the outlier rather than the leader.
For further details on the EU AI Act, as well as the UK and Australia's approach to regulating AI please see our blog posts here, here, and here respectively.
2023 saw a proliferation of legislation coming out of the European Data Strategy and momentum is set to continue in 2024, when the interplay and practical reality of the legislation is likely to become clearer for organisations. Alongside the EU's flagship GDPR, the growing initiatives around the regulation of data beyond just "personal data" continue to be a priority, particularly in the form of the Data Governance Act and the Data Act. 2024 will start to test whether these legislative initiatives are able to achieve their aim of increasing trust in data sharing and facilitate access to, and use of, data within the EU.
Looking closer to home, and in an effort to unlock "the power of data for the UK" pledged by the DCMS in its National Data Strategy, will 2024 be the year that the UK's focus also goes beyond just "personal data" too? Or in a general election year will an 'overhaul' of the UK's data protection regime be enough
Close regulatory scrutiny of adtech looks unlikely to wane in 2024. 2023 saw unprecedented disruption in the form of binding EDPB decisions, regulatory enforcement action and multiple CJEU rulings resulting in Meta relying on three different lawful bases in quick succession when processing its users' personal data for targeted advertising purposes. The year ended with Meta proposing a subscription model for advertising-free services in the EU and 2024 is likely to be the year when regulators consider whether this concept of subscription-based models can give rise to valid consent to data processing.
It will also be interesting to see the impact of the 2023 enforcement activity on the targeted advertising models of providers in the adtech value chain, as we expect organisations to revisit their bases for data processing and look for privacy-friendly alternatives. As the provisions of the EU Digital Services Act are set to kick in for all in-scope entities in February 2024, we can also expect the year ahead to bring a greater focus on prohibitions and restrictions around "dark patterns" and a drive to mitigate the effect of their potentially manipulative or deceptive practices.
The regulatory spotlight continued to focus on cookies during 2023, although the approach taken by different regulators around Europe has not always been consistent with different regulators publishing different guidance materials for businesses. Perhaps partly because of this inconsistency and partly because of the still delayed ePrivacy Regulation, towards the end of 2023, the European Data Protection Board published its guidance on the technical scope of the cookie rules.
It seems likely in the face of all this regulatory guidance that the data protection supervisory authorities will continue to focus on cookie compliance in 2024, in particular given the concerns around targeted advertising discussed above. In addition, already in 2024 we have seen significant enforcement in the form of a EUR 10 million fine levied against Yahoo by the CNIL in France for alleged breaches of the cookie rules. So, could 2024 be the year when the cookies bite back?
At the close of 2023, several MPs flagged concerns over the ICO's response to regulating facial recognition, citing concerns that the proliferation of facial recognition technology companies raised concerns over misuse of this information and introduced risks of misidentification. The ICO has recognised that such facial recognition relies on sensitive data and indicated that it shall continue to investigate concerns relating to use of facial recognition, including pursuing its ongoing action against Clearview AI.
The ICO had fined Clearview £7.5 million for scraping photos of individuals from the internet, notably from social media, to generate profiles on individuals and provide such information to foreign law enforcement agencies. On appeal, the First Tribunal found that Clearview's activities fell out of scope of the UK GDPR as they related to processing activities undertaken by foreign law enforcement authorities. The ICO is seeking to appeal the decision and stated that this decision will not deter it from acting against "companies based internationally [...] particularly businesses scraping data of people in the UK".
Children's privacy has also attracted attention from regulatory bodies across the UK, EU and the US in 2023. The ICO emphasised the importance of children's privacy throughout 2023, notably partnering with the Department for Education to introduce child and parent friendly portals and codes of practice and publishing guidance for developers on children's privacy in the gaming industry to incorporate data protection into game design.
This momentum is likely to continue into 2024 and will likely cross over with discussions on the Online Safety Act which came into force in late 2023 and includes statutory duties relating to "lawful but harmful" content accessible to children. Children's privacy is also part of the EDPB's 2023/24 work programme and remains a headline issue as Tik Tok prepares to appeal its €345 million fine relating to age verification processes and default settings. Children's privacy is also a concern in the US, where the Federal Trade Commission has proposed amendments to the Children's Online Privacy Protection Rule ("COPPA Rule") to restrict the ability to use and disclose children's personal data and limit monetisation of children's data.
2023 saw a glut of interesting and influential privacy-related decisions coming out of the European Court of Justice, including decisions that, on the one hand, the fear of misuse of personal data was sufficient to be a non-material damage under GDPR and, on the other hand, infringement of the GDPR alone was insufficient for damages.
And the privacy cases look set to continue in Europe in 2024. There are currently multiple GDPR questions referred to the European court, including with respect to transparency obligations when undertaking profiling activities. In addition, with all eyes on the ongoing data transfers saga, it remains to be seen whether 2024 will be the year for Schrems III.
And finally, will 2024 be the year that the EU supervisory authorities start to pull in the same direction with respect to GDPR enforcement? It cannot be denied that significant enforcement of the GDPR across Europe has perhaps not been as successful as everyone imagined in 2018 with the GDPR came into force. Large investigations have spanned several years before reaching a conclusion and there have been numerous enforcement decisions proposed by a lead supervisory authority which have been subject to objections from other interested supervisory authorities, resulting in referral to the EDPB. In addition, some supervisory authorities have been bypassing all of this by focussing on enforcement of the ePrivacy rules which can be done at a national level and without consultation with others. The so-called 'one stop shop' has actually involved several shops.
However, the EU Commission has now proposed a new Procedural Aspects Regulation designed to streamline the process and coordinate and align the supervisory authorities more across Europe. Will this result in more significant enforcement action in the future?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
