Data protection | UK Regulatory Outlook April 2023

UK ICO issues guidance for developers and users of generative AI

The Information Commissioner's Office (ICO) has published a press release which presents eight questions that developers and users need to ask when using generative artificial intelligence (AI). 

This comes after the circulation of news stories regarding ChatGPT, which has led to a focus on potential data privacy issues globally, most significantly in Italy where the Italian data protection authority has taken action against Open AI (the company behind ChatGPT). The European Data Protection Board (EDPB) has also announced the launch of a task force on ChatGPT to encourage cooperation and exchange of information between the EU's national data protection authorities.  

The ICO states in its press release that while these technologies are novel, the applicable data protection law principles remain the same. It has also recommended that organisations using generative AI should take a data protection by design and by default approach.

MEPs raise concerns over proposed new EU-US adequacy decision

Civil Liberties Committee MEPs opposed the adoption of the draft adequacy decision by the European Commission on the EU-US Data Privacy Framework earlier this month.

They argue that the framework does not provide for sufficient safeguards, highlighting that the EU-US Data Privacy Framework "still allows for bulk collection of personal data in certain cases, does not make bulk data collection subject to independent prior authorisation, and does not provide for clear rules on data retention".

Another reason for the objection was that the MEPs found that the proposed Data Protection Review Court (DPRC) (the court intended to provide redress to data subjects) would make any decisions in secret, therefore violating citizens' rights to access and rectify data about them. The MEPs were also concerned that DPRC judges could be dismissed by the US president who has the constitutional power to do so, and could also overrule decisions of the DPRC, invalidating its position as an independent body.

UK data protection reform update: second reading of DPDI bill on the 17 April

Further to last month's update, the Data Protection and Digital Information Bill (DPDI) received its second reading in the House of Commons on the 17 April.  It will now go through the Committee Stage.  At present, we expect it to come into force later this year or early next year, depending on parliamentary progress.

For more information, please read our Insight.

ICO responds to Office for Artificial Intelligence White paper: AI regulation

At the end of March, the UK government published a white paper on artificial intelligence (AI), entitled "A pro-innovation approach to AI regulation".  The white paper shows the government's new "flexible" approach to regulating AI, with the aim of building public trust in AI, making it easier for businesses to grow and create jobs.  The government's aim is to "avoid heavy-handed legislation", and instead empower existing regulators to prepare tailored approaches to suit how AI is used in each specific sector.  In response to this, the ICO has welcomed the proposed framework and set out some further recommendations for the government to consider.

Our AI specialists have written an Insight on what the white paper will propose and how it will work.

See also the Cyber security section.

EDPB finalises guidance on various GDPR topics

Following public consultations, the EDPB has adopted final versions of both updated and new guidance on the following topics.

Personal data breach notification requirements under the EU GDPR: The EDPB has finalised its updates to its existing guidance on personal data breach notification requirements. The updates clarify that, in the event of a personal data breach impacting individuals in multiple EU countries, controllers not established in the EU (where the one-stop-shop is not available) must notify multiple EU data protection authorities (DPAs).  While concerns were raised by stakeholders during the consultation regarding operational issues arising from notifying multiple DPAs, these updates remain in the final version adopted by the EDPB. 

Identifying a controller or processor's lead supervisory authority under the EU GDPR: The EDPB has updated its existing guidance on identifying a controller or processor's lead supervisory authority to clarify the position where there is joint controllership.

Guidelines on the right of access under the EU GDPR: The EDPB has finalised new guidance on the right of access under the EU GDPR. The guidance covers how the right of access has to be implemented in different situations and also clarifies the scope of the right of access, how a controller can provide access, and guidance on the limits and restrictions on the right of access (such as the notion of manifestly unfounded or excessive requests).

UK High Court rules immigration exemption in the Data Protection Act 2018 is unlawful

Following a case brought forward by the3million and the Open Rights Group, the High Court has ruled that the government's second attempt at an immigration exemption in the Data Protection Act 2018 is unlawful and must be made clearer. The government must now make further changes to the exemption to make it compliant.

Speaking on the matter, Information Commissioner, John Edwards said, "Clarity in what the law requires is crucial for it to function well. The changes this judgment requires will bring greater certainty, which will allow for effective immigration processes while supporting people's rights".

ICO issues guidance on direct marketing and regulatory communications

Please see Advertising and marketing.