Data law | UK Regulatory Outlook January 2024

This year is shaping up already to be a busy one in the world of data protection and broader data regulation. For this January edition of our Regulatory Outlook, Osborne Clarke's data experts have provided an overview of data protection developments and predictions for 2024, the UK Information Commissioner's Office's (ICO) priorities for this year, broader data regulation trends, and finish with some key dates to be aware of for 2024.

We have renamed this section "Data law" as there are an increasing number of new data laws we are reporting on  which are not specific to data protection (such as the EU's Data Act or the UK's Smart Data schemes) or areas of law which intersect with data protection (such as regulation of artificial intelligence or digital regulation).

To stay up to date with these developments, please keep an eye out for future editions of our Regulatory Outlook, our Dipping into Data series of webinars and our Annual Data Event which will return later this year. 

Hot data protection topics for 2024

UK data protection reform 

One of the main questions since the UK General Data Protection Regulation (GDPR) became its own distinct regime from the EU GDPR is how  far will the UK GDPR diverge from the European framework?

The Data Protection and Digital Information (DPDI) Bill, which sets out the current proposal to reform UK data protection law, has completed its readings in the House of Commons and is currently progressing through the House of Lords with the expectation that it will become law in spring 2024.

It has undergone a number of amendments during its passage through Parliament – you can find our summary of the key changes here. Most recently, the DPDI Bill was amended to include potentially controversial provisions giving the secretary of state a new power to obtain information for social security purposes (i.e. benefits information), and giving Ofcom the power to require internet service providers (including social media companies) to retain information in connection with an investigation by a coroner into the death of a child suspected to have taken their own life.

The bill represents a balancing act between demands to give organisations the ability to use data responsibly (for example, setting out further circumstances where they can rely on legitimate interests to lawfully process personal data) and ensuing that personal data remains protected. It also reflects the need for the UK to maintain its adequacy decision with the EU (which enables the free flow of personal data from the EU to the UK).

Once the bill receives Royal Assent, businesses should consider what changes they could or should make to their existing governance frameworks, particularly to take advantage of potential relaxations in certain requirements (for example, around records of processing). Businesses with operations in both the UK and the EU will need to consider whether they can (and would want to) continue to adopt a single approach to compliance across both, irrespective of the changes being introduced by the DPDI Bill.

International data transfers 

2023 saw a number of key changes in the sphere of international data transfers. On 11 July 2023, the new EU-US Data Privacy Framework (the much-anticipated replacement to the Privacy Shield) went live. Following hot on its heels, on 12 October 2023, the new UK-US Data Bridge was introduced, extending the mechanism (essentially a partial adequacy decision, which did not apply to the UK post-Brexit), to apply to transfers of personal data from the UK to the US. At the end of 2023, we saw the ICO issue guidance for organisations completing transfer risk assessments for transfers of personal data from the UK to the US.

Separately, the ICO has also introduced a UK Binding Corporate Rules (BCRs) Addendum, which will enable existing EU BCR holders to complement and widen the scope of their EU BCRs to cover UK data transfers without the need for a wholly separate UK BCR application and policy.

Further important developments are likely in 2024. To add to the utility of the EU-US Data Privacy Framework (as extended by the UK-US Data Bridge), we expect to see the Swiss government recognise the framework as adequate, enabling transfers of personal data from Switzerland to the US under the framework. Conversely, we expect to see further challenges to the EU-US Data Privacy Framework: privacy activist Max Schrems (who has challenged the previous two EU-US transfer mechanisms) has indicated an intention to commence legal proceedings on the basis that the framework does not do enough to protect EU citizens' personal data. A crucial question at that point would be whether the UK-US Data Bridge could survive even if the EU-US Data Privacy Framework failed.

The EU-UK Adequacy Decision, which is a decision made by the European Commission that maintains the free flow of personal data from the EU to the UK under the EU GDPR, is expected to last until 27 June 2025. The European Commission will start work later in 2024 to determine whether to extend this adequacy status up to a maximum of another four years. We expect that the European Commission will be closely following the Data Protection and Digital Information Bill developments as part of this review.

Lastly, ahead of 21 March 2024, we expect to see a last flurry of businesses looking to implement the new EU standard contractual clauses (SCCs) and the UK Addendum or the UK standalone international data transfer agreement, as businesses still relying on the pre-GDPR SCCs to transfer personal data from the UK to non-adequate countries have until that date to transition to another transfer mechanism before the pre-GDPR SCCs cease to apply.

Harmful website designs (aka dark patterns)

In 2023, the ICO and UK Competition and Markets Authority (CMA) joined forces in warning businesses to stop using harmful website design tools (such as dark patterns) that can influence a consumer's decision and online behaviour about the way their personal data is used; for example nudging them towards giving up more data than they would like. These design tools include privacy-intrusive default settings and pop-ups that make it harder to refuse cookies than accept them.

Following this, the ICO made clear at its October ICO Data Protection Practitioner's Conference that non-compliant cookie consent mechanisms (for advertising cookies) remains an important focus of its enforcement strategy. Then in November it issued warnings to some of the UK's top websites that they face enforcement action if cookie consent mechanisms are not up to scratch, for example where  it is not as easy for a user to "Reject All" advertising cookies on their website as it is to "Accept All" such cookies.

We predict continued regulatory focus from the ICO in 2024 on harmful website design practices, particularly on what the ICO perceives to be non-compliant cookie consent mechanisms (for which it plans to provide an update in January on its recent enforcement efforts), and increased collaboration with the CMA.

Businesses should review their website designs, particularly cookie consent mechanisms, to check whether they are adopting any of the dark patterns identified by the ICO and the CMA, and assess what changes (if any) to make as a result.

Online advertising 

Increasing regulatory scrutiny of the online advertising ecosystem across Europe has been a consistent theme for 2023 – regulators (in the EU, in particular) and courts (specifically, the Court of Justice of the European Union (CJEU)) continue to push for consent as the only valid lawful basis for online advertising activities (away from legitimate interests and contractual necessity) and there has been further scrutiny over cookie consent practices. We can expect further developments throughout 2024.

In particular, towards the end of 2023, the European Data Protection Board (EDPB) published draft guidelines for consultation on the technical scope of the cookie requirements in Article 5(3) of the e-Privacy Directive. The draft guidelines clarify that the scope of the rules (that require user consent) apply beyond traditional cookies to a vast array of other technologies that are intended to track users online, including those often used in the online advertising industry . The public consultation closes on 18 January 2024 and therefore we can expect the final guidelines sometime thereafter. 

The European Commission has also published a draft set of high-level principles in relation to advertising cookies (its "cookie pledge"), which is intended to address "cookie fatigue" by simplifying the management of cookies and personalised advertising choices by consumers. The European Commission is currently taking feedback, including from the EDPB (who has issued an opinion on the current draft), and aims to finalise the principles by April 2024. Even once finalised, the principles will be voluntary only.

In 2024, it is possible we will receive  the CJEU's highly anticipated judgment on a number of questions raised by IAB Europe in relation to the application of the EU GDPR to its Transparency and Consent Framework (TCF), following enforcement from the Belgium data protection authority. The TCF is a widely adopted tool across the adtech ecosystem for communicating users' choices with respect to the use of their personal data for online advertising purposes, and uncertainty remains around the long-term viability of this framework pending this judgment .

As noted already above, in the UK, the ICO has announced its intention to enforce cookie requirements, particularly in relation to websites that fail to provide users with an easy "Reject All" button for advertising cookies within their cookie consent banner. In issuing this warning, the ICO noted that this "action is part of our broader work to ensure that people's rights are upheld by the online advertising industry", perhaps indicating that further developments in this area can be expected in 2024. 

In light of increasing scrutiny from regulators and courts we are seeing a growing number of organisations in Europe move to a "consent or pay" model , whereby an individual either consents to the use of their data for online advertising purposes or alternatively pays for the service. In Europe, this model has already attracted the attention of privacy activists (in relation to whether this is valid consent under the GDPR) and, as such, we predict that we will hear further comments from the regulators on the viability of this model in 2024. 

Businesses that use personal data for online advertising purposes should review what lawful basis they are currently relying on in respect of that processing, and – if relying on legitimate interests or contractual necessity – they should assess whether that is still the appropriate lawful basis (in light of the developments set out above). Organisations that operate in the UK and the EU should consider how that assessment may vary between the two regions, particularly as most of the case law and enforcement action on this issue is currently  coming out of the EU (although that is changing with the ICO's action on cookie banners).

Artificial intelligence 

Data protection issues related to the increasing use of artificial intelligence (AI) in our daily lives has been a focus area for the ICO for some time. There were a number of developments on the topic of AI from the ICO in the form of guidance (such as a warning to businesses on the data protection risks of generative AI, as well as guidance for developers on the same) and enforcement (its fine of Clearview AI).

Towards the end of 2023, the Information Commissioner warned companies about consumers' trust in AI, reminding businesses in a speech at TechUK’s Digital Ethics Summit 2023 that "privacy and AI go hand in hand – there is no either/or here". We expect in 2024 that privacy and AI will continue to be a principal focus for the ICO.

This will be coupled with an increase in wider AI regulation. Late on Friday 8 December, negotiators for the European Parliament and Council of the EU reached a political agreement on the shape and contents of the EU AI Act. The agreed text is not yet available, and the first full draft may not be ready before the end of January or later. Nevertheless, from the press releases from the Parliament and Council, and various other press reports and posts, we can build a picture of the scope and structure it will take. For the Parliament to have sufficient time to adopt the text before the June elections, the technical drafting must be complete by the end of February. While the EU AI Act will not apply in the UK, it will affect UK businesses operating in the EU, making it necessary to establish an AI governance programme in good time for the relevant deadlines.

Businesses that are developing or considering using AI should properly assess the data protection (and other) risks of doing so prior to implementation.

Certifications 

As previously reported, in 2022 we saw the first GDPR certification scheme called "Europrivacy" receive formal approval. Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection regulations. Organisations with certified data processing activities can identify and reduce their risks and demonstrate their compliance to help enhance their business reputation and improve access to markets.

Throughout 2023, we have seen these schemes gradually improve and they have the potential to become something much more significant through the course of 2024.

Osborne Clarke is an official partner for the scheme and our team of experts can assist with your compliance – see more information. As the benefit of such initiatives start to bear fruit, we expect many more organisations to seek accreditation and further organic growth of industry codes of conduct.

ICO priorities for 2024 

ICO25 plan 

In 2022, the ICO published the ICO25 plan, which established its targets for the next few years and its annual action plan for October 2022 to October 2023. This included a number of actions to safeguard and empower people, to empower responsible innovation and sustainable economic growth, to promote openness and transparency, and to develop the ICO's culture, capacity and capability.

In 2023, we saw the ICO follow through on a number of its proposed actions (although certainly not all of them), such as developing a subject access request tool to help individuals submit subject access requests in a way that is more helpful for organisations to be able to respond, and a series of new guidance.

At this time, we are still waiting for the ICO to publish its 2023-2024 annual action plan, although we would predict the ICO's priorities and actions are likely to remain the same for 2024. 

ICO guidance 

2024 promises to be another year of new and updated ICO guidance following consultations on employment data, biometrics and data transfer risk assessments to the US. We are still waiting for the ICO's much-anticipated guidance pipeline (part of its ICO25 plan), at which point it will become clear what more we can expect from the ICO.

This year we are hoping that the clause-by-clause guidance on how to use the International Data Transfer Agreement and UK Addendum will finally be published.  Further guidance is also expected on new technologies and further sector-specific guidance as part of its ICO25 plan.

Enforcement predictions 

In accordance with its ICO25 plan, the regulator is likely to continue to focus its enforcement on certain areas where it sees the greater risks to society (including the most vulnerable). As was the case in 2023, we expect the ICO to continue to enforce through a combination of fines, warnings and reprimands with increasing publicity for its enforcement action.

Those areas on which we predict the ICO will focus its attention in 2024 are:

• Cookie compliance/online advertising. As already mentioned, one area we expect will receive increasingly more of the ICO's attention is harmful online designs, most notably the use of advertising cookies without adequate cookie consent mechanisms. We can expect an update from the ICO on its enforcement action in this area at the start of 2024.
• Children's data. Following on from its work on its Age Appropriate Design Code, a clear focus for the ICO continues to be on ensuring that organisations are following the code - we expect this to continue, particularly in the context of an expected focus by online platforms on wider child-harm issues as a result of the UK's Online Safety Act.  
• New technologies (such as AI and biometric data). 2023 saw the ICO increase its scrutiny on organisations' use of AI and biometric technologies (such as Clearview AI's facial recognition technology and a generative AI chatbot used by a social media service), and we predict this will continue into 2024 as more and more organisations are looking to implement these technologies into their businesses.  
• Direct marketing. The ICO continues to actively enforce spam-marketing and cold-calling requirements,  and we expect this to continue throughout 2024.

Data regulation – beyond data protection in 2024

Data protection law is a fundamental  pillar of the data regulation world, but its importance is  at risk of being eclipsed by the wave of other data regulation set to tantalise lawyers through 2024 and beyond.

In the EU, there is an increasing body of regulation governing (certain) organisations' access to, use and sharing of data (whether personal data or otherwise). In particular, the Digital Markets Act, Digital Services Act, the Data Governance Act and the Data Act have each either come into effect recently or will come into effect over the next couple of years. Many aspects of that new regulation intersect with existing data protection laws.

The UK is taking a different approach, at least in the short to medium term. Although the UK has a similar objective to the EU of unlocking the value of data across the economy, it is not currently pursuing horizontal, cross-sector regulation; instead choosing to take a more sector-specific approach. Part 3 of the DPDI Bill proposes to introduces new regulation-making powers to enable Smart Data schemes to be introduced in any given sector. At the same time, the Department for Science, Innovation and Technology is consulting on the potential benefits and challenges of introducing a smart data scheme into the UK telecoms market, in the form of the Open Communications scheme. The Financial Conduct Authority has also published a call for input on the potential competition impacts from the data asymmetry between Big Tech firms and financial services firms.

It is more important than ever for data teams to be aware of the intersection of data protection with other areas of existing (or pending) regulation and to work together with other teams and experts to address issues in a holistic, forward-thinking and practical manner.

Key dates

Data Protection and Digital Information Bill expected to pass (or fail)

Key Date: Spring 2024 (predicted)

Why is this important?

The DPDI Bill aims to reduce data protection burdens on businesses now that the UK is no longer part of the EU. This includes lessening record-keeping obligations for processors and controllers, changing thresholds for charging data subject requests, and changing the circumstances in which a company can rely on legitimate interest as a lawful basis for processing. It will also cut down on "user consent" pop-ups. The bill is currently in its second reading in the House of Lords and is expected to pass by spring 2024. However, this is not guaranteed: in part because the UK government will be mindful of the risks involved in diverging too far from the EU GDPR, given that the EU-UK adequacy decision is scheduled for review in 2024.

EU Data Act will become law in 2024
Key Date: January 2024

Why is this important?  

The EU Data Act intends to establish a single market for data, which has the potential to fundamentally change the environment for data-driven business models in the EU. The proposed regulation tries to establish a cross-sectoral governance framework for data access and use, for individuals, organisations and EU public authorities. The Data Act includes provisions that regulate connected products, as well as data processing services and data transfers. It offers opportunities and challenges, and what will prevail will depend on a company's business model and its ability to adapt and prepare. The Data Act received approval at the end of 2023 and was published in the official journal on 22 December 2023, meaning it will become law on 11 January 2024. However,  the obligations will not apply until September 2025, and certain provisions will have a longer date before application (such as requirements relating to providing access to data for new products). 

Deadline to implement the new UK data transfer agreements for transfers under the UK GDPR

Key Date: 21 March 2024

Why is this important?

We expect to see a last flurry of businesses looking to implement the new EU SCCs and UK Addendum or the UK standalone international data transfer agreement as businesses still relying on the pre-GDPR SCCs to transfer personal data from the UK to non-adequate countries have until that date to transition to another transfer mechanism before the pre-GDPR SCCs cease to apply.