2024 in review: tracking key data protection developments

As we approach the final quarter of 2024, it’s an opportune moment to revisit the data protection trends and developments that were anticipated at the end of 2023 (read our article on this here). Now, let’s see how those predictions have played out.

The Data Protection and Digital Information Bill (DPDI Bill)

It was expected that this Bill would become law in Spring 2024, introducing significant changes. Among these were adjustments to the criteria for charging fees related to data subject access requests and a new legal basis for processing data under recognised legitimate interests.

However, the legislative journey of the DPDI Bill took an unexpected (or some may say, very much expected) turn. Although the Bill had successfully passed the Committee Stage in the House of Lords on 24 April 2024, it was subsequently dropped following the previous Prime Minister’s announcement of a general election. This legislation will no longer come into force, unless the new Government decides to revive it.

Artificial Intelligence (AI)

AI’s expanding role in the workplace was one of the major trends we anticipated for 2024. From customer service to recruitment, AI’s influence on business operations is undeniable. We expected increased regulatory focus on AI, particularly concerning transparency, security and compliance with data protection laws.

While the ICO did not release new AI-specific guidance in 2024, it did take a step forward by launching a consultation series on the application of data protection laws to generative AI – AI that creates content such as text, code and images – which presents unique challenges compared to simpler AI models. This consultation, which concluded on 10 June 2024, aimed to clarify complex issues like the lawful basis for AI training, purpose limitation, accuracy and data subject rights. The outcomes of this consultation are eagerly awaited and could shape the regulatory landscape for AI in the years to come.

International data transfers

2023 saw considerable activity in international data transfers, including the implementation of the EU-US Data Privacy Framework, which allowed UK businesses to transfer data to certified US organisations. We anticipated that this framework might face legal challenges in 2024, echoing past Schrems litigation.

Instead, the European Commission has recently initiated a call for evidence, inviting feedback by 6 September 2024, to assess whether the EU-US Data Privacy Framework is functioning effectively. It will be interesting to see if the anticipated legal challenges materialise.

Additionally, the UK’s new role as an associate member of the Global Cross Border Privacy Rules (CBPR) Forum was expected to lead to more international transfer agreements and potential membership expansion to other countries. The UK remains the only associate member. However, the Forum has made notable strides, establishing the Global CBPR and Global Privacy Recognition for Processor systems in April 2024, with accountability agents now active in Japan, Korea, Singapore, Chinese Taipei, and the United States.

Melanie Pimenta

Associate

+44 118 960 4653

ICO Cookie regulations

In late 2023, the ICO raised concerns about the prominence of ‘accept all’ buttons in cookie banners, stressing that rejecting non-essential cookies should be equally straightforward. The ICO warned several popular websites about possible enforcement actions if they failed to comply with these standards. An update from the ICO was expected for January 2024, including information on non-compliant companies.

The ICO did provide an update in January this year, revealing that out of the 53 organisations it contacted, 38 had adjusted their cookie banners to be compliant and four had committed to reach compliance within a month. The ICO continues its efforts to ensure all websites offering services to UK users adhere to these standards, urging organisations to act before enforcement measures are necessary.

Data breaches

Major data breaches in 2023, including those involving the UK Electoral Commission and the Police Service of Northern Ireland (PSNI), were under investigation by the ICO. We anticipated that penalties would be announced in 2024.

The ICO has since fined the PSNI £750,000 for failing to protect the personal data of its workforce – a breach caused by human error that led to serious concerns over safety. In contrast, the Electoral Commission received only a reprimand, despite a serious hack that exposed vulnerabilities in its systems. The ICO’s investigation found that the Electoral Commission lacked adequate security measures, prompting it to take remedial steps to enhance its protection against future attacks.

As 2024 progresses, it’s clear that some of the year’s predictions have materialised, while others have taken unexpected turns. The ongoing developments in data protection underscore the dynamic nature of this field. Organisations must remain vigilant and adaptable to navigate the complexities of the evolving regulatory landscape.

Speak to our Data Protection team today for legal advice and assistance.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
