close
close

Data law | UK Regulatory Outlook for May 2024 – Osborne Clarke

Posted on by darion

DPDI bill falls after UK election announcement | UK Government publishes Smart Data Action Plan | AI ICO strategy

DPDI bill falls after UK elections announced

Parliament has been suspended following the announcement of the UK general election on July 4, 2024. This means that any regulations that were not adopted in the short preparatory period, which ended on May 24, 2024, will now disappear and we will have to wait for the newly elected government to introduce these regulations. More details about the washing period can be found in our Statistics.

The Data Protection and Digital Information (DPDI) Bill was at report stage in the House of Lords when Parliament was adjourned in June, and work on it in Parliament had not accelerated in the run-up period. This means that the bill has failed and the new government can re-introduce it (such bills would have to start the parliamentary process from scratch), but there is no such obligation.

The UK Government publishes its Smart Data Action Plan

The UK Department for Business and Trade has published the Smart Data Roadmap setting out how it intends to use its powers under the DPDI Act to legislate secondary law in relation to ‘smart data’ systems. The government’s goal is for these intelligent data systems to facilitate the secure sharing of customer data, upon customer request, with “authorized third-party providers” who will then enrich this data with broader contextual business data.

The action plan covers the following seven sectors:

  • Banking and finance;
  • energy and road fuels;
  • telecommunication;
  • transport;
  • retail sales; AND
  • buying a house.

Each of these sectors will go through four stages of implementation – identification, consultation, design and implementation – and the roadmap provides more detailed information on these stages in the context of each sector.

The action plan is part of a wider government strategy to increase businesses’ access to many different types of data, which in our experience has been warmly welcomed. However, the roadmap in the roadmap shows that the government is still at the beginning of creating a smart data economy and it is clear that some sectors are further along on this journey than others. It is therefore uncertain when enterprises will be able to start reaping the benefits of smart data systems. Since the DPDI bill, which would have given the government the power to issue implementing regulations for smart data systems, died after the election was called, it will be up to the next government to decide whether to reintroduce the bill and continue working on the regulations.

AI ICO strategy

The Information Commissioner’s Office (ICO) has published its strategic approach to artificial intelligence (AI), as requested by the government in its response to the Artificial Intelligence White Paper. For more information, see the AI ​​section.

The ICO report contains the following information:

  • Highlights topics at the intersection of his remit and AI (such as personal data for core training models, high-risk AI and fairness, facial recognition and biometrics, children and AI).
  • It explains how the principles of data protection law align well with the UK’s ‘high-level principles’ set out in the Artificial Intelligence White Paper.
  • Provides an overview of the ICO’s work and guidance on artificial intelligence, including a list of enforcement activities.
  • Provides an overview of the ICO’s planned work on artificial intelligence, including a series of consultations on generative artificial intelligence (see AI section), a consultation on biometric classification technologies, and planned updates to the ICO guidance in spring 2025 on ‘Artificial Intelligence and Data Protection’. and “Automated decision-making and profiling.”
  • It highlights upcoming AI work being led by the ICO’s regulatory sandbox, including a system to help prevent falls in older people, personalized AI for people affected by cancer, AI to help identify people who may be at risk of domestic violence, and AI used to remove personal data from drone photos.
  • Later this year, the ICO plans to publish an audit report on AI recruitment solution providers and review AI technology used in education and juvenile detention services.
  • Finally, the ICO outlines the extent of its collaboration with other regulators, including the Digital Regulators Collaboration Forum, the Regulators and Artificial Intelligence Working Group, government, standards bodies and international partners.

In relation to its own AI capabilities, the ICO notes that “in the future, almost all data protection positions at ICOs will involve AI to some extent” and expects its AI and data analytics team, currently consisting of ten people working full-time on AI management, to grow in the coming years. ICO reports that it currently has a customer service chatbot powered by artificial intelligence and algorithmic email tool triage is also developing an AI solution that will help identify websites using non-compliant cookie banners.

The European Parliament’s Civil Liberties Committee writes to the House of Lords European Affairs Committee inquiry into data adequacy

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has written to the European Affairs Select Committee of the UK House of Lords to ask about the data adequacy decision and its implications for UK-EU relations (see this Regulatory Outlook for more information).

The Commission expressed its concernson the overall direction of UK Government data policy“and warns that the provisions of the DPDI Act”may increase the UK’s divergence from EU data standards, casting doubt on the validity of adequacy arrangements“. The committee’s main concerns included the dilution of the definition of ‘personal data’, the potential for the ICO’s role to be undermined and EU international transfer rules being circumvented for countries not considered ‘adequate’ under EU law.

When proposed, the DPDI Act was the first major divergence in data protection between the UK and the EU since Brexit and is part of a wider pro-business approach taken by the UK Government. It is therefore not surprising that some concerns are being expressed in Europe, but it remains to be seen whether these concerns will be strong enough to potentially jeopardize the UK’s adequacy decision. Now that a UK election has been called, the DPDI Bill will not continue (see above), but the concerns expressed therein may have significance in the longer term if the next UK Government reconsiders the DPDI Bill or an alternative form of divergence.

The EDPB adopts an opinion on ‘consent or payment’ models.

The European Data Protection Board (EDPB) has adopted an opinion on the validity of consent under the General Data Protection Regulation (GDPR) for the processing of personal data for behavioral advertising in the context of consent-or-pay models.

According to the EDPB, while consent-or-pay models are not prohibited per se, in most cases it will be difficult for platforms to demonstrate valid consent if they only give users the choice between (1) consenting to the processing of their personal data for behavioral advertising purposes and (2) pay a fee for access to the service without using his personal data in this way. This is partly because the EDPB considers that such consent would not meet the GDPR requirements regarding its voluntariness, awareness, specificity and unambiguity. The controller would therefore need to be able to demonstrate that, irrespective of the EDPB’s opinion, its specific model was designed to meet consent requirements.

Details of potentially different travel destinations for consent-or-pay models in the UK can be found in our previous regulatory forecasts.

The ICO publishes its fourth call for submissions on generative artificial intelligence and data protection

See the AI ​​section.

ICO report on cybersecurity breaches

See the Cybersecurity section.