Data protection reflections and predictions

December 2023

What’s been most significant in the world of data protection in past year? And what do we think will be taxing our minds in the year to come? We’ve asked some friends to share their thoughts. Grab a cuppa, sit back and enjoy our musings.

Christopher Whitewood, Privacy and Data Protection Officer, Direct Line Group

2023 was the year that AI got real! AI moved from a debate among subject matter experts to becoming boardroom concern. The risks of AI have been widely publicised from your Terminator/Matrix doomsday scenarios, but many businesses have successfully deployed AI to streamline burdensome processes and generate efficiencies.

AI will remain a hot topic throughout 2024 and beyond. Organisations will need to consider how they can build privacy and security into model designs; explain any model deployments and ensure customer outcomes remain fair. Privacy professionals will need to develop their knowledge of AI to have meaningful conversations with interested business areas and aim to enhance their Data Literacy skills. Privacy support will be crucial to help design processes and governance that permit effective, but controlled innovation.

Businesses will need to keep a watchful eye on regulatory developments, following agreement of the EU AI Act and progress of the UK Government’s approach to AI regulation. 2024 will certainly not be dull!

Dominic Batchelor, Head of IP and Privacy, Royal Mail Group

Whilst the implications of AI will continue to feature prominently during 2024, the new year is also likely to bring first proper post-Brexit divergence of UK data protection laws from the EU. This is both in terms of the substantive changes proposed by the Data Protection and Digital Information (No.2) Bill – notably, the loosening of accountability requirements – and the UK’s potential establishment of ‘data bridges’ to countries the EU does not consider adequate.

How this impacts the UK’s adequacy from an EU perspective remains to be seen, but concerns are bound to be raised, with questions resurfacing about the need to bolster EU-UK data transfers. We should also expect the ICO to use any increased scope for issuing fines for PECR breaches and consequently for organisations to focus more on PECR compliance.

Redouane Serroukh, Head of Information Governance & Risk, NHS Integrated Care Board of Herts and West Essex

2023 has been a record-breaking year for GDPR fines with Ireland’s Data Protection Commission (DPC) leading the way with a whopping €1.2 billion fine after it found Meta to be in violation of GDPR when transferring personal data from the EU to the US. The DPC also found time to fine Meta €390 million earlier in the year, for falling foul of the requirements of consent for advertising. Meta was not the only company on the DPC’s radar, with TikTok also receiving a €345 million euros fine for its handling of underage users’ data.

Here in the UK, the ICO’s highest fine in 2023 was also handed to TikTok to the tune of £12.7 million for illegally processing the data of children under the age of 13.

The ten highest fines issued under the UK or EU GDPR have been focused on many of the tech companies with WhatsApp, Spotify and Clearview AI also making it on to the list. It would appear the regulators are not afraid to go for the big companies with equally big fines and are hoping that these will serve as reminders to other companies, big or small, that GDPR compliance is just as important as it has ever been.

Robert Bond, Senior Counsel, Privacy Partnership

For UK/EU to US transfers, we have had Safe Harbour, then Privacy Shield, and in 2023 we got the Data Privacy Framework and the UK Data Bridge. The EU and UK seemed to judge US as an adequate jurisdiction…. but Max Schrems and NOYB have other ideas.

Max Schrems, has said “They say the definition of insanity is doing the same thing over and over again and expecting a different result. Just like ‘Privacy Shield’ the latest deal is not based on material changes, but by political interests.”

Personal data constantly moves internationally, and businesses need solutions. The EU Standard Contractual Clauses are influencing other jurisdictions such as the Middle East, South America, Africa and the Far East. In due course, we may get international data transfer conventions such as the OECD initiative, Data Free Flow with Trust (DFFT).

In my view the DFFT will be a major influence on a global solution, but I think we will see more bilateral agreements in the meantime. Also the EU is likely to speed up the “adequacy” approach, particularly as more and more countries are implementing GDPR-influenced privacy laws.

Sara Howers, Data Protection Officer UK, CGI

2023 has been a frustrating year, waiting to see what/when/if the UK Data Protection and Digital Information Bill (DPDI) will ever see the light of day. Now it’s going through yet another round, with some hat tipping to PECR changes and some AI musings. Until it’s finalised, who knows where it will really land with adequacy rulings, especially now there’s some discussion around revising Human Rights and Equality Bills.

Although, I’m sure most of us have briefed our Senior Management Team about the need for a SRI (Senior Responsible Individual) and how this might change the DPO’s numerous reporting lines (if we still have a DPO?).

The new ICO public listing of the cases their workers are dealing with is also somewhat frustrating. There appears to be no right to query their outcomes which are public entries, especially when you have evidence their conclusions may not be correctly attributed.

I’m sure I won’t be alone when I expect 2024 to be “all about AI”, and I also expect an uptick in Data Subject Access Requests. With many more questions around ADM (automated decision making) and what algorithms are making what decisions, means time for everyone to give their Privacy Notices an overhaul.

Michael Bond, Group Data Protection Officer – News UK

Back in the summer, I wrote personally to the Public Bills Committee about the DPDI No2 Bill (as it was then). I asked Government to really grasp the opportunity to innovate in the data protection space, rather than tinker about. I am now concerned, as I am sure others are, that government has not only failed to take the opportunity to show global leadership on data protection issues, but has in fact put information rights on the backburner in the UK. An opportunity lost.

Andrew Bridges, Data Governance Manager, Sagacity

I can’t believe we celebrated five years of the GDPR in 2023. I strongly believe the GDPR was needed at the time it became a regulation but, what still amazes me is how many organisations still grapple with their core understanding of regulation …yes, five years on!

As we enter 2024, we’ll now have supplementary amends created by the Data Protection & Digital Information Bill to contend with, so it looks like another year of grappling with regulations.

Oh, did I mention AI…. we will see rapid experimentation and initiatives in the AI space in 2024. Whilst AI has the potential to be a force for good, we must remember it does come with a warning to ensure it’s used in an ethical way so we don’t see a rise in risk to privacy and potential misuse of personal data.

Charles Ping, Managing Director Europe, Winterberry Group

2024 really looks like it’ll be the year when all the posturing stops, and privacy takes a leap forward with the deprecation of cookies on Chrome. My prediction is that the sky won’t fall in and the disciples of Chicken Licken will wake up to a world that still has blue above our heads, where digital media is still planned, activated, consumed and measured for brands wanting to reach customers.

However, when we reflect on the sometimes partisan arguments of the past 3+ years and the endless posturing to be the next “universal ID”, we will note that this discussion has been hugely important. The whole process of deprecation has fuelled a much wider understanding of the features that define privacy-enabled marketing and measurement. Three years ago, differential privacy, salting and confidential computing weren’t on many marketers’ agenda. They are now.

Importantly, we now have an evolution in the landscape where policy and regulation understands how data protection rules can be used to enhance and fuel market power and sets us on a future path, where privacy and competitive markets are regulated in tandem. That is progress.

Philippa Donn, Partner, DPN Associates

In 2023, I was struck by the ICO’s decision to make it UK ‘Year of the Reprimand.’ The ICO announced, controversially, public sector organisations will routinely receive reprimands rather than fines. Around thirty five reprimands were issued; mostly to organisations in the public sector, but some in the private sector too.

I appreciate fines are the ultimate sanction and act as a deterrent. Conversely, I understand how fining publicly funded organisations only serves to hit the public purse (in effect, taxpayers shelling out for mistakes made by civil servants).

What’s interesting is these reprimands are now published. Offenders are named, with details of errors made and remedies implemented. Rich learnings for us all. Some cases involved companies which suffered sophisticated cyber-attacks. Considering how devastating these can be, and the expense involved in fixing them and implementing changes, I see why a fine might not be the ‘answer.’ In the current economic climate, a financial penalty could lead to job losses or even push a company under.

As for 2024, I’ll be watching closely the fallout from the cookie warning letters the ICO recently issued to some of the UK’s most visited websites. Much of the free content we read online is dependent on advertising. Consent for tracking isn’t going to work; I predict either a stand-off with the ICO or more content being placed behind pay walls. Can trade-offs be made between advertising standards, the law and the risk of excluding those on low incomes from accessing quality online content, particularly journalism?

Simon Blanchard, Partner DPN Associates

There have been some dreadful data breaches in 2023, not least the breach by Police Service of Northern Ireland. It’s undeniable that breaches occur far too frequently. Yet even in these uncertain times of increased global cyber threat, ransomware, social engineering and so on…. the lion’s share of data breaches reported to the ICO still arise from human error; not bad actors! And most are preventable.

In 2024, let’s provide practical information security training to our teams and get to grips with minimising the personal identifiers our teams process outside the core systems (e.g. in Excel or Sheets), where our powers to protect the data may be weaker.

We’ll be sure to keep you updated throughout 2024 on the progress of the UK DPDI Bill, AI developments, international data transfers, the future of cookies and any other surprises along the way!