Insights Data Protection Update – Media and Technology edition

One of the most frequently asked questions of our data privacy team is: what is new in data protection? Our one-word response to this would be: Lots!

So, to help clients stay on top of the ever-evolving data protection developments, we’re sending out a quarterly blog with a selection of some of the most recent updates.  There are of course many other developments not covered below, but these are the ones that we believe will be most useful.

  • We await the ICO’s response to a series of consultations on generative AI. In the meantime, the ICO’s investigation into Snap’s generative AI feature “My AI” makes clear the importance of conducting a thorough DPIA for use of this technology.
  • Use of generative AI in the creative industries should be treated with particular care and consideration. The sensitivities surrounding this technology have once again been brought into sharp focus by further SAG-AFTRA strikes – this time by video game performers. Similarly, both X and Meta have faced regulatory scrutiny over plans to train AI on user data on their platforms, which has ultimately led to each platform pausing its plans. Key takeaway: The consultation element of a DPIA should be properly engaged with, to ensure the public and regulators are behind novel uses of technology. Particular care is needed when considering the appropriate lawful basis for training AI and how to implement that effectively (legitimate interests vs consent).
  • There is ongoing litigation in the UK and internationally, initiated by rights holders seeking to protect their creative assets from AI use. Major music labels (including Sony Music Entertainment, Universal Music Group Recordings and Warner Records) are suing companies offering AI music generator tools (Suno AI and Udio AI) in the US. Meanwhile Getty’s dispute with Stability AI in respect of its library of images continues here in the UK and abroad.
  • Facial recognition remains under the ICO’s microscope. This year the regulator has brought enforcement action against two organisations rolling out this technology (see here and here). Key takeaway: Make sure facial recognition use is necessary and proportionate, think carefully about lawful basis and complete a DPIA before roll out.
  • The ‘consent or pay’ model (i.e. offering users a choice between accessing an online site/service free of charge subject to consenting to targeted advertising, or paying a fee for access ad-free/with non-targeted advertising) is not prohibited per se but faces increasing regulatory scrutiny from UK and EU regulators (from data protection and consumer law angles). We are still awaiting the ICO’s response to its “call for views” on this issue. Key takeaway: If considering introducing this model, proceed with caution and be prepared to justify how you have ensured consent is freely given – particular consideration needs to be given to how the two options are presented to users and what price point is applied.
  • Google rows back on deprecation of third-party cookies, instead planning to offer users an “informed choice” between tracking cookies or cookie-less options. We await the detail but if Chrome users are presented with a binary choice between the status quo and a “privacy-preserving” alternative, then ad tech players may nevertheless be forced to adopt cookie-less: user behaviour being the driver for change. Key takeaway: We anticipate cookie-less advertising solutions will still play an important role in the future of targeted advertising.
  • Cookie consent (or lack of it): The ICO’s campaign checking specifically whether cookies are dropped before consent is given and whether ‘accept’ and ‘reject’ options are equally prominent is ongoing. So far, no reprimands have been issued. Will the ICO take enforcement action up a notch to drive change in light of Google’s U-turn on cookies? Non-compliant cookie practices are also low-hanging fruit for disgruntled customers – threats of legal action or regulatory complaints can cause unwanted headaches for businesses. Key takeaway: Review how cookie consent is presented to users. Is it as easy to reject as to accept?
  • The ICO has warned cyber attacks are on the rise. The most common cyber security breaches are phishing, brute force attacks, denial of service, error and supply chain attacks. A cyber attack (and personal data breach) does not necessarily mean a business has breached its data protection obligations, however. To protect your business from claims and fines it will be essential to be able to show your business had taken appropriate and proportionate technical security measures and had internal policies in place, despite being infiltrated. Key takeaway: Review IT security practices and policies and stress test data breach policies.
  • The ICO has launched a Children’s code strategy call for evidence concerning how children’s personal data is used by social media platforms (SMPs) and video sharing platforms (VSPs). Despite the focus on SMPs and VSPs, the consultation has broader relevance – in particular, consideration of age assurance practices for under 13 year olds. You have until 11 October 2024 to respond. Key takeaway: If your online services are likely to be accessed by children, you should already have a ‘Children’s Code’ DPIA in place. This needs to be kept under regular review in light of ongoing updates in guidance from the ICO.
  • In 2025 (currently from 17 January 2025, but we have heard murmurings that this will be pushed back to May 2025), online gambling businesses will be required to move to opt-in consent for electronic direct marketing channels on a per-product and per-channel basis (‘soft opt-in’ is no longer permissible). Key takeaway: Consider existing marketing practices and put in place a strategy for offering revised consent options to new and existing customers.
  • The enhanced financial risk assessments pilot is due to start at the end of August 2024. Key takeaway: Participating operators should ensure data sharing agreements are in place with credit reference agencies, the lawful basis they are relying on to undertake assessments has been documented and privacy notices have been updated.
  • The Journalism Code of Practice came into force on 22 February 2024. A key emphasis of the Code is accountability (the journalism exemption does not apply to this requirement) – i.e. being able to show how you comply with data protection obligations and documenting your application of the journalism exemption, when you are unable to comply. This becomes particularly important where data subjects will be unable to exercise data rights in respect of content you are producing due to application of the journalism exemption. Although many news publishers and content creators will likely need to rely on the journalism exemption in part, the exemption does not apply in a blanket fashion. Key takeaway: Where relying on the journalism exemption, put in place a written assessment documenting why it is incompatible for you to comply. Where ‘high risk’ processing is taking place, put in place a DPIA (e.g. when undertaking undercover reporting or dealing with sensitive subject matters). Documentation can be overarching rather than on a project-by-project/story-by-story basis.
  • Goodbye DPDI2, Hello DISD: The government will introduce a new data law in the UK (the Digital Information and Smart Data Bill (DISD Bill)) which will take the place of the (now defunct) Data Protection and Digital Information (No. 2) Bill (DPDI2), which had been at an advanced stage of its parliamentary journey before the general election. The bill is unlikely to be revolutionary, but we wait to see the published text to know the detail. In particular, will fines for breach of PECR be brought in line with GDPR levels? For now they remain capped at £500k. Key takeaway: Watch out for updates.
  • The government announced that new legislation concerning the development of the most powerful AI models is on the cards, but stops short of announcing a specific AI Bill. Meanwhile the EU AI Act came into force on 1 August 2024, although many provisions will only apply on a phased basis over the next two years. Key takeaway: If your organisation develops or operates AI – check if it falls within scope of the EU AI Act (and, if so, which level of ‘risk’ obligations apply). Set a compliance roadmap, not forgetting data protection obligations where personal data is used in connection with the AI system.