As if it wasn’t complicated enough already, the data and compliance landscape is shifting again. New legislation has come into force, and there’s more to come.
The U.K. Online Safety Act (2023) is now in force, and the Data Protection and Digital Information Bill is progressing through Parliament and is expected to be enacted in Spring 2024.
The EU is creating legislation to address the risks associated with artificial intelligence with its Artificial Intelligence Act. The AI Act is also expected in early 2024.
Here’s our round up of the main points.
Artificial Intelligence Act
Although EU legislation might not be directly enforceable on non-EU nations, we need to remember that EU legislation still has an impact beyond the EEA.
For example, if a U.K. business needs to process the personal data of European citizens resident in the EU, their data must be processed and safeguarded according to EU GDPR, not the U.K. GDPR contained in the Data Protection Act (2018). The U.K. GDPR applies to U.K. citizens and EU citizens resident in the UK.
Also, the EU GDPR formed the blueprint for data protection frameworks that are used as far afield as Japan, the Faroe Isles, New Zealand and Korea. So what Europe does is extremely likely to have global ramifications.
The EU’s stance on GDPR was “If you want to trade with us, follow these rules”. That was enough for governments around the world to update their data protection frameworks and align them with GDPR. Expect similar when the AI Act comes into force.
The Artificial Intelligence Act has defined AI as:
“a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”
This definition is purposely aligned with the definition given by the EU’s Office of Economic Co-operation and Development’s Recommendation of the Council on Artificial Intelligence.
The EU AI Act places obligations on providers, deployers, importers, distributors and product manufacturers of AI systems, if they interact with the EU marketplace or citizens.
Notably, the definition of deployers includes “providers and deployers of AI systems in third countries if the output produced by an AI system is being used in the EU”. The U.K. is a third country, so if you have an online presence that is accessible from Europe and contains any AI functionality, you need to ensure you are compliant with the AI Act.
Some AI systems are prohibited. These include such things as biometric identification systems in publicly accessible spaces, and any AI system that exploits a vulnerability in a person or group of people, due to age, disability or their social or economic circumstances.
There are exceptions, such as for free and open-source AI systems, AI systems used solely for scientific research and development, and for the military and law enforcement.
The Online Safety Act 2023
The Online Safety Act (2023) is a piece of U.K. legislation that came into force in October 2023, designed to provide protections and increased safety online for users of all ages, but in particular children.
Probably the best known element of the Act is the one that makes social media services responsible for what is posted on their platforms.
They must:
- Remove illegal content quickly or prevent it from appearing in the first place, including content promoting self-harm
- Prevent children from accessing harmful and age-inappropriate content, including pornographic content, content that promotes, encourages or provides instructions for suicide, self-harm or eating disorders, content depicting or encouraging serious violence, or bullying content
- Enforce age limits and use age-checking measures on platforms where content harmful to children is published
- Ensure social media platforms are more transparent about the risks and dangers posed to children on their sites, including by publishing risk assessments
- Provide parents and children with clear and accessible ways to report problems online when they do arise
Other protections are provided, which also apply to adults. They’re designed to:
- Make sure illegal content is removed
- Enforce the promises social media platforms make to users when they sign up, through terms and conditions
- Offer users the option to filter out content, such as online abuse, that they do not want to see
If these rules are not followed, Ofcom could levy fines of £18 million or 10% of a platform’s global annual revenue, whichever is greater. With the likes of Facebook, that could potentially mean fines of billions of pounds.
Unless you run a social media platform, there is little for the average SMB to do here. If you have an online user forum for your customers, make sure you monitor the content that is uploaded or posted.
Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill is going through due process on its way to becoming an Act, and coming into force. At the time of writing, late February 2024, it has gone through the House of Commons and is at the committee stage in the House of Lords, meaning it is a few steps away from gaining royal assent.
The Bill changes the structure and governance of the Information Commissioner’s Office. The role of the Information Commissioner as corporation sole is abolished. The power will no longer reside within a single person, with an organization (their “office”) behind them.
A new body corporate called the Information Commission will be created. The powers and obligations of the Information Commissioner will transfer to the Information Commission. This changes the old model of the ICO to something closer to existing bodies such as the Financial Conduct Authority and Ofcom.
The Data Protection and Digital Information Bill is intended to update and simplify existing data protection laws.
Data Transfers
Currently, you can only send personal data to countries outside of the EU if they have received a positive adequacy decision.
The new Bill describes a scheme where the exporter of the data can make a judgment on whether the standards of protection in the target country are materially lower than in the UK.
They must act “reasonably and proportionately”, and give consideration to all circumstances, including the nature and volume of the personal data.
ePrivacy
Companies will be exempt from the requirement to obtain consent for cookies in situations that pose a low risk to user privacy.
These situations are:
- Solely for the purpose of analytics, carried out with a view to improving the website or information society service
- To optimize content display, according to user preferences, such as adjusting content to suit screen size
- Solely to update software, or where necessary for security purposes; privacy settings should not be altered
The Soft Opt-In
The existing soft opt-in rules allow email marketing to existing customers on an opt-out basis. This penalized charities and non-commercial organizations because the rules only apply when the personal data is collected in the context of a sale or negotiation for a sale.
Charities and other non-commercial organizations will be able to enjoy the soft opt-in benefits provided they obtained the data subjects’ personal data in the course of the individual making a donation or otherwise supporting the charity.
Accountability
It won’t be a requirement to maintain a record of processing activities in all cases. You’ll only need to do so if you carry out processing that is “likely to result in a high risk to the rights and freedoms of individuals”.
The requirements for data protection impact assessments are changing, too. They’re going to be called an “assessment of high risk processing”. The granular description of the types and purposes of processing, the safeguarding of the data, and the mitigation of risk have been replaced by a much simpler document.
The new document will be more of a summary, and there will no longer be a requirement to consult with data subjects. Currently this is required in special cases, such as those with unmitigated high risks. Such processing currently must be reported to the ICO. The new Bill makes that reporting optional.
Data Protection Officers
The new Bill removes the requirement for a DPO and replaces it with a requirement for a “senior responsible individual”.
Currently, the DPO must avoid conflicts of interest, and must be divorced from decisions regarding data processing and IT. Under the new Bill the senior responsible individual must be involved in those decisions.
The duties of the DPO will transfer to the senior responsible individual, including overseeing the company’s data privacy framework.
These include:
- Representing the company to the ICO and data subjects, or delegating a representative to do so; ensuring appropriate oversight and support is in place for the framework; and appointing appropriate personnel
- Providing tailored training to ensure staff understand the company’s policies
- Regularly auditing the efficacy of the framework
This boils down to being in charge of the company’s data protection compliance, being the point of contact for the ICO and data subjects, providing internal training, and conducting internal audits. Basically what the DPO does.
We expect that a business that has a DPO will retain the DPO, and assign someone as the senior responsible individual who delegates all of the above to the DPO.
Data Subject Rights
There are some changes to what types of requests can be refused, and a right to complain that will sit alongside the existing right to object.
An existing provision under GDPR allows businesses to reject data subject requests if they are “manifestly unfounded or excessive”. The new act adds “vexatious” to the list, covering requests that are intended to cause distress, are not made in good faith, or that are an abuse of process.
The new right to complain requires organizations to facilitate the making of complaints, which means that you’re going to need a formal complaints procedure and records. This may well require an electronic complaint form.
Because this is a new data subject right, the list of data subject rights in your privacy notice will need updating. If the list of data subject rights appears anywhere else in your data protection framework documentation, it will need to be updated too.
Businesses may be required to notify the ICO of the number of complaints they have received. The ICO has the power to reject complaints made to it if the data subject has not first completed the complaints process with the organization they are complaining about.
Legitimate Interests
The new Bill gives more clarity to processing under the legitimate interest lawful basis. Examples are given for direct marketing, for reasons of IT security, and for data transfers within the same group of companies.
Interestingly, there’s a group of data processing purposes that are identified and classed as legitimate, and for which a legitimate interest assessment is not required.
These include:
- Disclosures to public bodies who need to process personal data in the execution of a public interest task
- Disclosures for national security, public security and defense purposes
- Emergency response
- Prevention or detection of crime
- Safeguarding vulnerable individuals
- Data processing by candidates for political office or their elected representatives
Purpose Limitation
Under GDPR you have to say what type of processing you’re going to do, and why. You cannot process personal data in a way that wasn’t described in advance, or disclosed to the data subjects at the time of collection.
The Bill reaffirms this, but also introduces a list of purposes deemed compatible with the original purpose. These include:
- Disclosures to public authorities if the authority needs the data for a public interest task
- Disclosures for reasons of public security
- Emergency response
- Safeguarding vulnerable individuals
- Protecting vital interests
- Preventing and detecting crime
- Assessing tax
- Complying with legal obligations
The Bill makes it clear that, if the lawful basis for your data processing is consent, you have no legal standing to perform any additional processing. You may only process data using the methods and for the purposes that consent was originally, and specifically, granted for.
As consent must be specific, your only recourse is to get new consent for additional data processing.
Make Sure You’re Ready
The Data Protection and Digital Information Act is expected in early 2024. There may be a grace period similar to the two-year grace period between GDPR coming into effect and its actual enforcement. Either way, it’s prudent to make sure you are aware of what the changes mean to your business, and to plan for those changes by updating your data protection documentation and procedures.
It’s unlikely that significant modifications will be introduced now, with the Bill so close to being enacted, so it’s safe to start that process as soon as you are able.