2024 is likely to see some significant trends in the arena of data privacy and data protection. Companies are beginning to adapt to new privacy features and re-think business models to comply with forthcoming themes and legislation emerging from both within the UK, EU and the USA.
The UK’s revised Data Protection and Digital Information Bill is heading through the House of Lords currently with a view to being passed this year. The European Parliament will be voting on the AI Act in 2024, with a view to implementing the act in 2025. The act will represent the first comprehensive legislative approach to AI in the world and is bound to cause complications for those companies providing AI services.
Meanwhile, in the US, which due to its government system, puts the responsibility of data protection and privacy in the hands of individual states rather than the federal government, there is likely to be an increase in the number of those states publishing legislation. Canada, Brazil and Egypt are all expected to pass legislation in 2024, as well.
All this means that the scope for enforcement will never have been wider. Last year, the fines for companies with the EU totalled two billion Euros, which is more than the fines of 2019, 2020 and 2021 combined. This demonstrates a commitment to not only larger monetary penalties, but also more frequent, smaller enforcements.
Tougher scrutiny for children’s data will be a key concern. Social media companies have been at the forefront of these debates, with the usual suspects such as Meta and TikTok facing the wrath of regulators across the UK and the EU. The ICO has published its opinion on age assurance defining what an online service must do if it is likely to be accessed by children. Many US states are also considering adopting laws to protect children’s data. A source of disharmony has always been the definition of a child and at what age these laws should apply. The legal definition of a child is not the same across the world.
Developments in relation to behavioural advertising will make it largely impossible for children’s data to be used for targeted advertising. Multiple lawsuits across the USA are outstanding for marketing to children without parental consent on platforms such as YouTube.
Continued awareness of privacy rights amongst consumers will continue, especially with issues such as those highlighted above gaining more and more publicity. It seems that consumers are increasingly exercising their rights to things like subject access requests, in 2023 28% of consumers admitted to sending a SAR, which is an increase of 4% in one year. Here in the UK, councils and police forces have been inundated with requests.
In response to some of these regulatory requirements, you can see businesses beginning to change their practices. Meta, the company that owns Facebook, has recently launched a paid subscription model for ad-free services in Europe which avoids tracking. This is a controversial move that is likely to be challenged by privacy advocates. TikTok, the Chinese owned social media giant, has announced it will be spending $13bn on European servers, which will allow them to store European data in Europe. Evidence then, that a tougher approach can work but not always in a way that is considered most advantageous for the data subject.
So what’s the outcome for all of us? Well, here in the UK, we will have some new legislation to adapt to. There may be some changes to key definitions including the very definition of what is personal data. The EU’s AI Act is bound to have implications across the globe and will probably be seen as the gold standard approach to AI regulation. How this affects programmes like ChatGPT will only really be seen in years to come.
We will probably see more enforcement, combined with a growing sense of confidence within the public over their rights and freedoms, and businesses, especially those that are littered with our data are going to have to begin to publicly demonstrate their commitment to privacy, as Apple has done, if they want to stay ahead in the market.
For us, specifically at CFH, we will adapt to these developments, above all those in UK legislation. We also understand that the people at the end of the chain, such as our clients’ customers, patients and employees, require the same level of service as our clients do and will ensure that we provide this.
Why not read our other Data Protection blogs?