Regulatory Outlook

Data Law | UK Regulatory Outlook May 2024

Published on 31st May 2024

DPDI bill falls following UK election announcement | UK government publishes Smart Data Roadmap | ICO's AI strategy

DPDI bill falls following UK election announcement

Following the announcement of the UK general election being called for 4 July 2024, Parliament has been prorogued. This means that any legislation that was not passed during the short wash-up period which ended on 24 May 2024 will now fall away and we will have to wait to see whether the newly elected government will introduce the legislation. See our Insight for more details on this wash-up period.

The Data Protection and Digital Information Bill (DPDI Bill) was at the report stage in the House of Lords, with a sitting scheduled for June, when Parliament was prorogued, and its progression through Parliament was not accelerated during the wash-up period. This means that the bill now falls. It is open to the incoming government to introduce the bill again (such bills would have to start the Parliamentary process from scratch), but it is under no obligation to do so.

UK government publishes Smart Data Roadmap

The UK Department for Business and Trade has published its "Smart Data Roadmap" setting out how it intends to use its power under the DPDI Bill to make secondary legislation in relation to "smart data" schemes. The government's aim is that these smart data schemes will help to facilitate the secure sharing of customer data, at a customer's request, with "Authorised Third-party Providers" who will then enhance that data with their broader contextual business data.

The roadmap covers the following seven sectors:

  • banking and finance;
  • energy and road fuels;
  • telecoms;
  • transport;
  • retail; and
  • home buying.

Each of these sectors will progress through four stages of implementation – identification, consultation, design and implementation – and the roadmap goes into greater detail regarding these stages in the context of each sector. 

The roadmap forms part of the government's wider strategy on increasing access for businesses to many different types of data, which has in our experience been warmly welcomed. However, the timeline included in the roadmap shows that the government is still in the early days of its formation of a "smart data" economy and it is clear that some sectors are further along in this journey than others. It therefore remains uncertain when businesses can expect to start benefitting from the smart data schemes. Since the DPDI Bill, which would create powers for the government to issue implementing legislation for smart data schemes, has fallen following the election announcement, it will be for the next government to decide whether to introduce the bill again and proceed with the regulations.

ICO's AI strategy

The Information Commissioner's Office (ICO) has published its strategic approach to artificial intelligence (AI) as requested by the government in its response to the AI white paper. See AI section for more information.

The ICO's report includes the following:

  • It highlights themes in the intersection between its remit and AI (such as personal data for training foundation models, high risk AI and the fairness principles, facial recognition and biometrics, children and AI).
  • It explains how the principles of data protection law align well with the UK's "high level principles" set out in the AI white paper.
  • It gives an overview of the ICO's work and guidance issued around AI, including a list of its enforcement activity.
  • It provides an overview of the ICO's planned work on AI, including its series of consultations on generative AI (see AI section), a consultation on biometric classification tech, and planned updates in spring 2025 to the ICO's guidance on "AI and Data Protection" and "Automated Decision-Making and Profiling".
  • It highlights upcoming AI-related work by the ICO's Regulatory Sandbox, including a system to help prevent falls in the elderly, personalised AI for those affected by cancer, AI to help identify individuals who may be at risk of domestic violence, and AI used to remove personal data from drone images.
  • Later this year, the ICO plans to issue a report on its audit of providers of AI recruitment solutions, and to review AI technology used in education and youth prison services.
  • Finally, the ICO flags a range of its collaborative activity with other regulators, including the Digital Regulators Cooperation Forum, the Regulators and AI Working Group, the government, standards bodies and international partners.

In relation to its own AI capabilities, the ICO notes that "in the future nearly all data protection roles at the ICO will involve AI to some degree" and it expects its AI and Data Science team, currently comprising ten people who work full time on AI governance, to grow in the coming years. The ICO flags that it currently has an AI-supported customer service chatbot and an algorithmic tool for email triage. It is also developing an AI solution to help identify websites using non-compliant cookie banners.

European Parliament's civil liberties committee writes to House of Lords European Affairs Committee's inquiry into data adequacy

The European Parliament's Committee on Civil Liberties, Justice and Home Affairs has written to the UK House of Lords European Affairs Select Committee's inquiry into the data adequacy decision and its implications for the UK-EU relationship (see this Regulatory Outlook for background).

The committee expressed its concerns "about the overall direction of the data policies of the UK Government" and warned that the provisions in the DPDI Bill "may increase UK divergence from EU data standards, putting the validity of the adequacy findings into question". The committee's main concerns related to the watering down of the definition of "personal data", the potential undermining of the ICO's role, and the bypassing of EU international transfer rules for countries which are not deemed "adequate" under EU law.

When proposed, the DPDI Bill represented the first major divergence on data protection between the UK and EU since Brexit and is part of a wider pro-business approach being adopted by the UK government. It is therefore not surprising to see some concerns being expressed in Europe but it remains to be seen whether those concerns will be strong enough to potentially jeopardise the UK's adequacy decision. Now that a UK election has been called, the DPDI Bill will not proceed (see further above), but the concerns raised on it may have longer term relevance if the DPDI Bill or an alternative form of divergence is revisited by the next UK government.

EDPB adopts opinion on "consent or pay" models

The European Data Protection Board (EDPB) has adopted an opinion on the validity of consent under the General Data Protection Regulation (GDPR) to process personal data for the purposes of behavioural advertising in the context of "consent or pay" models.

In the EDPB's view, although "consent or pay" models are not prohibited as such, in most cases, it will be hard for platforms to demonstrate valid consent if they only give users a choice between (1) consenting to processing of their personal data for behavioural advertising purposes, and (2) paying a fee to access the service without their personal data being used in this way. This is in part because the EDPB considers that such consent would not meet the GDPR's requirements of being freely given, informed, specific and unambiguous. A controller would therefore need to be able to demonstrate that, notwithstanding the EDPB's opinion, its specific model has been designed so as to meet the requirements for consent.

For details on the potentially different direction of travel for "consent or pay" models in the UK, please see our previous Regulatory Outlook.

ICO publishes fourth call for evidence on generative AI and data protection

See AI section.

ICO report on cyber security breaches

See Cyber security section.


Regulatory law affects all businesses.

Osborne Clarke’s updated Regulatory Outlook provides you with high level summaries of important forthcoming regulatory developments to help in-house lawyers, compliance professionals and directors navigate the fast-moving business compliance landscape in the UK.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
