This year has seen significant progress in the data protection industry, with many new privacy laws being enacted across the globe.
In this blog, we look at some of the major events and news stories that have shaped the landscape, influencing the direction of policies and processes.
What does the development of data protection laws mean for organisations? And how will the data protection industry continue to evolve? Big questions to keep in mind as we go into 2024.
Major data protection events
5 years of the GDPR: The General Data Protection Regulation (GDPR) celebrated its 5th anniversary on 25 May 2023. Coming into force on 25 May 2018, it is cited as one of the toughest pieces of privacy legislation in the world. The EU’s principle-based regulation was introduced to protect the fundamental rights of individuals by safeguarding their personal data and creating a harmonised framework for data flows across the EU’s digital single market.
To mark the anniversary, The DPO Centre held a webinar to discuss the wins and challenges for businesses: essentially, what worked, what didn’t, and why?
Facebook fined a record €1.2 billion: On 22 May 2023, after 10 years of litigation and 3 court procedures, the Irish Data Protection Commission issued Meta Ireland with the largest GDPR fine to date. It was the fourth fine Meta received this year. The Commission issued two penalties in January 2023 for breaching rules with targeted ads on Facebook and Instagram and in March 2023, a fine for GDPR breaches with WhatsApp.
The fines sent a strong message to tech giants that they cannot continue to neglect their obligations under data protection regulations. However, Meta has yet to pay the fine and has announced its intention to appeal. One of the orders accompanying the penalty required Meta to discontinue its reliance on Standard Contractual Clauses (SCCs) by 12 October. In an update on 7 September 2023, Meta announced that it will rely on the new EU-US DPF for data transfers.
The AI Safety Summit took place in the UK on 1 November 2023 at Bletchley Park. Intended as a landmark event for artificial intelligence, the event brought together leading experts, researchers, and policymakers from around the world.
An important outcome of the Summit was The Bletchley Declaration – a world-first agreement between 28 jurisdictions, including the EU, the US, and China. The Declaration establishes a shared responsibility to understand and manage the potential risks of AI development. Bias and privacy are topics covered within the Declaration, providing an agenda to focus on building respective risk-based policies across the countries. However, critics have highlighted the lack of detail and the absence of any actionable points for building an effective regulatory framework.
Data protection developments in the EU, UK, and North America
Europe’s GDPR continues to mature
Since its implementation in 2018, the General Data Protection Regulation (GDPR) has become a global standard for data protection. With each passing year, we see further clarification on its interpretation, and a greater understanding of the implications for businesses and individuals alike.
There were several key court rulings by the Court of Justice of the European Union (CJEU) this year, which have helped to clarify certain areas of the legislation:
- Accountability principle – The CJEU ruled that not every violation of the GDPR renders all related processing unlawful (Case C-60/22).
- Right of Access – The CJEU clarified the scope of the GDPR right of access by stating that the right to obtain a ‘copy’ of personal data means that the data subject must be given a ‘faithful and intelligible’ reproduction of all those data.
- Joint Controllers – The CJEU stated that if a company doesn’t follow GDPR rules for making a joint controller agreement or keeping records of data processing activities, it doesn’t automatically mean that the company’s data processing is illegal.
- Penalty fines – The CJEU ruled on 5 December 2023 that a supervisory Data Protection Authority (DPA) may only impose a fine for a GDPR infringement if it was committed wrongfully, either intentionally or negligently. In calculating a fine, a DPA must consider the total worldwide turnover of the entire group from the preceding business year.
The European Commission adopted its adequacy decision on EU-US data flows and established the EU-US Data Privacy Framework (DPF), which came into effect on 10 July 2023. The DPF replaced the invalidated Privacy Shield and aimed to address the concerns previously raised by the CJEU. However, only minutes after the announcement, Max Schrems, the Austrian privacy lawyer and activist, expressed his scepticism of the decision and stated his intention to challenge the new deal. A challenge has yet to be submitted by Mr Schrems, but the debate over transatlantic data transfers is clearly not over and will continue into 2024.
UK’s key data protection updates
The UK-US ‘data-bridge’ was approved on 21 September 2023 and came into force on 12 October 2023. Serving as an extension to the EU-US Data Privacy Framework (DPF), the data-bridge provides a mechanism for businesses in the UK to transfer personal data to US organisations certified under the ‘UK Extension to the EU-US Data Privacy Framework’ (UK Extension) without the need for further safeguards. However, criticisms of the EU-US DPF include concerns over the potential for increased surveillance by US authorities and the erosion of privacy rights. Many organisations have retained their existing data transfer mechanisms with a ‘wait and see’ approach.
DSIT published the AI Skills for Business Competency Framework for public consultation in November 2023. Supported by the Office for Artificial Intelligence within the Department for Science, Innovation and Technology (DSIT), the draft framework presents guidance on the essential knowledge, skills, and behaviours employees should have to benefit from AI technology. DSIT intends the framework to support businesses, enabling them to understand their AI upskilling needs and to assist training providers in developing relevant training solutions.
The UK’s proposed GDPR replacement moves closer
On 19 December 2023, the Data Protection and Digital Information (DPDI) Bill was debated at the second reading stage in the House of Lords. The government believes the updates to the current UK GDPR will support innovation and reduce unnecessary burdens on businesses and organisations. However, the new legislation has the potential to increase costs and complexity for all but the smallest of businesses.
The Lords raised many concerns during the second reading, with Lord Bishop of Southwell and Nottingham quoting Rob Masson of The DPO Centre. The Lord Bishop used Mr Masson’s words when calling attention to the way in which the UK seems to be going in the opposite direction to the rest of the globe by lowering data protection standards.
Lord Allan of Hallam said, ‘It is the concern around EU adequacy that I think should really be front and centre of our discussions when we consider this legislation.’
This concern was echoed by several other Members, with Lord Vaux of Harrowden succinctly stating, ‘We must get this Bill right. If we do not, we risk substantial damage to the economy, businesses, individuals’ privacy rights – especially children – and even, as far as the surveillance elements go, to our status as a free and open democratic society.’
Canada seeks to update and strengthen its privacy laws
There have been significant developments in Canada’s privacy laws this year. On 24 April, the Canadian House of Commons agreed on the entirety of Bill C-27, the Digital Charter Implementation Act 2022, which seeks to update and strengthen the Personal Information Protection and Electronic Documents Act (PIPEDA), including Canada’s first AI legislation.
In Quebec, ‘An Act to modernise legislative provisions as regards the protection of personal information’ (Bill 64) came into effect on 22 September 2023; the right to portability under this Act is due to come into force on 22 September 2024.
The United States sees a wave of new privacy laws
It was a big year for privacy in the US, with 5 new state privacy laws:
- California Privacy Rights Act (CPRA) came into effect on 1 January 2023 and amends the California Consumer Privacy Act (CCPA)
- Virginia Consumer Data Protection Act (VCDPA) came into effect on 1 January 2023
- The Colorado Privacy Act (CPA) came into effect on 1 July 2023
- The Connecticut Data Privacy Act (CTDPA) came into effect on 1 July 2023
- The Utah Consumer Privacy Act (UCPA) will come into effect on 31 December 2023
These laws reflect a shift towards greater consumer control over personal data and increased obligations for organisations in terms of data processing. They also indicate a move towards harmonising state-level laws with global standards, providing new consumer rights aligned with those in the GDPR.
Looking ahead: Data protection in 2024
UK’s DPDI Bill
As we move into 2024, all eyes are on the progress of the proposed Data Protection and Digital Information (DPDI) Bill. The hope of the data protection industry is that the Lords will take its numerous concerns into consideration and apply rigorous scrutiny to the proposed legislation. But only time will tell. We will keep you updated as soon as we have further information.
3rd party cookies in Chrome to be disabled
Google’s plan to phase out 3rd party cookies in its Chrome browser begins in Q1 2024. This is part of a larger initiative called the Privacy Sandbox project, which aims to reduce cross-site tracking whilst still allowing the functionality needed to keep online services and content freely available.
Google will disable 3rd party cookies for 1% of users from early January, applying the changes to 100% of users by Q3 2024. The full rollout depends on Google addressing the competition concerns of the UK’s Competition and Markets Authority (CMA). The phasing out of non-essential cookies is in line with the wider global trend towards enhanced data protection and privacy.
The EU’s proposed ePrivacy Regulation establishes clearer rules on cookies, with a more streamlined solution for settings:
‘no consent is needed for non-privacy intrusive cookies that improve internet experience, such as cookies to remember shopping-cart history or to count the number of website visitors.’ (Proposal for an ePrivacy Regulation)
International data transfers
SCCs and IDTA – From 21 March 2024, UK organisations can no longer use the old EU Standard Contractual Clauses (SCCs) for restricted data transfers. Instead, they must rely on the UK’s International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (‘UK Addendum’).
EU-UK adequacy – Later in 2024, the European Commission is due to review the EU-UK adequacy, which will expire on 27 June 2025. The outcome of the UK’s proposed DPDI Bill could significantly affect this decision and create further complications for organisations operating across multiple jurisdictions.
EDPB action: Right of access by controllers
The European Data Protection Board (EDPB) will launch a national action in 2024 on ‘The right of access by controllers’. Each year, the EDPB seeks to prioritise certain topics for data protection authorities (DPAs) to work on at a national level. This will be the third co-ordinated enforcement action to date. The results provide analysis and insight into the topic, enabling targeted follow-up at both national and EU levels.
The EU’s AI Act
With European Parliamentary Elections scheduled for 6-9 June 2024, the EU is likely to adopt the proposed AI Act in early 2024. Otherwise, the elections could delay its passage until 2025. The Act has seen a certain amount of progress in 2023, with the European Parliament adopting amendments to the proposal on 14 June 2023. However, there have been stumbling blocks, especially over the way generative AI platforms like ChatGPT should be regulated. Big Tech companies have been lobbying to weaken the proposed EU legislation, and there have also been calls from the French, German, and Italian governments to relax some of the more stringent measures in order to protect AI innovation.
The UK’s AI Regulation Bill
The AI Regulation Bill is a Private Member’s Bill, originating in the House of Lords during the 2023-24 session. Last updated on 29 November 2023, the Bill includes provisions for the creation of a body called the AI Authority and the appointment of designated AI officers. The government intends to publish a draft AI risk register for consultation, an updated AI regulatory roadmap, and a monitoring and evaluation report after March 2024.
Data Protection support and advice for 2024
The data protection and privacy industry is evolving rapidly. The pace of change is a challenge for organisations across all sectors, with new laws and new guidance being released regularly. The ever-pressing need for professional advice and guidance from data protection experts looks set to increase as we move into 2024.
The DPO Centre offers a range of data protection services, including consultancy, outsourced Data Protection Officers (DPOs), GDPR Representatives and AI Explainability (XAI) Services.