Along with a number of key developments, 2023 saw the fifth anniversary of The General Data Protection Regulation (GDPR), cited as one of the toughest pieces of privacy legislation in the world.
Following the launch of their data protection officer training course, The DPO Centre takes a look back at the key movements in Data Protection over the past year, whilst casting an eye on the future in 2024.
Meta receives record-breaking fine
2023 proved a record-breaking year for data protection, as Facebook received fines of a record €1.2 billion. On 22 May, after 10 years of litigation and 3 court procedures, the Irish Data Protection Commission issued Meta Ireland with the largest GDPR fine to date.
It marked the fourth fine Meta received through the course of the year; the Commission issued two penalties in January for breaching rules with targeted ads on Facebook and Instagram, and a fine in March for GDPR breaches with WhatsApp.
These fines – and others like it – serve as a strong message to global industry giants, especially in tech, that they cannot continue to neglect their obligations for compliance with data protection regulations. That said, Meta has yet to pay the fine, and has announced its intention to appeal the decision.
AI Regulation Takes Shape
November saw the inaugural AI Safety Summit taking place at Bletchley Park in Milton Keynes. Intended as a landmark event for artificial intelligence, leading experts, researchers, and policymakers from around the world gathered to address the future of AI governance.
An important outcome of the Summit was The Bletchley Declaration – a world-first agreement between 28 jurisdictions (including the EU, the US, and China), establishing a shared responsibility to understand and manage the potential risks of AI development.
In particular, bias and privacy are covered in the Declaration, promising focus on building respective risk-based policies across the countries. The summit indicates a fair start for the wider governance of Artificial Intelligence, but critics have hit back against the lack of detail and the absence of any actionable points for building an effective regulatory framework.
Elsewhere in the field of AI, the UK’s Department for Science, Innovation and Technology (DSIT) published AI Skills for Business Competency Framework for public consultation in November of last year. Supported by the Office for Artificial Intelligence within DSIT, the draft framework presents guidance on the essential knowledge, skills, and behaviours employees should have to benefit from AI technology. DSIT intends the framework to support businesses, developing the understanding of AI upskilling needs and assisting training providers in developing relevant training solutions.
The UK’s proposed GDPR replacement moves closer
In late December, the Data Protection and Digital Information (DPDI) Bill was debated in the House of Lords. The government believes the updates to the current UK GDPR will support innovation and reduce unnecessary burdens on businesses and organisations. However, the new legislation has the potential to increase costs and complexities for all but the smallest of businesses.
Concerns were raised around the bill, with Lord Bishop of Southwell and Nottingham calling attention to the way in which the UK seems to be going in the opposite direction to the rest of the globe by lowering data protection standards.
Lord Allan of Hallam said, ‘It is the concern around EU adequacy that I think should really be front and centre of our discussions when we consider this legislation.’
This concern was echoed by several other Members, with Lord Vaux of Harrowden succinctly stating, ‘We must get this Bill right. If we do not, we risk substantial damage to the economy, businesses, individuals’’ privacy rights – especially children – and even, as far as the surveillance elements go, to our status as a free and open democratic society.’
Chrome begins disabling 3rd Party Cookies
Google’s plan to phase out 3rd party cookies in its Chrome browser moved off the starting block early this year, with test changes being made to the way companies are able to track users online. This development is part of a larger initiative – the Privacy Sandbox project – which aims to reduce cross-site tracking whilst still allowing functionality to keep online services and content freely available.
Google’s changes will disable 3rd party cookies for 1% of users – about 30 million people – applying the changes to 100% of users by Q3 of this year. The full rollout depends on Google addressing the competition concerns of the UK’s Competition and Markets Authority (CMA) – and some advertisers have hit back, stating that the changes will have a negative impact on their business. However, the phasing out of non-essential cookies is in line with the wider global trend towards enhanced data protection and privacy.
The UK’s AI Regulation Bill
Last updated in November 2023 The AI Regulation Bill includes provisions for the creation of a body called the AI Authority, and the appointment of designated AI officers. The government intends to publish a draft AI risk register for consultation, an updated AI regulatory roadmap, and a monitoring and evaluation report after March 2024.
In conclusion, 2023 has been an action-packed year for data protection and artificial intelligence regulation, marked by significant fines, international agreements, and legislative advancements. These developments reinforce beliefs that data protection is a constantly-evolving space, in which the need for robust data governance and AI regulation is increasingly recognised. As we enter into 2024, it’s important that we continue balancing innovation with ethical considerations and privacy rights. The global community must remain vigilant, ensuring that advancements in technology are matched with responsible governance and regulatory frameworks. The process of crafting a secure digital future is ongoing, and the steps taken in 2023 represent significant strides in this direction, with more to come.