United Kingdom

On April 25, 2024, the UK’s Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) received royal assent and became law.  This law makes the first substantive amendments to the existing Investigatory Powers Act 2016 (“IPA”) since it came into effect, and follows an independent review of the effectiveness of the IPA published in June 2023.Continue Reading Changes to the UK investigatory powers regime receive royal assent

On 15 January 2024, the UK’s Information Commissioner’s Office (“ICO”) announced the launch of a consultation series (“Consultation”) on how elements of data protection law apply to the development and use of generative AI (“GenAI”). For the purposes of the Consultation, GenAI refers to “AI models that can create new content e.g., text, computer code, audio, music, images, and videos”.

As part of the Consultation, the ICO will publish a series of chapters over the coming months outlining their thinking on how the UK GDPR and Part 2 of the Data Protection Act 2018 apply to the development and use of GenAI. The first chapter, published in tandem with the Consultation’s announcement, covers the lawful basis, under UK data protection law, for web scraping of personal data to train GenAI models. Interested stakeholders are invited to provide feedback to the ICO by 1 March 2024.Continue Reading ICO Launches Consultation Series on Generative AI

Earlier this year, the UK’s privacy and competition regulators (the ICO and CMA) issued a joint paper setting out their concerns and expectations in the field of dark patterns – techniques designed to mislead or deceive users of online services – which the regulators refer to as “harmful online choice architectures”. As we’ve previously noted, dark patterns are an area of increasing focus of regulators, and the joint paper reflects the growing interplay between privacy and competition laws – a trend we expect to see continue in 2024.Continue Reading UK Regulators Target Dark Patterns

On 29 March 2023, the UK Information Commissioner’s Office (“ICO”) published updated Guidance on AI and data protection (the “Guidance”) following “requests from UK industry to clarify requirements for fairness in AI”. AI has been a strategic priority for the ICO for several years. In 2020, the ICO published its first set of guidance on AI (as discussed in our blog post here) which it complemented with supplementary recommendations on Explaining Decisions Made with AI and an AI and Data Protection risk toolkit in 2022. The updated Guidance forms part of the UK’s wider efforts to adopt a “pro-innovation” approach to AI regulation which will require existing regulators to take responsibility for promoting and overseeing responsible AI within their sectors (for further information on the UK Government’s approach to AI regulation, see our blog post here).

The updated Guidance covers the ICO’s view of best practice for data protection-compliant AI, as well as how the ICO interprets data protection law in the context of AI systems that process personal data. The Guidance has been restructured in line with the UK GDPR’s data protection principles, and features new content, including guidance on fairness, transparency, lawfulness and accountability when using AI systems.Continue Reading UK ICO Updates Guidance on Artificial Intelligence and Data Protection

The UK Information Commissioner’s Office (“ICO”) recently published detailed draft guidance on what “likely to be accessed” by children means in the context of its Age-Appropriate Design Code (“Code”), which came into force on September 2, 2020. The Code applies to online services “likely to be accessed by children” in the UK. “Children” are individuals under the age of 18. In order to determine whether an online service is “likely to be accessed” by children, companies must assess whether the nature and content of the service has “particular appeal for children” and “the way in which the service was accessed”. This new draft guidance provides further assistance on how to make this assessment, and is undergoing a public consultation until May 19, 2023.Continue Reading UK ICO Provides Guidance On When A Service Is “Likely To Be Accessed By Children” And Needs To Comply With Its Age-Appropriate Design Code

Regulators in Europe and beyond have been ramping up their efforts related to online safety for minors, through new legislation, guidance, and by promoting self-regulatory tools.  We discuss below recent developments in the EU and UK on age verification online.Continue Reading Age Verification: State of Play and Key Developments in the EU and UK

On February 16, 2023, the UK Information Commissioner’s Office (“ICO”) released guidance for the video game industry on how to conform with the UK’s Age Appropriate Design Code when developing video games. This blog post summarizes the ICO’s recommendations for video game developers and designers when creating video games that are likely to be accessed by children under the age of 18. For more information about the UK’s Age Appropriate Design Code, see our previous blog posts here and here.Continue Reading UK Information Commissioner’s Office Publishes Guidance for Video Game Developers and Designers to Improve Data Protection in their Services

On October 12, 2022, the UK Information Commissioner’s Office (“ICO”) opened a public consultation seeking feedback on the draft guidance document on employment practices, specifically relating to monitoring at work (the “Monitoring at Work Guidance”). The guidance aims to provide practical guidance and good practices relating to monitoring workers in accordance with data protection legislation.Continue Reading UK Information Commissioner’s Office released a New Draft Employment Guidance for Monitoring at Work

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and include proposed changes that are designed to try to reduce the administrative burden on business to some extent.  The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same.  But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill