Blog
The EU AI Act: what we know so far and key takeaways
On 8 December 2023, after 38 hours of intense final negotiations, the Council of the European Union and the European Parliament reached an historic, provisional agreement on laws to regulate the use of artificial intelligence in the EU (the "AI Act"). The AI Act marks the world's first comprehensive legal framework to regulate the use of AI, aiming to ensure that "AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values". This landmark deal signifies the EU's commitment to AI safety and puts it ahead of other countries such as the US and UK, which are yet to publish their own comprehensive legislation. China has developed its own approach to regulating AI.
The definitive version of the AI Act remains to be agreed. Work will continue at a technical level to finalise the details and text, which will then need to be confirmed by the Council and Parliament, and which is expected in early 2024. Until then, these are the key takeaways from the provisional agreement.
Driving data protection compliance: employee vehicle monitoring
What is vehicle monitoring and why?
Vehicle monitoring refers to the practice of collecting and analysing data related to the operation and usage of vehicles. Businesses are increasingly using employee vehicle monitoring to improve productivity, optimise management, and ensure safety, including through the use of telematics systems consisting of GPS technology, onboard vehicle diagnostics and other inbuilt software. GPS technology enables organisations to monitor and manage their vehicles by collecting real-time data on location, speed, fuel use, and more. This data can be used for optimising routes, improving safety, and cutting costs. Vehicle telematics systems that combine GPS technology with other technology enable organisations to gain more sophisticated insights into driver behaviour, vehicle diagnostics, and fuel use. Apart from speed, a telematics system can capture details such as accelerator and brake usage frequency. Other monitoring tools, like dashcams and in-cabin cameras, can enhance security by recording footage inside and around the vehicle.
The monitoring of vehicle telematics systems enables organisations to gather a wealth of data, encompassing not just vehicle-related data, but also personal data such as employee whereabouts, driving habits and other activities. It may even be possible for organisations to collect personal data about third parties, such as passengers or other road users.
ICO launches consultation on new Data Protection Fining Guidance
On 2 October 2023, the UK's Information Commissioner's Office ("ICO") released its draft Data Protection Fining Guidance ("Draft Guidance"). The Draft Guidance provides a comprehensive overview of the legal framework underpinning the ICO's authority to levy fines, the conditions that warrant the issuance of penalty notices, and the factors that influence fine calculations. The Draft Guidance is now open for consultation until 27 November 2023.
Cracking down on cookies: Recent complaints and regulatory enforcement
While the rules relating to the use of cookies and similar tracking technologies in the UK and Europe are long established, it is only in recent years that we have seen a targeted focus by data protection authorities ("DPAs") to crack down on cookie-related compliance. This reaction from the regulators is partly a response to increasing complaints from data subjects and partly due to focused efforts by privacy activists calling for stricter regulation and enforcement action.
Breach response: How do we reconcile international incident and breach reporting requirements?
The exponential increase in the number of cybersecurity threats has led to privacy and security executives acknowledging the need for reconciliation of incident and breach reporting requirements.
ICO publishes new guidance on employee monitoring
On 3 October 2023, the Information Commissioner's Office (the "ICO") published new guidance on employee monitoring. This aims to provide practical advice to ensure that employers comply with their obligations under the UK GDPR and Data Protection Act 2018.
Snap into (ICO) action
Snap, Inc. and Snap Group Limited ("Snap") have received a preliminary enforcement notice from the Information Commissioner's Office ("ICO") over their potential failure to assess the privacy risks associated with the 'My AI' chatbot. This notice came after an investigation revealing that Snap may not have adequately identified and assessed the risks to millions of 'My AI' users in the UK, including children aged 13 to 17.
Building data bridges: UK extends EU-US Data Privacy Framework
Background
On 21 September, the Department of Science, Innovation and Technology published the Data Protection (Adequacy) (United States of America) Regulations 2023, which are set to come into effect on 12 October 2023. From this date, UK organisations will be able to transfer personal data to US entities certified under the UK Extension to the EU-US Data Privacy Framework (also known as the "UK-US Data Bridge") without the need to implement further transfer safeguards.
In anticipation of the UK-US Data Bridge, on 18 September, the US Attorney General designated the UK as a "qualifying state" under Executive Order 14086 ("Executive Order"). As a result, UK individuals can benefit from the oversight and redress mechanisms for US signals intelligence activities that have been introduced by the Executive Order.