As the year 2024 unfolds, the intersection of data protection and artificial intelligence (AI) takes the spotlight, not just in the UK but globally. The highly awaited EU AI Act, often touted as “the world’s first comprehensive AI law,” is nearing implementation. In December 2023, the European Parliament and European Council reached a provisional agreement on its content. While the final text is yet to be published, earlier drafts provide insights. Expected to be adopted in early 2024, it will come into full force two years afterward.
Employers should take note that AI used in employment that the legislation defines as high-risk will face additional compliance obligations and safeguards. Importantly, the EU AI Act will have a global reach, impacting international companies utilizing AI within the EU, regardless of where they are headquartered. Violations of this regulation may lead to substantial fines, reaching as high as EUR 35 million or 7% of global annual turnover.
UK regulation of AI: A different approach
In contrast to the EU’s stringent approach, the UK is pursuing a distinct path, abstaining from introducing comprehensive AI legislation. Instead, it focuses on fostering innovation and sector-specific regulation and guidance. Critics, including the Equality and Human Rights Commission (EHRC), argue that the UK’s approach falls short. Nonetheless, there have been signs of regulatory movement, exemplified by the Artificial Intelligence (Regulation) Bill, a brief Private Members’ Bill introduced in November 2023. This bill aims to establish a central AI Authority responsible for overseeing AI regulation.
A glimmer of hope emerged in September 2023 when the Trades Union Congress (TUC), representing trade unions in the UK, called for urgent legislation to safeguard workers’ rights and formed an AI taskforce. The taskforce intends to unveil a draft AI and Employment Bill in early 2024. It will advocate for legislative amendments to the UK GDPR to address potential issues like discriminatory algorithms and threats to data privacy rights associated with AI’s analysis of facial expressions, tone of voice, and accents during job applicant assessments.
Potential UK departure from GDPR
Post-Brexit, the UK government proposed the Data Protection and Digital Information Bill, aimed at simplifying and modernizing the UK’s data protection framework. While this legislative shift might ease data protection compliance for domestic companies, international employers are likely to maintain compliance with the stringent GDPR standards. An area of concern is whether this departure from GDPR could jeopardize the EU’s adequacy decision granted to the UK. Losing this decision could result in additional paperwork for UK businesses handling data transfers from the EU. The Bill is anticipated to pass in Spring 2024, though the timing may be influenced by the upcoming UK election.
ICO guidance and European Commission review
The Information Commissioner’s Office (ICO), the UK’s data protection regulator, is expected to release more guidance in response to evolving technology and legal developments. This includes expanded AI resources and targeted advice for employers, especially in the areas of international transfers and best practices. In the meantime, the ICO is soliciting input on draft guidance covering various topics, such as employment records retention and recruitment and selection.
In 2024, the European Commission is set to review the EU GDPR. While the GDPR has largely succeeded in harmonizing data protection rules and enhancing privacy protection, some minor aspects, such as compliance burdens for small organizations, may come under scrutiny.
Regulatory focus areas: AI in recruitment and data protection in financial services
As part of its strategic agenda, the ICO has committed to scrutinizing AI’s role in recruitment and data protection compliance within the financial services sector. In October 2023, the ICO issued a preliminary enforcement notice against a technology firm for potentially failing to adequately assess the privacy risks posed by a generative AI chatbot. This signals that the ICO is likely to increase enforcement actions against companies that neglect the privacy implications of generative AI.
In summary, 2024 is poised to be a pivotal year for data privacy and AI regulations in the UK and EU. While the EU AI Act promises comprehensive AI oversight, the UK adopts a more industry-focused approach. Both regions are navigating the complex intersection of data privacy and AI, with potential implications for employers, data controllers, and technology innovators.