Data privacy and AI: what should UK and EU employers look out for in 2024?



26th January 2024

As we look ahead to 2024, it is clear that both data protection and AI will continue to take centre stage in the UK, as they will in many other countries.

In this article we have looked ahead to the developments that are expected to impact UK employers in the coming year.

  • EU Regulation of AI – the hotly anticipated EU AI Act has been hailed as “the world’s first comprehensive AI law”. The most recent development was in early December 2023, when it was announced that the European Parliament and European Council had reached a provisional agreement on its final text. Although the final text has not yet been published, we have a good idea of what it will include from earlier drafts (see our earlier article here) and we are expecting the law to be adopted in early 2024, with most provisions coming into force two years afterwards. The main thing for employers to be aware of is that AI used in employment that poses a high level of risk (according to the legislation) would be subject to additional compliance requirements and safeguards. The EU AI Act will have extra-territorial scope, so international companies that are creating or using AI that is used in the EU will still be subject to it, regardless of where the company is based. The real sting is the potentially enormous fines for failure to comply with the EU AI Act, which are up to the higher of EUR 35 million or 7% of global annual turnover.
  • UK Regulation of AI – in contrast to the EU, the UK does not currently intend to introduce legislation to regulate the use of AI, preferring to focus on “innovation” and sector-specific regulation and guidance. The UK government’s approach has come under fire, notably from the Equality and Human Rights Commission (EHRC), which has said that the proposed regulations “do not go far enough”. There have been some rumblings of regulation, including the Artificial Intelligence (Regulation) Bill, a short Private Members’ Bill, introduced in November 2023, which aims to establish a central AI Authority to oversee the regulatory approach to AI.

    In a promising development, in September 2023, the Trades Union Congress (the TUC) - which is the UK “industry” body for trades unions - called for ‘urgent’ new legislation to safeguard workers’ rights and launched a new AI taskforce. The taskforce aims to publish a draft AI and Employment Bill in early 2024 and will lobby the government with the aim of getting this legislation passed. The draft legislation will be accompanied by a call for amendments to the UK GDPR to guard against discriminatory algorithms and risks to data privacy rights associated with the potential use of AI to analyse facial expressions, tone of voice and accents when screening job applicants’ suitability for roles.

  • Potential UK shift away from GDPR – following Brexit, the UK government proposed new legislation, the Data Protection and Digital Information Bill (the “Bill”), which was intended to simplify and update the UK’s data protection framework whilst reducing the compliance burden on organisations and creating more flexibility. As we considered in more detail here, it is unlikely that this will change the approach of international employers, who are likely to harmonise their approach to comply with the higher standard of GDPR in any event, but it may make data protection compliance easier for domestic companies. One concern about this new approach is whether this ‘dilution’ of GDPR might impact the adequacy decision which the UK has been granted by the EU (which, if lost, could mean a significant amount of additional paperwork for UK businesses when it comes to data transfers from the EU to the UK). The Bill is currently expected to be passed in Spring 2024, but there is a risk that the upcoming election in the UK (the date of which is unknown at the time of writing) may impact the passing of the Bill.
  • More guidance from the ICO – as we see more technological and legal developments, we are likely to see more guidance published by the UK’s data protection regulator, the Information Commissioner’s Office (the ICO). As well as guidance updating and expanding on its AI resources, we also anticipate further guidance on international transfers and guidance specifically targeted at best practice for employers. In particular, the ICO is currently consulting on draft guidance on various issues, including retention of employment records, and recruitment and selection.

  • European Commission review of EU GDPR – in 2024, the European Commission will publish its review of the EU GDPR. Although the EU GDPR was largely considered a success in terms of harmonising data protection rules and strengthening protection, some smaller points have been highlighted for discussion, such as the compliance burden for small organisations.
  • Areas of regulatory focus – as part of its strategic plans, the ICO has committed to focus its attention on the use of AI in recruitment and data protection compliance in financial services. In October 2023, the ICO issued a preliminary enforcement notice against a technology company for potential failure to properly assess the privacy risks posed by a generative AI chatbot. We suspect that the ICO will increase enforcement against companies that fail to address the privacy implications of generative AI. 

This article was also covered in JD Supra.