In what seems like a blink of any eye, we’re into the second quarter of 2023. Meg Manganaro, trainee solicitor in the Commercial and Technology team, reflects on key stories of the year so far.
TikTok is fined for misusing children’s data
Earlier this month, news broke that TikTok had been issued with a £12.7 million fine for multiple breaches of data protection law between May 2018 and July 2020. The ICO found that, among the breaches, TikTok had done ‘very little, if anything’ to prevent, check or remove under-13s from accessing the platform without parental consent, even as its own rules state that children of that age may not create an account.
For TikTok, the £12.7 million figure was a welcome reduction to the £27 million the ICO initially intended to impose. Nonetheless, it is still one of the largest fines the ICO has issued to date and illustrates the UK’s approach in holding big tech to account when it comes to data protection.
What’s the takeaway?
The ICO’s stated objectives to bolster the protection of children’s data in the digital world should not be taken lightly. This decision, the introduction of the Children’s Code (a data protection code of practice for online services likely to be accessed by children) and the Online Safety Bill (which is currently making its way through Parliament and likely to follow later this year) are indicative of the regulatory regime’s stance when it comes to online harms.
Businesses providing online services, particularly those likely to be accessed by children (such as apps, online games and social media sites), should be aware of and ensure compliance with their data protection obligations, or risk facing significant consequences, as TikTok did.
Patent pending? DABUS reaches the Supreme Court
In September 2021 the Court of Appeal ruled that DABUS, an AI or “creativity” machine that uses neural networks to create and assess new ideas, could not be named as the inventor under the Patents Act 1977. This was after two GB patent applications submitted by Dr Stephen Thaler naming DABUS as the inventor were refused by the IPO.
Fast forward and the case has now been heard in the UK Supreme Court. Judgment can be expected to follow in the next three to nine months and will decide whether a UK patent must always require a human inventor, a tussle that has been almost five years in the making and has divided jurisdictions.
The ICO updates its guidance on AI and data protection
AI is taking the world by storm and many businesses are keen to adopt the technology on offer to increase efficiency and save business costs. However, as Italy’s recent ban of ChatGPT shows, AI is not necessarily without its data protection concerns.
To address some of these concerns, and following requests from UK industry, the ICO has updated its guidance on the interaction of AI and data protection.
In doing so, it’s pledged its support of the government’s ‘mission to ensure that the UK’s regulatory regime keeps pace with and responds to new challenges and opportunities presented by AI’ while reducing the burden of compliance for organisations and protecting people and vulnerable groups.
The key changes and additions to the guidance are:
Updates to the existing factors to consider as part of a data privacy impact assessment (DPIA)
A new standalone chapter on the transparency principle as it applies to AI
New guidance on how to ensure lawfulness, fairness and accuracy in AI
An updated glossary explaining AI-related terms and concepts
While there are currently no plans to introduce legislation, the government has set out a flexible approach to AI regulation in its white paper, published on 29 March 2023. The related consultation will close on 21 June 2023.
The Data Protection and Digital Information (No.2) Bill has its second reading
As an update to our recent report on the UK’s plans for post-Brexit data reform, the Data Protection and Digital Information (No.2) Bill (the “Bill”) has now passed its second recording in the House of Commons. The Bill will now undergo further scrutiny during the committee stage, which is likely to focus on areas highlighted during parliamentary debate:
Maintaining adequacy with the EU
The Minister for Data and Digital Infrastructure, Julia Lopez outlined the government’s intentions:
“If we want a business-friendly regime, we do not want to create regulatory disruption for businesses, particularly those that trade with Europe and want to ensure that there is a free flow of data.”
She confirmed that the UK has been in ‘constant contact’ with the European Commission about the proposals and the government is confident the UK’s adequacy status will be maintained after the enactment of the Bill.
Will the Bill in fact reduce regulatory “red tape”?
While the Bill was lauded for having been developed alongside business leaders and data experts (parties who in principle stand to benefit from reduced compliance burdens), concerns have been raised that the government has ‘forgotten’ that the priority of data protection law is to protect consumers, rather than be helpful to businesses.
Whether the Bill would indeed reduce the regulatory burden for businesses has also come under scrutiny, as it will potentially be asking businesses operating across the UK and EU to comply with multiple standards.
Could automated decision-making and AI undermine key principles of GDPR?
The Bill follows the “pro-innovation approach” the government has adopted in its recent White Paper, but commentators are concerned this approach will remove important GDPR safeguards, including transparency and accountability, that protect the public from algorithmic bias and discrimination.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.