Following our 2023 round up, we have pulled together a selection of significant legal developments that we believe will happen in 2024. As with the previous blog, this is not a comprehensive list and clearly, as with any attempt at prediction, it comes with a general caveat that things may not pan out quite in the way expected so please do sign up to our legal updates to keep up to date. Some of the areas highlighted affect only organisations operating in specific sectors and some may not apply directly in the UK, but we've highlighted them for general awareness purposes.
- Artificial Intelligence – On 8 December 2023, the EU Parliament and Council reached a political agreement on the Artificial Intelligence Act (the "AI Act"), calling it the "world's first comprehensive AI law". The AI Act will introduce obligations for providers and users depending on the level of risk from AI. AI systems considered as posing a threat to people (classified as unacceptable risk) will be banned – though there may be some exceptions for law enforcement purposes. The AI Act sets out (in article 5) the AI practices which are prohibited including AI systems which have social scoring which classify people based on behaviour, socio-economic status or personal characteristics, and real-time and remote biometric identification systems, such as facial recognition. There is also a high-risk category - high-risk AI systems being required to be assessed through a conformity assessment procedure both before being put on the market and also throughout their lifecycle. Note that some systems will be deemed automatically to be high risk – for example, those AI systems to be used as a safety component of a product. AI systems assessed as 'limited risk' will have to comply with transparency requirements, primarily to ensure that users are aware they are interacting with AI, allowing them to make informed decisions as to whether and how they want to use it. Failure to comply with the prohibition on AI systems which are considered as posing unacceptable risk or with the requirements in relation to high risk AI systems may lead to fines up to 30 million euro or 6% of global turnover (for companies), depending on the seriousness of the failure. The next step is for the Parliament and Council to formally adopt the text to become EU law, which is expected to happen this year, with the Act to become fully applicable in 2025. Whilst the AI Act will not apply in the UK, it does have the potential to affect businesses based in the UK which are active in the EU. It may also influence any future UK legislation in this area. It will be interesting to observe over time what effect the AI Act has on the development and use of AI within the EU, particularly in comparison with other jurisdictions (such as the US or the UK) that may take different approaches to AI regulation.
- Consumer Protection - The Digital Markets, Competition and Consumers Bill (the "DMCC Bill") was introduced to the UK parliament on 25 April 2023 and aims to protect consumers by both strengthening the enforcement of consumer protection law and introducing new consumer rights. The DMCC Bill would give expanded powers to the Competition and Markets Authority ("CMA") with regards to enforcement of UK consumer protection laws. The CMA's Digital Market Unit will be granted powers to assign certain firms "strategic market status" meaning such firms will need to abide by any code of conduct and any other conduct requirements imposed by the CMA. The DMCC Bill also aims to regulate subscription contracts including introducing requirements on pre-contract information, reminder notices, ending the contract and implied terms. These provisions are intended to protect consumers against subscription contracts (common with apps, for example) which offer a subscription at a reduced price or for free for a limited initial period but which then auto-renew at the end of the initial period at a higher price, without giving the consumer a fail opportunity to cancel beforehand. The CMA will be entitled to impose penalties of up to 10% of global turnover for breach of requirements under this new consumer law. On 5 December 2023, the DMCC Bill had its second reading in the House of Lords and will now progress to committee stage. It is expected to receive Royal Assent in the spring and come into force in autumn of 2024.
- Data Protection Reform – Whilst the EU-US Data Privacy Framework and the UK-US Data Bridge dominated the data protection headlines last year, UK data protection reform rumbles on in the background. As we mentioned in our blog at the start of 2023, the UK Government introduced a Data Protection and Digital Information Bill (the "DPDI Bill") in 2022 but its progress through Parliament was put on hold before a new one was introduced. The (new) DPDI Bill has now reached the committee stage in the House of Lords and is expected to become law in 2024. The DPDI Bill amends the existing UK GDPR regime with the aim of making it less onerous whilst also maintaining data protection standards at the level set by the EU GDPR (so as not to jeopardise the EU's adequacy finding for the UK). Changes include allowing controllers to refuse a data subject access request or charge a fee for responding to it if that request is 'vexatious or excessive'. The legislation also provides for a new 'recognised legitimate interests' legal basis for processing personal data.
- Digital Services –The Regulation (EU) 2022/2065 on a single market for digital services and amending Directive 2000/31/EC (Digital Services Act ("DSA")) was published 27 October 2022 and came into force 16 November 2022. However, not all provisions entered into force at that time, but most of the provisions of the DSA will be in force from 17 February 2024 (although it already applies to very large online platforms and search engines with more than 45 million users). The DSA regulates online intermediaries and platforms including social networks and content-sharing platforms. Small companies with fewer than 50 employees and less than 10 million euro, however, are exempt. As with the AI Act, the DSA will apply in the EU – not the UK - , but because it applies to non-EU service providers who offer or target services at individuals in the EU, it has the potential to affect UK businesses active in the EU.
- Data Infrastructure Security – On 14 December 2023, the UK Government published a consultation on minimum security standards for UK data infrastructure seeking input from data centre operators, cloud platform, managed services providers and other interested parties. The consultation builds on the evidence gathered through the data storage and processing infrastructure security and resilience call for views in 2022 and is part of the Government's plans to beef up UK resilience in the face of the heightened risks of cyber-attack. The output of this consultation will be a new set of Regulations covering UK based data centre services which will sit alongside (and complement) the Network and Information Systems ("NIS") Regulations. The Government is proposing that cloud services would be out of scope of these proposals. Managed services would also be out of scope because the Government's intention is that they will become regulated under NIS Regulations, under separate proposals to extend their current coverage, as mentioned in our 2023 blog.
- Automated Vehicles – A new Automated Vehicles Bill (the "AV Bill") was introduced to parliament in early November to create a legal framework for self-driving vehicles and to facilitate the roll-out of self-driving vehicle technology. It implements the recommendations of the review of regulation for self-driving vehicles carried out jointly by the Law Commission of England and Wales and the Scottish Law Commission, which was published in 2022. The Government is currently supporting trials and providing funding for self-driving technologies, including the £66 million Commercialising Connected and Automated Mobility fund. The Government has said the purpose of the AV Bill is to put safety at the heart of self-driving technologies. The AV Bill includes an obligation on the Secretary of State to prepare a statement of the principles that they propose to apply in assessing whether a vehicle is capable of travelling autonomously and safely. The AV Bill also includes provisions in relation to liability, protecting users from being held accountable or criminally liable if the offence results from the vehicle's actions.
- Advertising – in the advertising space, new sets of rules are to be introduced to impose requirements concerning claims made for low/non-alcoholic drinks and junk (or "less healthy") food and drink.
- New Rules on Alcohol Alternatives – On 14 November 2023, the Committee of Advertising Practice and the Broadcast Committee of Advertising Practice, which are responsible for writing and updating the UK advertising codes, published a statement introducing new rules and guidance in relation to the marketing of alcohol alternative products. These alternative products do not fall under the alcohol rules. The new rules and guidance, applying to both broadcast (eg. TV and radio) and non-broadcast media (eg. in print or online), are to apply from 14 May 2024 and will be reviewed after 12 months. Alcohol alternatives are defined as products with an ABV at or below 0.5% and are marketed as alternatives to alcohol (such as non-alcoholic beer or non-alcoholic gin).
- Advertising Rules on Less Healthy Food and Drink – On 13 December 2023, the Advertising Standards Agency (the "ASA"), the UK's independent advertising regulator, published a consultation on the implementation of new restrictions on advertising less healthy food and drink on TV, in on-demand programme services and online. The restrictions were introduced by the Health and Care Act 2022 and will apply from 1 October 2025. They will prohibit advertising and sponsorship for less healthy food and drink products between 5:30am and 9pm with a ban for paid-for online adverts for such products aimed at UK consumers. The consultation will close on 7 February 2024.
- Employment – 2024 promises to be a busy year in the field of employment and immigration. Our employment and immigration colleagues have published at 2024 HR, employment and immigration to-do list, which can be accessed via this link.
If you would like to discuss anything raised in this blog in more detail, please get in touch with a member of the corporate and commercial team or your usual Brodies contact.
Contributors
Grant Campbell
Partner
Alison Bryce
Partner
Martin Sloan
Partner
Robert Ross
Partner
Grant Strachan
Partner
Andy Nolan
Partner
Clare O'Toole
Solicitor