Insights AI and Privacy Special: EU and UK Horizon Scanning

It’s AI Act Day!

The AI Act was published in the Official Journal today, meaning that it enters into force in early August 2024. Most of its rules apply two years after entry into force.

The AI Act puts in place new compliance rules for certain AI systems and models. It classifies AI systems into three categories, based on their level of risk, and the level of compliance obligations flows from that classification.

AI systems not falling within these three categories are not subject to regulation under the AI Act.

The AI Act imposes additional compliance obligations relating to the use of personal data in certain, specified areas, such as emotion recognition and biometrics, which is treated differently and with more granularity than under GDPR.

AI systems – whether or not subject to the AI Act – that process personal data must comply with the EU / UK GDPR, and Article 22 of the EU / UK GDPR is worth considering if your AI system is being used for profiling or decision-making purposes.

In addition, the AI Act imposes obligations on businesses in respect of their use of other types of data or content to train the AI system, and we flag in particular new requirements to disclose the use of AI in the creation of content and to label content created by AI in metadata.

Providers of GPAI models are additionally subject to new obligations relating to the use of copyright content to train their models.

The AI Act has extra-territorial scope, meaning that even if you are based outside of the EU you may be caught by the AI Act if you are using AI systems within the EU or in respect of EU persons.

  1. Ensure any processing of personal data in the course of developing and operating the AI system is GDPR-compliant.
  2. Determine whether the system falls within the scope of the AI Act.
  3. Consider whether there are additional compliance obligations for the use of personal data stemming from the AI Act.
  4. Consider whether there are additional relevant AI Act obligations.

If you’d like to read the full AI Act yourself (warning: it is long), you can do so here.

The DPDI2 was nearly finalised, but was not pushed through by the Conservative government prior to the elections.

The DPDI2 had proposed to ‘soften’ some of the UK GDPR requirements, particularly around Records of Processing Activity and the requirements for appointing Data Protection Officers / Senior Responsible Individuals.

It did also propose increasing the fines for cookie and direct marketing infringements from £500,000 to UK GDPR standards (the higher of £17.5m or 4% of global turnover).

Some commentators are saying that the DPDI2 has therefore “failed”.

It is unknown what the Labour government’s attitude will be towards the DPDI2 and whether or not it will be revived.

It does seem likely that a version of the DPDI2 (perhaps the Data Protection and Digital Information (No. 3) Bill) will be proposed and will become law at some point in the near future.

But for now, it is a case of wait and see.

It is worth remembering that the ICO remains on the case with cookies and remains active in relation to direct marketing.

Key takeaway: keep your eyes peeled for announcements by the Labour government regarding new data protection legislation.

The proposed Regulation on Privacy and Electronic Communication (the e-Privacy Regulation) remains stuck in interinstitutional negotiations (trilogue), with the European Parliament and the Council unable to agree on a final text.

The e-Privacy Regulation was proposed in 2017 to replace the e-Privacy Directive (2002/58/EC) and focuses on cookies and other tracking technologies, electronic communications data and electronic direct marketing.

The intention was for it to come into force on 25 May 2018!

News reports indicate that Member States have requested the Commission to address online advertising and tracking as a matter of priority in its next mandate, with some Member States requesting the Commission to withdraw the draft legislation and put forward a new proposal. Once the new Commission takes office, we can expect more clarity on next steps.

Meanwhile, the voluntary cookie pledge, announced in 2023 to reduce cookie fatigue, has been shelved, as it failed to gain traction amongst the intended signatories, adding to the pressure to find a legislative solution to consumer tracking.

Key takeaway: keep your eyes on the Commission in the autumn – an announcement on next steps in online tracking is likely.