This Week in Data/Cyber/Tech: The DPDIB Falls at the Last Hurdle; Updating Privacy Notices for AI; and Building the Privacy and Sales Relationship.

Viewpoints
May 24, 2024
7 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.

Story #1: The DPDIB is dead; long live the DPDIB?

“War has rules. Mud wrestling has rules. Politics has no rules.”

The UK will hold a General Election on 4 July 2024. Important as data protection may be, it’s probably not realistic to think that it will be a key issue on the campaign trail and in the ballot box. Still, the timing of the election does have important ramifications for data protection reform in the UK. 

*****

In short, the Data Protection and Digital Information (No. 2) Bill — which sets out the Conservative Party’s proposed changes to the UK GDPR and DPA 2018 — will now almost certainly not pass into law. 

One never wants to be definitive about these things (see the quote above), but it seems increasingly unlikely that the DPDIB will be caught in the “wash-up” process, during which Bills can be fast-tracked through to completion. Those that are not passed cannot be carried over to the next Parliament.

On Thursday evening, Baron Prem Sikka (a member of the House of Lords) appeared to confirm that the Government has admitted defeat on the DPDIB. Whether it will be back to square one with a new administration remains to be seen. The Bill isn’t all bad (or all good), so parts of it may form the basis of any future UK GDPR reform.

But for now the message is: Keep Calm and Carry On.

*****

Should you lament the DPDIB not passing? 

On the one hand, some businesses will welcome the loosening of restrictions around Record of Processing Activities (ROPAs), legitimate interest balancing tests, data protection officers and responding to data subject rights requests, among other things. (These changes, while superficially attractive, will be less so for organisations that need to otherwise comply with the GDPR.)

The process of renewal of the UK’s adequacy decision by the European Commission should now also be made easier, given concerns in Brussels around the DPDIB watering down the UK’s data protection standards (albeit those concerns are a mix of genuine and performative sabre-rattling).

On the other hand, there have been criticisms — from interest groups, and others — around the weakening of the ICO’s role under the DPDIB, the sweeping powers of certain government bodies to require information from financial institutions in order to uncover benefit fraud, and the relaxing of accountability requirements (again, among other things).

*****

With the caveat that predicting the outcome of recent political elections has been a fool’s game, the Labour Party is heavily favoured to win the General Election. 

Labour has broadly supported the DPDIB, so it may be the case that, once elected, it looks to breathe life back into the Bill. However, even if that is the case it probably won't be a high priority in a Labour Government's 100-day plan, so it's likely to be "as you were" on the UK's data protection landscape for the foreseeable future.

Story #2: Revising privacy notices for AI processing

Do you ever read privacy notices for fun — or out of curiosity, at least? Perhaps that’s just me?

I ask as there have been stories recently about companies revising their privacy notices to reflect the use of personal data for AI/ML purposes. In some cases, these uses — and the need to opt out of the processing — came as a surprise to customers.

*****

Most organisations already are, or soon will be, grappling with how to use personal data for AI: the legality of doing so, avoiding bias and discrimination, allowing data to be accessed and corrected, and so on. These are the big questions. 

But just as important is telling people how you'll use their data, and one doesn’t need the EU AI Act — or any other regulatory standard — to understand that transparency must be one of the building blocks of an AI governance programme.

Transparency is a requirement of almost every data protection law in force around the globe, so this is not a new concept. The difference here is that (1) explaining how you will use AI is not always easy (in fact, it's often very hard), and (2) individuals will increasingly be on the lookout for this language.

*****

A good rule of thumb is that organisations with strong public-facing data protection practices will usually also have strong internal policies and processes.

This is not a perfect test. And there is the (not unreasonable) thinking that if you need to focus on only one aspect of compliance, it's your website disclosures — because they are immediately accessible by data subjects, regulators, privacy activist groups and other interested parties.

But having conducted this exercise many, many times, there's definitely a correlation between the strength (or not) of a company's website, cookies and online marketing practices and its wider data protection compliance programme. 

*****

In the U.S., the FTC earlier this year warned companies not to “quietly” update their privacy notices to capture AI processing.

And EU and UK regulatory guidance requires controllers to notify data subjects of material changes to their privacy notice. Would the use of personal data for AI/ML purposes — particularly to train the model — constitute a material update? Yes, it would.

But updating your notice (even the date of the notice), and expecting users to periodically check for changes, isn’t enough. As we’ve established, most people don't read these things for fun.

With that in mind, you will need to proactively bring changes to data subjects’ attention. This could be via email, where you should also signpost the updates rather than providing a generic statement that the notice has been updated. Alternatively (or in addition), you could provide the update via social media channels or a message displayed prominently on your website. 

There is no one-size-fits-all approach. The important thing is that you don't overlook it. You never know who might be reading your privacy notice.

Story #3: Building the relationship between privacy and sales

“Write a legal memo, if you must, and attach it to your email. But what I want is a yes or no answer.”

Last weekend I came across an episode of the Data Protection Breakfast Club podcast with Andy Dale and Pedro Pavon that I think should be mandatory listening for all junior lawyers. 

It's the type of advice that I wish was readily available when I was starting out, and would have taught me things about the practice of law that you simply can't get from text books.

*****

The episode is about the dynamic between in-house lawyers and their sales colleagues, and the challenges — and rewards — of building those relationships.

It packs so much useful (and funny) information into 30 minutes that picking out the highlights wouldn’t do it justice. Just go and listen to the podcast here.

I’ve been lucky enough to have done two client secondments: one in the last seat of my training contract, and the other as a junior-ish lawyer. Both were instrumental in helping me to see things through the client’s eyes, and I'd like to think that I’ve never looked back.

The above quote is what I was told on my first day of one of the secondments, and was a critical step in that journey (and advice that I still think about to this day).

Of course, there are times when a legal memo is required, but the point was — and remains — a good one. I've also heard it said that the takeaways from your advice should be set out in a way that doesn’t require the reader to scroll on their phone. A classically 21st century construct, but also a good one.

*****

Back to the podcast. 

Although it’s focused on the in-house world, the lessons are equally applicable to private practice. Unless you work in a single-offering firm, you will interact with colleagues in other departments. Those interactions bring their own rewards and challenges — some of them similar to in-house, and some different.

The common denominator is that, wherever you work, you are — or should be — all rowing in the same direction. One of the ways I ensure that I'm not veering us off course (and this is certainly not an original approach) is by asking myself: what are my colleagues looking to achieve, and how can I help?

That doesn’t mean you should agree to whatever they're asking just to keep them on side. Colleagues, like clients, respect you pushing back and challenging them where appropriate — indeed, they need you to do that.

And although the podcast won't necessarily teach you how to do that, it will help you to understand something about the mindset needed to be a trusted adviser.

Subscribe to Ropes & Gray Viewpoints by topic here.