Blog

The EU AI Act: enforcement overview

The EU Artificial Intelligence Act (the "AI Act") is a legal framework for the regulation of AI in the EU. While it became law on 1 August 2024, many of its provisions won't come into effect until 2025-2026. 

In preparation for when the majority of the provisions of the AI Act come into force, in this article we set out how the AI Act will be enforced, and the penalties for non-compliance with the legislation.

ICO's fifth call for evidence on generative AI

Background

The UK Information Commissioner's Office ("ICO") has announced its fifth and final call for evidence as part of its consultation series examining how data protection law applies to generative AI.

Previous consultations in this series have focused on:

  • lawful basis for web scraping to train generative AI models;
  • purpose limitation in the generative AI lifecycle;
  • accuracy of training data and model outputs; and
  • engineering individual rights into generative AI models.

Please see here for our insights on the first, third and fourth consultations.

The focus of this fifth consultation is the allocation of accountability across the generative AI supply chain. The results of this and previous consultations will be used to shape the ICO's policy position on generative AI. This call for evidence is open until 18 September 2024 and can be responded to via this link.

In this blog post, we explore the ICO's analysis, and the policy positions it is consulting on.

Ofcom fines TikTok for failure to comply with information request

On 23 July 2024, Ofcom, the UK’s communications and online safety regulator, issued its final decision to TikTok Information Technologies UK Limited ("TikTok"), imposing a financial penalty of £1,875,000 (reduced from £2,500,000) for breaches related to its compliance with the Communications Act 2003. This decision marks a crucial step in enforcing regulatory standards on video sharing platforms ("VSPs") to ensure the safety and protection of users, particularly minors, and is a sign of Ofcom's likely approach to enforcement under the Online Safety Act 2023.

Cracking down on cookies 2.0: Latest complaints and regulatory actions

This blog post provides an update on the latest developments in cookie complaints and regulatory enforcements following our previous blog post on the surge of cookie-related complaints and the consequential regulatory enforcement actions by data protection authorities ("DPAs") in the UK and EU.

For the purposes of this blog post, cookies and similar technologies are collectively referred to as "cookies".

Data Subject Access Requests – Harrison v Cameron and ACL judgment

On 7 June 2024, a significant data protection judgment was handed down in the High Court case of Harrison v Cameron and ACL. The case highlights three key issues for organisations to take into account when handling data subject access requests:

  1. individual directors may be under an obligation to respond to a DSAR, as well as their company;
  2. requesters may in principle be entitled to be informed of the specific identities of the recipients of their personal data; and
  3. the "rights of others" exemption can take into account the motive of the requester and the wellbeing and safety of other parties.

Guidance on enforcement of UK connected products regime - Product Security and Telecoms Infrastructure Act

Background

The UK Office for Product Safety and Standards ("OPSS") has issued guidance explaining its enforcement powers when addressing non-compliance with the UK Product Security and Telecoms Infrastructure Act 2022 ("PSTIA"). PSTIA regulates the security of internet-connectable products and other products capable of connecting to them, as well as electronic communications infrastructure, seeking to enhance the security and resilience of smart devices and the infrastructure that supports electronic communications. This guidance sits alongside the OPSS's Enforcement Policy, which outlines its risk-based approach to non-compliance.

The guidance explains the five enforcement actions available to the OPSS where there has been a breach of duty under Part 1 of the PSTIA. Part 1 of the PSTIA and the related Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Security Regulations") came into effect on 29 April 2024. Please see this article for further details about the Security Regulations.

Experian's win against the ICO in Upper Tribunal

On 23 April 2024, in another setback for the UK Information Commissioner’s Office’s ("ICO") enforcement efforts, the Upper Tribunal ("Tribunal") agreed with the First-tier Tribunal's ("FTT") decision last year in favour of Experian Limited ("Experian"), dismissing the appeal brought by the ICO. This decision reinforces the lawfulness of the marketing activities in question.

Important CJEU ruling on automated decision making and credit scoring under GDPR

On 7 December 2023, the Court of Justice of the European Union ("CJEU") delivered two new judgments on the scope and interpretation of the automated decision-making restrictions under the GDPR.