In the King’s Speech on 17 July 2024, it was announced that that the new UK government will introduce a number of bills, including some which will no doubt have an impact on those advising in the technology and data protection space.
It was announced that ‘appropriate legislation’ will be introduced to regulate the use of artificial intelligence (“AI”) and there will also be a new Digital Information and Smart Data (“DISD”) Bill, which will enable “new innovative uses of data to be safely developed and deployed”. This new legislation is among several other bills that are expected to become law over the course of the first parliamentary session of the new government. Other noteworthy bills from a technology and consumer perspective include the Cyber Security and Resilience Bill, and the Product Safety and Metrology Bill (which may have some provisions that have a knock-on effect on technology implementation).
What will AI regulation look like in the UK?
While the details of the King’s Speech indicate the sense of direction for AI regulation in the UK, the detail is yet to emerge. As stated in the King’s Speech:
“[The government] will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”.
The announcement of AI legislation follows the Labour Party manifesto, which pledged to introduce “binding regulation on the handful of companies developing the most powerful AI models” (see page 35). It was also suggested by the (then shadow) Secretary of State for Science, Innovation and Technology that this could include a ‘statutory code’, requiring organisations to share certain data relating to testing AI models with the government.
This approach appears to be in contrast to the previous Conservative government’s policy paper outlining a ‘pro-innovation’ approach, which suggested lighter-touch regulation, although until we get more flesh on the bones in terms of what this ‘appropriate legislation’ might look like, it is hard to say for certain how different the approaches in practice really are.
The introduction of AI legislation is expected to be supported by the creation of a new Regulatory Innovation Office, which will “help regulators update regulation, speed up approval timelines, and co-ordinate issues that span existing boundaries” (as noted in the Labour manifesto).
The news coincides with the publication of the EU AI Act last week (which comes into force next month; see our analysis here). Given the limited detail, it is too early to speculate how closely AI legislation will follow the EU framework, but as noted above, the government will focus on the ‘most powerful’ AI models. It is also worth noting the following from the King’s Speech:
"[The government] will seek to reset the relationship with European partners and work to improve the UK's trade and investment relationship with the European Union."
Therefore, it seems that the new legislation could take a similar harms-based approach to the EU, albeit with a possibly more limited scope with focus on those AI models that pose a particularly high risk. This will be a key topic for organisations that will be impacted by the upcoming EU AI Act, as the extent of divergence between EU and UK AI law could create additional regulatory burden.
What about new data protection law?
Again, it is too early to know exactly what the proposed data legislation will cover but it appears the new DISD Bill is likely to cover the following (see the background briefing notes):
- Reforming data sharing and standards for public services;
- New laws to support science and research;
- More powers for the ICO and a ‘more modern’ structure;
- Establishing ‘Digital Verification’ services; and
- ‘Smart Data’ schemes which relate to the sharing of customer data.
While it is currently unclear what additional obligations this is likely to impose on organisations, this legislation will certainly be relevant to most organisations; in particular, what the additional powers the ICO is likely to have.
For the time being, the UK GDPR and Data Protection Act 2018 will continue to be the main sources of data protection law in the UK, and it appears that the DISD Bill will compliment this framework, rather than replace it. It is also worth noting that there are considerable technical issues relating to the interpretation of the UK GDPR, due to the implementation of retained EU law legislation by the previous Conservative government that should be addressed.
Finally, there will also be a new Cyber Security and Resilience Bill, which will aim to strengthen the protection of digital services. The devil will be in the detail with respect to the impact this will have on business. That said, interestingly, it appears that this will include a mandate for organisations to provide increased incident reporting to give the government better data on cyber-attacks, which could impose additional data incident reporting obligations.
What next?
Now Labour have outlined their plans for legislation, a lot of time and effort will be required to flesh out their proposals which will then need to be introduced and passed through the parliamentary legislative process. While Prime Minister Sir Keir Starmer hints at a fast pace for new law by stating that “the legislation set out at the King’s Speech will build on the momentum of our first days in office”, and (in the case of AI legislation) with the introduction of the Regulatory Innovation Office to potentially support the passage of AI legislation through Parliament, it could be some time before new law is published and enacted. For comparison, the EU AI Act was first proposed in April 2021 and took just over 3 years to be finalised, following extensive debate. While the extent of its regulation is not yet clear, the introduction of AI legislation in some form in the UK is now almost certainly a case of ‘when’ rather than ‘if’. While awaiting these details, it would be prudent to consider how well your organisation's practices are aligned with the EU AI Act.
See our article here which provides a summary of other topics raised in the King’s Speech.