Tag: King’s Speech

The King’s Speech: What now for AI regulation and Data Protection reform?

The new Labour Government’s legislative programme was outlined in the King’s Speech at the State Opening of Parliament yesterday. Here are the key Bills information governance professionals need to look out for.

An AI Bill?

Despite media reports, the King’s Speech did not include a bill to regulate artificial intelligence(AI). The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. Expect a government consultation to be announced soon.

However, it is likely that new AI requirements will be introduced in other forthcoming legislation e.g the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act. (see below)

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto says:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

Meanwhile Europe is going full speed ahead on AI regulation. The EU AI Act will be on the EU statute books on 1st August 2024 and then become enforceable in stages. (A useful summary has been produced by lawyers at Stephenson Harwood.)

Cyber Security and Resilience Bill

A new Cyber Security and Resilience Bill will be introduced. It will expand regulation to cover more digital services and supply chains, empower regulators to ensure cyber security measures and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom.

The Bill seems to be a response to recent high profile cyber-attacks. In June on Synnovis, the NHS service provider responsible for blood tests, swabs, bowel tests, and other critical services was the target of an attack affecting NHS patients across six London boroughs. Two major London hospital trusts had to cancel all non-emergency operations and blood tests.  It later transpired that, Qilin, a Russian cyber-criminal group, shared almost 400GB of private information on their darknet site.   

Digital Information and Smart Data Bill

No reference was made to data protection reform in the King’s Speech, but a Digital Information and Smart Data Bill was announced. The main provisions of the new Bill are:

  • Scientists will be able to ask for broad consent to use personal data for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make more use of personal data.
  • The Information Commissioner’s Office (ICO) will be transformed into a “more modern regulatory structure”, with a CEO, board and chair. It will also have new stronger powers.
  • The establishing of digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services e.g. to help with things like moving house, pre-employment checks and buying age restricted goods and services. This is not the same as compulsory digital ID cards as some media outlets have reported.
  • The creation of a legal framework for Smart Data. This is the secure sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only active example of a regime that is comparable to a ‘Smart Data scheme’ – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand.

Most of these proposals are not particularly controversial and were in the Data Protection and Digital Information Bill  which failed to make it through Parliamentary “wash up” stage when the election was announced.

There may be more changes to come. We are told there will be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies”.

There is much to chew over for IG professionals in the King’s Speech. As ever the devil will be in the detail (the Bills when published). Interesting times ahead.

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.

AI Bill to be included in King’s Speech

A bill to regulate Artificial Intelligence(AI) will be one of 35 bills to be included in the King’s Speech tomorrow according to the Financial Times. The Bill will seek to enhance the legal safeguards surrounding the most cutting-edge AI technologies, according to people briefed on the plans.

The 2024 Labour election manifesto contained pledges to support the development of AI. It stated Labour would ensure their “industrial strategy supports the development of the AI sector and removes planning barriers to new datacentres.”  The Bill seeks to follow through on the manifesto pledge to regulate AI but only in some cases:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

The Bill is likely to focus on the production of large language models (LLMs), the general-purpose technology that underlies AI products such as OpenAI’s ChatGPT.
It is a departure from the previous government’s approach which was not to place AI regulation on a statutory footing but to make use of “regulators’ domain-specific expertise to tailor the implementation of the principles to the specific context in which AI is used.” 

The new Bill follows the EU’s tougher approach.  The EU AI Act was published in the Official Journal of the EU last Friday (July 12th 2024) firing the gun for the enforcement countdown. It will be on the EU statute books on 1st August 2024 and then become enforceable in stages.

The main provisions of Act can be read here. In summary, the Act sets out comprehensive rules for AI applications, including a risk-based system to address potential threats to health and safety, and human rights. The Act will ban certain AI applications that pose an “unacceptable risk,” including real-time and remote biometric identification systems such as facial recognition. Additionally, it will impose strict obligations on those considered “high risk,” encompassing AI used in EU-regulated product safety categories, for example, cars and medical devices. These obligations include adherence to data governance standards, transparency rules, and the incorporation of human oversight mechanisms.

It will be interesting to read the text of the new Bill when it is published especially how it overlaps with the provisions on the UK GDPR.

Our AI Act workshop will help you understand the new law in detail and its interaction with the UK’s objectives and strategy for AI regulation.