The King’s Speech: What now for AI regulation and Data Protection reform?

Ibrahim Hasan assesses the Labour Government’s proposed reforms in the AI and data protection fields.

The new Labour Government’s legislative programme was outlined in the King’s Speech at the State Opening of Parliament yesterday. Here are the key Bills information governance professionals need to look out for.

An AI Bill?

Despite media reports, the King’s Speech did not include a bill to regulate artificial intelligence(AI). The King said that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”. Expect a government consultation to be announced soon.

However, it is likely that new AI requirements will be introduced in other forthcoming legislation e.g the Product Safety and Metrology Bill. The published summary of this bill states that it aims to “support growth, provide regulatory stability, and deliver greater protection for consumers by addressing new product risks and opportunities, allowing the UK to keep pace with technological advances such as AI.” Managing AI in the context of product safety aligns with certain aspects of the EU AI Act. (see below)

When an AI Bill does finally appear, it is likely to focus on the production of large language models (LLMs), the general-purpose technology that underpins AI products such as OpenAI’s ChatGPT and Microsoft’s Copilot. As the Labour election manifesto says:

“Labour will ensure the safe development and use of AI models by introducing binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes.”

Meanwhile Europe is going full speed ahead on AI regulation. The EU AI Act will be on the EU statute books on 1st August 2024 and then become enforceable in stages. (A useful summary has been produced by lawyers at Stephenson Harwood.)

Cyber Security and Resilience Bill

A new Cyber Security and Resilience Bill will be introduced. It will expand regulation to cover more digital services and supply chains, empower regulators to ensure cyber security measures and mandate increased incident reporting to improve the government’s response to cyber-attacks including where a company has been held to ransom.

The Bill seems to be a response to recent high profile cyber-attacks. In June on Synnovis, the NHS service provider responsible for blood tests, swabs, bowel tests, and other critical services was the target of an attack affecting NHS patients across six London boroughs. Two major London hospital trusts had to cancel all non-emergency operations and blood tests.  It later transpired that, Qilin, a Russian cyber-criminal group, shared almost 400GB of private information on their darknet site.   

Digital Information and Smart Data Bill

No reference was made to data protection reform in the King’s Speech, but a Digital Information and Smart Data Bill was announced. The main provisions of the new Bill are:

  • Scientists will be able to ask for broad consent to use personal data for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make more use of personal data.
  • The Information Commissioner’s Office (ICO) will be transformed into a “more modern regulatory structure”, with a CEO, board and chair. It will also have new stronger powers.
  • The establishing of digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services e.g. to help with things like moving house, pre-employment checks and buying age restricted goods and services. This is not the same as compulsory digital ID cards as some media outlets have reported.
  • The creation of a legal framework for Smart Data. This is the secure sharing of customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only active example of a regime that is comparable to a ‘Smart Data scheme’ – but needs a legislative framework to put it on a permanent footing, from which it can grow and expand.

Most of these proposals are not particularly controversial and were in the Data Protection and Digital Information Bill  which failed to make it through Parliamentary “wash up” stage when the election was announced.

There may be more changes to come. We are told there will be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies”.

There is much to chew over for IG professionals in the King’s Speech. As ever the devil will be in the detail (the Bills when published). Interesting times ahead.

Ibrahim Hasan is a solicitor and director of Act Now Training.

This and other data protection developments will be discussed in detail on Act Now's forthcoming GDPR Update workshop.