Technology Regulation Update | Summer 24
A round-up of the latest regulatory developments in the technology, cyber and data space.
AI Regulations
On 12th July the EU’s Artificial Intelligence Act, Regulation (EU) 2024/1689 (“AI Act”) was published in the EU Official Journal. With its publication, EU lawmakers have triggered the countdown for businesses caught by the scope of the AI Act to get prepared for implementation. The Act will come into force from 2nd August 2024 and will introduce obligations at six-month increments. The timeline for implementation is as follows:

However, Article 111(2) of the Act states that the requirements will not apply to high-risk AI systems that are placed on the EU market before 2 August 2026 (and not intended for use by public authorities) as long as there are no significant changes to those AI systems. It would seem that any developers of high-risk systems would be heavily incentivised to place these on the EU market before 2 August 2026.
See our AI Act implementation timeline for a comprehensive overview of key dates and obligations.
However, whilst the EU Regulation comes into force in a little under two weeks, the UK’s approach to regulating AI remains less certain. Despite prior reports that Prime Minister Keir Starmer would introduce an ‘AI Bill’ as part of last week’s King’s Speech, no such announcement materialised. The King’s Speech did state that the government would “seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models”, but the legislative form that this approach will take remains to be seen. This suggests that we shouldn’t expect an AI Bill any time soon, and the government is likely to continue to be cautious and adopt a wait-and-see approach in terms of further regulation, balancing the needs for economic growth and regulation in a sector where the UK has real strengths.
The King’s Speech
After the formation of a new Labour government on 4 July, last week’s King’s Speech has provided a clearer insight into Sir Keir Starmer’s legislative priorities.
The speech included 39 Bills that the government intends to introduce into Parliament and, despite omission of an AI Bill (as noted above), it laid out the new government’s plans for technology and cyber regulation.
Digital Information and Smart Data Bill
The Digital Information and Smart Data Bill will put 3 “innovative uses of data” on a statutory footing. These uses include:
- Establishing Digital Verification Services, which is intended to make people’s everyday lives easier through innovative and secure technology.
- Developing a National Underground Asset Register, a new digital map that is revolutionising the way we install, maintain, operate and repair the pipes and cables buried beneath our feet.
- Setting up Smart Data schemes, which will provide for the secure sharing of a customer’s data on their request with authorised third-party providers.
The Bill will also modernise and strengthen the Information Commissioner’s Office (ICO), transforming its regulatory structure and introducing a CEO, board and chair. The ICO will also receive “new and stronger powers”, although exactly what these will include is not clear at this stage.
The privacy vs. convenience debate around digital ID services has been rumbling for some years now and will continue to do so. In practice, there will be significant questions around implementation and additional security obligations for organisations handling such large data repositories.
What of the Data Protection and Digital Information Bill?
The Data Protection and Digital Information Bill (DPDI) was introduced by the previous government in the 2022-23 Parliamentary session and made it as far as committee stage in the House of Lords, but by a narrow margin failed to make it through ‘wash-up’ prior to the general election.
The King’s Speech made no reference to the DPDI. However, the announcement of the Digital Information and Smart Data Bill (DISD) does suggest that progress made with the DPDI will not be lost completely. Whilst detail is light in the King’s Speech background briefing, it seems that the DISD will pick up where aspects of the DPDI left off. For example, the background briefing states that under the new DISD “Scientists will be able to ask for broad consent for areas of scientific research, and allow legitimate researchers doing scientific research in commercial settings to make equal use of our data regime.” The previous government had proposed relaxing some restrictions on the processing of personal data for scientific research purposes, broadening the definition of ‘scientific research’ and loosening transparency requirements for the processing of historical data.
The background briefing also suggests that the DISD will look to “support the creation and adoption of secure and trusted digital identity products and services from certified providers to help with things like moving house, pre-employment checks, and buying age-restricted goods and services”.
Similarly, under the DPDI the previous government was looking to set the legislative basis for the UK Digital Identity & Attributes Trust Framework and maintenance of a digital verification services register.

Cyber Security and Resilience Bill
In recognition that critical services remain under severe strain from cyber attack (both state-sponsored and from criminal groups), the government will be looking to update and expand on the existing Network and Information Systems Regulations 2018. The EU updated its original NIS Directive (on which the UK’s current regulations are based) in 2023, to include additional sectors and digital service providers (member states have until 17 October to transpose “NIS2” into national law), and a domestic update has long been on the cards given the UK is now at risk of falling out of regulatory step.
As part of the Cyber Security and Resilience Bill, look out for an expansion in the digital services and supply chains covered in the 2018 regulations (potentially to include managed service providers, as trailed in the previous government’s consultation on updating the 2018 regulations), a beefing-up of regulatory powers and more incident reporting obligations (possibly in recognition of voluntary reporting not being successful in shifting the dial). Expect these obligations to specifically include reporting on ransomware, while potentially stopping short of banning the payment of ransoms outright. The ICO and NCSC have been clear that victims should not pay ransoms, and it will be interesting to see how the new reporting obligations complement this stance.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.