By Nicola Kerr-Shaw Aleksander J. Aleksiev, of Skadden, Arps, Slate, Meagher & Flom LLP
Last month the new Labour government in the UK announced in the King’s Speech that it will introduce new artificial intelligence (AI) rules alongside cybersecurity and digital information bills. A brief overview of these developments is set out below.
Artificial Intelligence
To date, the UK has taken a principles-based, “pro-innovation” approach to AI that relied on the application of existing laws rather than introducing dedicated AI legislation. This announcement therefore marks a potential shift in the UK’s approach to AI regulation.
There is limited information available but the government has indicated that regulation will focus on “the handful of companies developing the most powerful AI models”. The government has not yet confirmed that it will bring forward legislation, but speaking before the election, Peter Kyle, who is now the Secretary of State for Science, Innovation and Technology, indicated that the government would introduce a “statutory code” requiring companies to release test data for scrutiny by the government’s AI safety institute. Kyle also indicated, however, that “we don’t want to stop this development”, suggesting that the government may stop short of the full prohibitions seen in the EU AI Act and instead impose targeted guardrails on the highest-risk models, such as those currently considered “general-purpose AI systems” under the EU AI Act.
Cybersecurity
The Cyber Security and Resilience Bill will be brought before Parliament in the coming months to “strengthen the UK’s cyber defences”. This announcement follows the previous government’s consultation on updates to the UK’s Network and Information Security (NIS) Regulations, and the proposed changes set out in the government’s briefing note on the King’s Speech are broadly aligned with the EU’s recent amendments to its NIS Directive. However, ransomware is a priority for UK authorities following high-profile incidents affecting the National Health Service, Ministry of Defence and local councils, and the briefing note includes a hint that the government will go further than the EU NIS Directive amendments by requiring companies to report ransom incidents and payments.
Data Use
The Digital Information and Smart Data Bill will also be introduced, aimed at streamlining data use and sharing, including through new exemptions for scientific research and a new legislative regime for digital identity providers. The bill will restructure the UK’s privacy regulator and introduce “targeted reforms” to data laws to improve clarity. These “targeted reforms” will likely align with those set out in the Data Protection and Digital Information Bill that was proposed by the previous government but which were not finalised before the election.