Not making the cut

On 22 May 2024, the surprise call for a General Election triggered a short "wash-up period" allowing the Government to enact legislation that was essential or subject to minimal debate before Parliament was dissolved on 24 May 2024. The short list of priority legislation that was hurried through during this period did not include the UK's "reform" of its data protection framework through the Data Protection and Digital Information Bill (DPDI Bill).  

As such, the DPDI Bill did not pass through the House of Commons and House of Lords; it was therefore not enacted and now cannot be carried over to the next Parliament.

In the words of the Liberal Democrat peer Lord Clement-Jones, the DPDI Bill is now "as dead as a dodo".


UK Data Reform: A case of the Emperor's new clothes?

Whilst the reform was originally premised on the UK "forging its own path" in a post-Brexit age, subsequently it has also been suggested that the DPDI Bill was unlikely to give rise to as significant a divergence from the existing data protection framework in practice as initially envisaged – particularly for organisations operating across a multi-national footprint.

The reform was originally touted by the UK Government as ushering in a "golden age of growth and innovation" through its initial Consultation Paper "Data: A new direction" back in September 2021. A number of the changes to the UK GDPR set out in the subsequent DPDI Bill attracted criticism from privacy activists alleging that the proposals "watered down" data subject rights and safeguards – for example, proposals to amend (and arguably relax) rules around decisions made about individuals by solely automated means, and replace the requirement to conduct data protection impact assessments with the less prescriptive "assessment of high risk processing". However, others have suggested that the proposals under the new regime were much less of a departure from the current EU GDPR framework than had initially been anticipated.

It is also worth bearing in mind that the proposed changes would only have applied to the UK GDPR, therefore organisations that operated across both an EU and UK footprint would have needed to comply with both the EU GDPR and UK GDPR (as amended by the DPDI Bill). Given that the majority of the proposals under the DPDI Bill slightly relaxed the rules that currently apply under the EU GDPR framework, it is very likely that these multi-jurisdictional organisations would have just continued to apply the higher EU “gold standard” anyway across all jurisdictions for consistency and efficiency across their international compliance programme.


What does this mean for data protection compliance now?

The status quo therefore remains for now - with data protection in the UK continuing to be governed by a combination of the current:

  • UK GDPR (the retained EU law version of the EU GDPR by virtue of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019)
  • Data Protection Act 2018 (which introduced the GDPR into English law and repealed and replaced the Data Protection Act 1998) and
  • Privacy and Electronic Communications (EC Directive) Regulations 2003.

This is arguably no bad thing from the point of view of the UK maintaining its EU adequacy status in the face of any proposed data protection reform - an issue that tied the Government's hands throughout the reform process and led to the House of Lords European Affairs Committee's recent inquiry into data adequacy and its implications for the UK-EU relationship.

Although adequacy does not require a carbon copy replica of the EU GDPR framework and the Government's proposed DPDI Bill did not represent as drastic a divergence from the EU GDPR as it could have (perhaps as a result of this consideration), revocation of the UK's adequacy status was nonetheless a risk that the Government needed to keep an eye on as part of the proposed reform process. The repercussions of loss of adequacy status are significant - increased costs to organisations of using alternative international data transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK. A scenario that both the EU and the UK will want to avoid.


Would a Labour Government resurrect the reform?

In the absence of Labour's manifesto, the party's position is not yet clear. Whilst Labour has not broadly opposed the DPDI Bill, reform of the UK GDPR seems unlikely to be a high priority for a Labour Government in the immediate term.

According to Global Counsel's Top in Tech podcast, such a reform is also no longer likely to be politically attractive. In part, this is because of the expectation that Labour wants to prioritise "recalibrating" UK – EU relations, which could influence a broad range of policy areas such as digital regulation and make divergence from the EU data protection framework unappetising (alongside the adequacy status considerations above).

Access Partnership Senior Policy Manager, Mike Laughton, has stated it is "reasonable to expect" the DPDI Bill "to return in some form". If so, it is not clear whether this would be in the form of a new revised data bill or as part of a broader digital package. In fact, Lord Clement-Jones has said that Labour plan a "digital bill in the autumn on entirely different lines" including artificial intelligence.

The extent to which a Labour Government would take forward certain elements of the DPDI Bill also remains uncertain at this stage. Among other initiatives, the Bill sought to put digital identity verification services onto a statutory footing. It seems possible that this may be an example of one of the elements a Labour Government may look to retain going forward – not least given the amount of time and money expended by both "Labour Together" and the "Tony Blair Institute for Global Change" on this topic, as well as Labour's expected push on public sector digitisation, an area in which digital identity could play a supporting role.


What would a Labour Government mean for the regulation of AI in the UK?

Labour has, however, been a little more vocal about the regulation of artificial intelligence.

The current Conservative Government proposed an adaptable, pro-innovation, sector-led approach to regulating AI, empowering existing regulators to create targeted measures in line with five common principles tailored to the risks posed by their different sectors. The Government has adopted a "wait and see" approach; however, it has also acknowledged that legislative action will be required once the risks associated with the technology have matured.

Indeed in a House of Commons Science, Innovation and Technology Committee Report published last week, the Committee examined the current state of AI governance and preparedness ahead of the upcoming General Election. The Report made it clear that "the next Government should be ready to legislate on AI if it encounters gaps in the powers of any of the regulators [under the current approach] to deal with the public interest in this fast developing field". For further information see our blog posts here and here.

Whilst Labour's official policy on AI is currently relatively light, a growth paper on AI is expected to provide further clarity in the summer. That said, the party is thought to view the existing voluntary light-touch approach as inadequate. This has been reiterated by Shadow Secretary of State for Science, Innovation and Technology, Peter Kyle, when back in November 2023 he highlighted that the Bletchley AI Summit was an opportunity for the UK to "lead the global debate on how we regulate this powerful new technology for good. Instead the Prime Minister has been left behind by US and EU who are moving ahead with real safeguards on the technology". He has also voiced concerns specifically around disinformation and deepfakes.

It therefore seems possible that a Labour Government could look to take a more pro-regulation approach to AI, perhaps aligning the UK's approach to some extent with that of the EU (where the comprehensive functional risk-based EU AI Act is due to come into force later this month) - not necessarily a bad thing given the challenge for multi-national organisations looking to comply with the current fragmented international landscape around the regulation of AI. For further information see our blog here.

Whilst there is thought to be divergence between the "Left" and "Right" within the Labour party around regulating AI, an approach more aligned with the EU is thought to go some way to reconcile those differing concerns. In particular, aligning AI policy with the EU would satisfy the "Left" through legislative actions and legal scrutiny models that support workers' rights, as well as benefit the "Right" by simplifying market access for UK-based AI companies within the EU.

Turning the spotlight on technology and AI in the workplace: in its 24 May 2024 document "Labour's Plan to Make Work Pay", Labour has also pledged to examine how to promote best practice in safeguarding against the invasion of privacy through surveillance technology and discriminatory algorithmic decision making and, "at a minimum", to require consultation and negotiation with unions or elected employee representatives before employers introduce surveillance technologies. The party will also no doubt face pressure from the Trades Union Congress (TUC) to progress legislative reforms contained in the TUC's recently published "ready-to-go" draft Artificial Intelligence (Regulation and Employment Rights) Bill, which adopts a similar risk-based approach to that in the EU's AI Act.

Labour has also proposed creating a "Regulatory Innovation Office" (RIO) "to improve accountability and promote innovation". Whilst further information around its focus is not currently clear given the lack of detail around Labour's tech policy, it is thought that the RIO would work across Whitehall and the existing regulatory infrastructure to accelerate the adoption of new technology, among other aims.


Impact of a Labour Government on existing legislation

There are several pieces of UK legislation governing digital regulation that have already received Royal Assent and will now embark on the implementation process. These include the very recently enacted Media Act 2024 and Digital Markets, Competition and Consumer Act 2024 through the "wash-up" process, as well as the likes of the Online Safety Act 2023 which came into force last year (and under which Ofcom has already published two phases of consultations). One of the main impacts of a Labour Government on the implementation process is likely to be around the timing for finalising and approving any secondary legislation or codes of practice envisaged under each of the legislative frameworks. Given a new Labour Government will have its own proposals for legislation, it seems likely that it may want to dedicate more time and resource to its own priorities, compared to implementing the legacy of a previous Government (for example through secondary legislation). This may lead to delays in the overall timetable for implementation.


What to expect next?

We expect each of the political parties to publish their manifestos in the coming days and we will then provide a related update. Each manifesto will set out its party's policy and long-term plans for the country, which are likely to give a better indication of the impact of a change in government on data and digital regulation. That said, it may still be difficult to ascertain the timing and relative priority of policies within the manifesto itself, as well as the detail around any of the proposals.

Key contacts

Miriam Everett

Partner, Global Head of Data Protection and Privacy, London

Claire Wiseman

Professional Support Lawyer, London

Duc Tran

Of Counsel, London

Alexander Amato-Cravero

Director, Emerging Technology (Advisory), London
