Follow us

Today saw the hotly anticipated first King's speech under a new Labour government. Whilst a new Digital Information and Smart Data Bill mopped up some of the elements of the failed UK data protection reform, we also saw a new Cyber Security and Resilience Bill come to the fore. But the missing AI Bill was one of the biggest surprises of the morning.

Digital Information and Smart Data Bill: Boomerang Britain?

Could we be set for 'boomerang Britain' as plans for a new Digital Information and Smart Data Bill (DISD Bill) seem to signal a return to some elements of the failed UK data protection reform?

The 22 May announcement of the UK general election stalled progress on the overhaul of the UK's data protection framework through the Data Protection and Digital Information Bill (DPDI Bill). This cast doubt over the much-touted shake-up that had been billed as the UK "forging its own path" in a post-Brexit age.

The King's speech and accompanying briefing notes provide some clarity around which elements of the DPDI Bill the Labour party will take forward. Similar to its predecessor, the DISD Bill purports to "harness the power of data for economic growth", by placing certain "innovative uses of data" on a statutory footing to accelerate innovation, investment and productivity across the UK. These include:

  • establishing a legislative framework around digital identity verification services – to support the creation and adoption of secure and trusted digital identity products and services from certified providers. This holdover from the DPDI Bill is unsurprising given Labour's expected drive for public sector digitisation, an area in which digital identity could play a supporting role; and
     
  • setting up smart data schemes, which enable the secure sharing of customer data with authorised third parties who can enhance the customer data with broader, contextual "business" data. Twinned with the digital identity proposals, it seems the Government is  looking to encourage the economic growth seen as a result of Open Banking across other sectors of the economy.

Other policy initiatives include:

  • transforming the UK's data protection regulator, the ICO, into a more modern regulatory structure (with a CEO, board and chair) with new and stronger powers;
     
  • "targeted reforms" to some data protection laws that maintain "high standards of protection" but make improvements where there is currently a lack of clarity impeding the safe development and deployment of new technologies. It will be interesting to see how much of the DPDI Bill proposals are retained - for example the proposed relaxation of the automated decision-making provisions under Article 22 UK GDPR. Either way, the Government's hands are likely to remain tied to ensure the UK maintains its EU adequacy status; and
     
  • enabling more and better digital public services, by making changes to the Digital Economy Act to help the Government share data about businesses that use public services.

The devil will be in the detail around the true impact of these proposals for organisations. That said, for now, the status quo remains and data protection in the UK continues to be governed by a combination of the UK GDPR, Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003. It also seems likely that the DISD Bill will complement and sit alongside this existing framework (rather than replace it), as was the case for its predecessor. 

In what appears to be a move to align with the proposed EU Cyber Resilience Act, the briefing notes also refer to a new Cyber Security and Resilience Bill. The Bill is intended to strengthen the UK's cyber defences and ensure the security of critical infrastructure and the digital services on which companies rely. For further details please refer to our separate blog here.

The gaping hole: The AI Bill

In a dramatic turn of events, a much hyped specific "AI Bill" was missing from the 40 policy bills set out in the briefing notes. This was particularly surprising given that the King's Speech itself referred to the Government seeking to "harness the power of artificial intelligence as we look to strengthen safety frameworks", as well as "establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models".

It is unclear whether the latter is intended to refer to the proposals set out in Labour's manifesto to introduce " binding regulation on the handful of companies developing the most powerful AI models and by banning the creation of sexually explicit deepfakes". If so, this could have been a nod to future targeted requirements which the previous government envisaged around the most advanced highly capable general purpose AI systems (such as large language models). It is also not dissimilar to the "general purpose AI models" categorisation under the EU AI Act (particularly those with "systemic risk").

Alternatively, the references in the King's Speech might, instead, allude to placing the existing AI Safety Institute on a statutory footing. Either way, it sounds like we will be kept guessing a little longer around the UK's approach to regulating AI. However, the current lack of detail risks fostering uncertainty, reducing confidence, and deterring investment in the UK market.

The King's speech does, however, also refer to the Government seeking "to reset the relationship with European partners and work to improve the UK's trade and investment relationship with the European Union". This could influence a broad range of policy areas such as digital regulation and make divergence from the EU unappetising.

With AI evolving so rapidly, developing appropriate legislation is a difficult balancing act. Although a UK version of the EU AI Act is not expected anytime soon, the Government will need to balance the challenge of organisations complying with fragmented international laws against the risk of deterring innovation and investment through over-alignment. Any new AI legislation will mark a more interventionalist approach and a significant departure from the previous government's "wait-and-see" approach, demanding careful management to unlock growth and accelerate Britain’s progress.

Related categories

Key contacts

Miriam Everett photo

Miriam Everett

Partner, Global Head of Data Protection and Privacy, London

Miriam Everett
Alexander Amato-Cravero photo

Alexander Amato-Cravero

Director, Emerging Technology (Advisory), London

Alexander Amato-Cravero
Claire Wiseman photo

Claire Wiseman

Professional Support Lawyer, London

Claire Wiseman
Miriam Everett Alexander Amato-Cravero Claire Wiseman