Major changes to legislation concerning data usage are on the horizon. In 2021, the European Commission unveiled its digital strategy, outlining various laws that will impact digital technology and data. Despite the UK's departure from the EU, its businesses operating in the digital economy will likely be affected, given the extraterritorial reach of most proposed legislation. Furthermore, the UK government has also expressed its intention to introduce new data-related laws, indicating significant shifts in data regulation on both the European and national levels On March 29, 2023, the UK government published a white paper on artificial intelligence (“AI”) entitled “A pro-innovation approach to AI regulation.” The white paper sets out a new “flexible” approach to regulating artificial intelligence which is intended to build public trust in AI and make it easier for businesses to grow and create jobs.
In the UK, there is no comprehensive AI law. Instead, developers, deployers, and users follow a patchwork of existing rules, including cross-cutting frameworks like human rights, equalities, and data protection laws, as well as domain-specific regulations such as those for medical devices.
In contrast to the EU's rules-based approach to AI governance, the UK proposes a sector-based regulatory framework rooted in institutions and the existing regulatory regimes. This approach relies on two main elements: AI principles, like those from the OECD, which regulators will implement, and new 'central functions' to support them.
The AI principles provide instructions to regulators, specifying desired outcomes for AI use within their domains, are (1) “safety, security and robustness”, (2) “appropriate transparency and explainability”, (3) “fairness”, (4) “accountability and governance”, and (5) “contestability and redress”.
The 'central functions' aim to offer cross-cutting support to regulators, facilitating a common understanding of AI risks, anticipation of future developments, improved coordination, and enhanced regulatory capacity. Initially, the government, in collaboration with regulators and other AI actors, will oversee these functions.
This UK approach presents a more challenging regulatory task compared to other international legislators since achieving policy outcomes in a devolved or distributed manner is often more complex than relying on a single accountable institution.
On March 29, 2023, the UK Information Commissioner's Office ("ICO") published updated Guidance on Al and data protection (the "Guidance") following “requests from UK industry to clarify requirements for fairness in Al'. Al has been a strategic priority for the ICO for several years. This highlights the evolving landscape of data governance and the potential implications for businesses and individuals alike.
On 8th March 2023, the UK Department for Science, Information, and Technology (DSIT) unveiled the Data Protection and Digital Information (No.2) Bill, aiming to amend the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR"). The new Bill promises to create a UK version of the EU's GDPR with a common-sense approach, reducing costs and burdens for businesses, promoting international trade, and minimizing repetitive data collection pop-ups online. The reforms are projected to save the UK economy £4.7 billion over the next decade, though the calculation method is not specified.
This new Bill follows the previous Data Protection and Digital Information Bill from July 2022, which was paused in September 2022 for a co-design process with business leaders and data experts. It was then replaced by the current Bill, which retains many proposals from the original one.
Key elements remaining unchanged include an amended definition of personal data, handling vexatious data subject requests, improvements in data subject complaints handling, and changes in data protection officer requirements. Additionally, there will be new leaner assessments for high-risk data processing, a revised approach to international transfers, and transformation of the Information Commissioner's Office into the Information Commission.
The new Bill introduces some modifications compared to the previous one. Notably, the definition of scientific research is expanded to include research for commercial purposes, allowing for broader consent mechanisms. The concept of legitimate interests is clarified, with a non-exhaustive list of cases where organisations may rely on this legal basis, including direct marketing and network security. The restrictions on automated decision-making now consider the relevance of profiling in the assessment of meaningful human involvement. Records of Processing Activities (ROPA) are exempted for most controllers and processors, except for those engaged in high-risk processing.
While concerns about the UK's adequacy status have been raised, impacting data flow between the UK and EU, many believe that the Bill's changes will not significantly affect the UK GDPR's core structure and obligations. Organisations already complying with the UK GDPR are not expected to make substantial adjustments.
The new Bill is currently at the first reading stage, with the second reading scheduled to take place within the next few weeks. It is anticipated to be passed in a form like its current version and come into effect later this year.
The Digital Markets, Competition, and Consumers Bill (DMCC) was introduced in the House of Commons on 25 April 2023. It aims to cover two main topics: (a) digital markets and proposed competition law reforms; and (b) new consumer rights and proposed reforms of consumer law enforcement. The law will have an extraterritorial application and apply to 'digital activities' with a significant connection to the UK.
Overall, the DMCC addresses concerns regarding digital market competition and enhances consumer rights protection and enforcement.
The Online Safety Bill is a new set of laws to protect both children and adults online. It holds social media companies legally responsible for users' safety on their platforms. For children, it mandates the removal of illegal and harmful content, enforces age limits, and enhances transparency and reporting mechanisms. For adults, it provides tools for content control and protects them from illegal and harmful material. The Bill addresses various illegal and harmful content, and social media companies will be required to keep underage children off their platforms using age verification technologies. The proposed act does not enable individuals to bring claims, but rather focuses on transparency and accountability mechanisms, obliging companies to undertake various risk assessments and to have processes in place to reduce or eliminate certain types of content. Ofcom will regulate and enforce the Bill, with penalties for non-compliance. Ofcom will have a range of regulatory powers under the bill. At the top end, it will be able to impose fines of up to £18m, or 10% of global turnover whichever is greater or apply to court for business disruption measures (including blocking non-compliant services). The Bill's impact extends to international companies accessible to UK users. Once enacted Ofcom have between 6-18 months to produce guidance and recommendation for secondary legislation.
The upcoming data protection laws in the UK signify a major shift in the regulatory landscape, with significant implications for businesses and individuals alike. The UK's approach to AI regulation, based on existing legal frameworks and five guiding principles, reflects an effort to strike a balance between innovation and public trust in artificial intelligence.
The Data Protection and Digital Information (No.2) Bill, introduced to amend the UK GDPR and related regulations, aims to create a UK version of the EU's GDPR with a common-sense approach. While concerns about the UK's adequacy status have been raised, it is believed that the changes in the Bill will not substantially affect the core structure and obligations of the UK GDPR for organisations already complying with it.
The Digital Markets, Competition, and Consumers Bill (DMCC) seeks to address competition issues in digital markets and enhance consumer rights protection and enforcement. It introduces a new regulatory regime for designated undertakings in specific digital activities linked to the UK, subjecting them to higher accountability and transparency requirements. The DMCC also includes provisions to prohibit unfair commercial practices and protect consumers in subscription contracts and consumer saving schemes.
Furthermore, the Online Safety Bill aims to protect both children and adults online, holding social media companies accountable for users' safety on their platforms. It requires the removal of illegal and harmful content, enforces age limits, and enhances transparency and reporting mechanisms. Ofcom will regulate and enforce the Bill, with the ability to impose fines and business disruption measures for non-compliant services.
Overall, these upcoming data protection laws and regulations demonstrate the UK's commitment to adapting to the digital era while safeguarding individual rights and fostering fair competition. As these laws come into effect, businesses operating in the UK's digital economy will need to stay abreast of the changes and ensure compliance to navigate the evolving data protection landscape successfully.