July 22, 2024

What does Labour’s ‘Change begins’ spell for privacy, cybersecurity and AI?

In the past month, there have been two major elections in Europe, in the UK and in France. Whilst the US gears up for its own electoral showdown and the dust settles in France (and we wait to find out what the government there will look like), we know that in the UK, after 14 years, Britain has a Labour government and a new Prime Minister. Sir Keir Starmer has promised ‘Change begins’, so whilst he gets to grips with his new job, we take a look at the changes we can expect for privacy, cybersecurity and AI under the new Labour government.

Data Protection and Privacy

Legislative reform

One of Labour’s priorities must be deciding what, if anything, to do about data protection reform. The Data Protection and Digital Information Bill (DPDIB), introduced under the Conservatives, was designed to change aspects of current UK data protection legislation (which tracks the European Union’s General Data Protection Regulation (GDPR)) to make compliance less onerous for UK businesses. For example, it would have removed the requirement to have and maintain a record of processing activities and watered down the requirements for the appointment of a data protection officer and the completion of data protection impact assessments. The DPDIB failed to make it through the ‘wash-up’ (the efforts after an election is called when the incumbent government tries to hustle through proposed bills before government is dissolved) and whilst the DPDIB enjoyed cross-party support, so far, Labour has been silent on its resurrection, and on any other significant data protection reform. It is possible that Labour may introduce a new bill, but how closely it might track the DPDIB is up for debate. In particular, questions have been raised as to the UK’s ability to maintain its adequacy decision in the eyes of the EU Commission if any legislative changes resulted in the UK offering a materially different level of data protection. Given that the EU Commission will review and determine whether the UK should maintain its ‘adequacy’ status by next June, it is unlikely that Labour would take steps that would jeopardise that. That, plus the fact that Labour has bigger fish to fry in its first year in office, means we are unlikely to see divergence away from the status quo, for the time being at least.

One piece of legislation we can expect to hear more about in the near future is the Digital Information and Smart Data Bill (DISDB) that was included in the King’s Speech on 17 July in which the list of bills that form Labour’s legislative program for the next few years was set out. The DISDB is intended to enable new and innovative uses of data to help boost the economy; for example, it will include smart data schemes that will allow for secure sharing of customer data upon request with authorised third-party service providers; include measures to modernise and strengthen the Information Commissioner’s Office (ICO); and introduce a ‘digital ID’ which can be used to buy age-restricted products and for pre-employment checks.

Data Centres

Labour states that technology is at the heart of its missions and a fundamental tenet of its manifesto was the unblocking of ‘tech barriers’. In the manifesto, Labour pledged to help ‘kickstart economic growth’ and ‘support the development of the AI’ sector by reforming the planning regime with regards to data centres (the physical facilities that house IT systems used for large-scale computer processing and data storage), which should help address the current shortage. Indeed, Labour appears to have started as it means to go on: Deputy Prime Minister Angela Rayner recently stepped in to recover two giant data centres on green belt sites in Buckingham and Hertfordshire, which had previously been rejected by local councils. Updating the outdated planning framework to accommodate the demands of modern digital infrastructure will be critical if the UK is going to meet the growing demand for cloud computing and fulfil its AI ambitions.

National Data Library

Labour has proposed the formation of a National Data Library that will collate and centralise the nation’s existing research programmes and data to enhance scientists, researchers, academics and developers’ access to public sector data. It is anticipated that the pooling and access to such data will help to attract talent to, and encourage investment in, the UK as well as help to drive technological innovation and provide opportunities for the government to deliver ‘data-driven’ public services.

Artificial Intelligence

Legislation

In contrast to the EU’s stance on AI regulation, which resulted in the enactment of the EU AI Act (which applies a risk-based approach to the development, deployment and use of AI in the EU (or when it will affect people in the EU) and comes into force in August 2024), the Conservative approach to AI regulation was more ‘hands-off’ in flavour and demonstrated a reticence to press for legal controls in the development of AI models for fear of smothering innovation and industry growth with red tape and burdening industry with hefty compliance costs.

Conversely, we can expect Labour to be more proactive in this space; indeed, Labour was explicit in its manifesto that to ‘ensure the safe development and use of AI models’ it would introduce ‘binding regulation on the handful of companies that are developing the most powerful AI models’. If we take Labour’s statement at face value, it is unlikely its regulation will go as far as the EU’s. For example, the EU AI Act applies to many different types of actor in the AI value chain, including providers, deployers, importers, manufacturers, distributors etc., whereas the current position from Labour appears to be limited to those developing AI (although of course this could change) and to the ‘most powerful AI models’, which might align with ‘high-risk’ models under the EU AI Act, but sounds like it echoes more closely the US AI Executive Order where certain restrictions and regulations will only apply to AI models that perform above a certain number of calculations per second, essentially ensuring that the regulations only capture the biggest large language models. Either way, it’s clear that Labour has a challenge ahead in maintaining an environment in which the UK can thrive in the dynamic AI sector, whilst balancing the increasing need for specific legislation to address the considerable risks and novel harms that come with the rapid advancement of complex AI technology.

Somewhat unexpectedly then, an AI bill was not included in the King’s Speech. Labour has maintained that it intends to ‘establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models’, but for now at least, has postponed the introduction of a specific bill. Whether this is because the draft legislation is undercooked or because there is more work to be done in deciding how to progress the regulation of new technologies in a manner that does not stymie innovation, remains to be seen.

Regulatory Innovation Office

Labour has proposed a Regulatory Innovation Office to consolidate strategic regulatory planning, including in relation to AI and tech, into one central body, with the aim of promoting transparency, accountability and perhaps most importantly, consistency, as well as improving efficiency in decision-making and approval processes for innovative products and services. No doubt this will come as welcome news to the existing regulatory bodies, such as the ICO, Competition and Markets Authority, Financial Conduct Authority, Ofcom etc., that were tasked by the Conservative government with broadening their remit to include developing sector-specific AI guidance and taking enforcement action. Critics of this approach maintain that reliance on these bodies’ experience, power and capacity (as regards AI) alone is inadequate, so the proposal for a dedicated cross-sector body that will support such regulatory bodies and develop AI legislation should go some way to plugging the gaps that inevitably arise in a purely sectoral focused approach.

Mandatory AI safety testing

The AI Safety Institute (AI SI), established under the Conservatives, is comprised of AI experts who conduct assessments and rigorous testing of AI model capabilities, as well as the effectiveness of their safeguards, so that risks can be identified and mitigated before they are commercialised or otherwise made available. Currently, such assessments are voluntary, but Labour has indicated that it intends to make the voluntary assessment mandatory for certain types of AI models and oblige larger organisations to share required data with the AI SI, by placing the assessments on a statutory footing. It is hoped that in doing so, policy makers will be better informed and better equipped to design a suitable regulatory framework that keeps pace with the accelerated rate of innovation in this space, as well as addressing the new and complex risks that AI technology presents.

Cybersecurity

The cybersecurity threat landscape is constantly evolving. The rapid developments in AI further contribute to the volume, and heighten the impact, of cyberattacks. AI lowers the barrier to entry for novice cyber criminals, making it easier and faster for bad actors to conduct reconnaissance and social engineering, as well as making the analysis of exfiltrated data to identify high-value assets more efficient. Critical national services and infrastructure continue to be a target for cyber criminals. The ransomware attack on Synnovis, a pathology partnership between certain NHS trusts and SYNLAB, resulted in a major IT incident for the NHS, a significant reduction in its capacity to process samples and the cancellation of over 6000 appointments and operations.

It is then unsurprising that Labour introduced the Cybersecurity and Resilience Bill (CRB) in the King’s Speech. The CRB will introduce requirements and powers similar to the EU’s proposed Cyber Resilience Act to report incidents such as ransomware attacks, so that more intelligence on such attacks impacting British businesses can be gathered and utilised. The CRB will give greater powers to regulators to require organisations to implement cybersecurity defences and will include new rules designed to protect critical national infrastructure from attackers. Nevertheless, again Labour will need to ensure that the balance is struck between building the UK’s cyber resilience and burdening organisations with overly prescriptive and costly requirements.
