The details of the United Kingdom’s data protection reform plans are solidifying with the release of the first public version of the Data Protection and Digital Information Bill (DPDIB), and the government has accompanied this with a set of new proposals for AI regulation.
The new data protection reform bill is the first concrete shape of a new regulatory framework for the country as it breaks off from terms established under the EU’s General Data Protection Regulation (GDPR), emerging from a consultation process that ran for nearly a year. The new AI regulation proposals consist of six core principles that attempt to balance consumer and general safety concerns with the needs and wants of the UK’s $4.6 billion AI sector.
UK direction for data protection reform firms up with draft bill introduced to House of Commons
The new data protection reform bill is the next step in the UK’s gradual process of breaking entirely with the GDPR in the wake of “Brexit,” with the current governing Data Protection Act 2018 largely mirroring those terms. The UK government has expressed a desire to set terms that are more business-friendly, but has to walk a careful path to avoid being considered an “inadequate” data exchange partner by the EU due to lack of GDPR parity.
Initiated in September 2021, the data protection reform consultation process laid out numerous possibilities; the release of the DPDIB is the first clear sign of the government’s intended direction with the process. Minister for Media, Data and Digital Infrastructure Matt Warman said that maintaining EU data partner adequacy was a specific focus for the bill, but also touted an estimated £1 billion cost savings to the country’s businesses.
Isabelle Roccia, Managing Director Europe for IAPP, notes that this was a relief for those hoping that current GDPR adequacy would translate to adequacy under the new terms: “As the UK was consulting on its Data Protection reform, all eyes were focused on if the proposed changes would trigger a re-examination of the EU decision of adequacy to the UK. The business community had said all along that preserving adequacy should be a priority for the UK Government. The fact the proposed reform does not go as far as had anticipated is a sign of relief for many, at least for the time being. But Brussels will continue to look very closely and regularly at how the reform could tip the scale in the wrong direction.”
The data protection reform bill weighs in at 192 pages and is broken up into six main sections addressing data protection, digital verification services, business and customer data, other forms of digital information, oversight and regulation, and a set of final provisions. The content ends up sticking fairly close to what was found in the final remarks to the consultation, which were released in June. Requirements for cookie banner consent popups are to be eased for an assortment of “lower-risk activities,” as are personal data requirements for scientific research. But “robo-callers” and other nuisance advertisers face even stronger regulation, and consumers are promised a broader array of digital identity verification options that do not require sharing sensitive personal documents (such as photo ID) with apps and online services.
Ashley Winton, Partner at Mishcon de Reya and Chairman at UK Data Protection Forum, expands on some of these additional changes: “The devil, as they say, will be in the detail and hopefully that will be revealed shortly. We understand that the draft Data Reform Bill has been prepared by the DCMS and is currently with other government departments for comment. Of the changes proposed by the government’s response to the Data: a new direction consultation, some of the better ones are not in the text but can be found in the Annex. For example, the government proposes to amend the Privacy and Electronic Communications Regulations (PECR) to extend the soft opt-in for direct marketing to non-commercial organisations. This should allow charities and other not for profits to contact potential donors more easily in these times of strife. This is a welcome change. Another big change is also to PECR, with cookie banners to be ultimately replaced by browser preferences and an opt out regime. However, this will apply to some types of tracking and not others and may never apply to websites accessible by children. There is devilish complexity here, let’s see what the bill says.”
The Information Commissioner’s Office (ICO), the country’s lead regulatory body, would also be reformed. ICO enforcement powers and maximum fines would be increased, but the agency would also be allowed a longer time in which to assess a penalty after declaring a notice of intent. There would also be a renewed focus on the most serious threats, with “low level” complaints filtered by increasing requirements for data subjects to communicate with controllers before being allowed to file with ICO.
Noris Ismail, Global Data Privacy Consulting Leader for Breakwater and IAPP European Advisory Board Member, believes that this is only the first step in what will prove to be a long process: “Like any legislative reform globally, it’s the end of the beginning. It might ‘arguably’ take at least 3 years to achieve bi-partisan political and policy consensus. Whilst the U.K. is ambitious to position its reform distinctively as compared to the rest of the world, we’re intrigued with the ‘how to operationalise’ in practice and ‘how to minimise additional cost’ or ‘compliance fatigue’ for start-ups, small businesses, and mid-sized markets (pending the outcome of the Bill). Of course, it shall not be ‘perfect’ or flawless reform, but we anticipate British and global businesses regard this as progressive headway to balancing innovation, digital trust, data ethics and accountability as part of the board and investors’ strategic risk agenda. Time will tell when the time comes.”
New AI regulation proposals take on emerging market
The AI regulation proposals are a new element in a less developed stage than the data protection reform effort, and the plan at this point appears to be to adopt them as a separate bill enforced by the Competition and Markets Authority, the communications regulator Ofcom, the Financial Conduct Authority and the Medicine and Healthcare Products Regulatory Authority along with ICO.
Accompanying the AI regulation proposals is a policy paper that outlines the government’s planned general approach to the issue. Like the data protection reform bill, this is centered on six core principles: ensuring safe use of AI, embedding security by design in AI systems, making these systems transparent and explainable, considering fairness, ensuring organizations appoint an individual legally responsible for AI, and making clear what the avenues for customer redress are.
The paper also calls for a less centralized approach than the one adopted by the EU, proposing “regulatory sandboxes” as the primary approach to AI regulation. This is another area in which the UK government looks to walk a tightrope between public and private interests, as its AI technology market is the largest in Europe and the third largest in the world (behind the US and China). A study conducted earlier in the year sees UK businesses investing over £200 billion in AI by 2040. These moves follow the 2021 development of the National AI Strategy establishing long-term investment plans for the sector, which has already seen £2.3 billion put into it since 2014.
The next step for AI regulation in the country is a proposed AI White Paper that will examine how to put the core principles into practice and further develop a viable framework.