The King’s Speech 2024: The new government’s vision for cyber security, data protection and AI

Following the Labour Party’s win in the recent UK general election, businesses in the technology space were keeping a close eye on its first King’s Speech to see what may transpire as the main legislative priorities for a new government keen to be seen as hitting the ground running.

Digital Information and Smart Data Bill

To some surprise, and given that the possibility of an AI-focussed bill had been widely trailed, data and cyber took centre stage.

Following the Data Protection and Digital Information (“DPDI”) Bill’s failure to make the previous government’s legislative “wash up” prior to the election, the new government has introduced a “Digital Information and Smart Data Bill” to progress with creating a regulatory framework fit for the modern digital environment. While it is difficult to discern the full scope of the new Bill from the background briefing notes, it appears to take a slightly different approach to the DPDI Bill, with the focus seeming to be on enabling the sharing of data to facilitate growth in the economy in a smoother and more secure way – rather than instigating a UK-oriented data protection Bill in the way the DPDI Bill was structured. 

Smart Data and Digital Verification Services

The emphasis on “Smart Data” delivering the secure sharing of customer data is retained where it strengthens and facilitates economic growth, alongside the use of data in providing digital verification services – which came under the second half of the DPDI Bill. The idea of smart data is designed to mean that organisations are able to share personal data across platforms and with third party providers – in effect, cross-sector data portability. This means that businesses and customers can benefit from smart data solutions (in much the same way as Open Banking has enabled customers to share their account data with third parties to facilitate banking payments). Equally, the implementation of digital verification services means that customers benefit from secure digital identities, enabling them to receive more secure online transactions and other services.

Strengthening the ICO

Perhaps the most notable feature of the Bill is its intention to strengthen the corporate structure of the ICO, which builds upon the earlier aims of the DPDI Bill.  This proposal is accompanied by some reforms to data protection legislation but is seemingly limited to where the government perceives such laws to be impeding the safe development and deployment of “new technologies”.  This is presumably a reference to AI although it is not entirely clear from the briefing note.

Cyber Security and Resilience Bill

The government is also proposing to update the UK’s existing cyber security legislative framework with the introduction of a new “Cyber Security and Resilience Bill”.

The notes suggest that the Bill will expand the remit of the existing legislation (principally the Network and Information Systems Regulations 2018), reflecting the way that the NIS regulations have been updated to NIS 2 Directive in the EU and with the aim of strengthening the UK’s cyber defences against the increasing cyber attacks across the UK’s essential services. 

The Bill also aims to expand the remit of existing regulations beyond essential services to include digital services and supply chains, which the notes highlight as an increasingly attractive threat vector for attackers (as the recent NHS attack in London on Synnovis acutely highlighted).

Other than noting the increased threat from cyber activity there is not a great deal of detail at this point. For example it is not clear if the new legislation will ban ransom payments which insurers may feel would discourage businesses from accessing cyber cover.  However, it is clear that protecting public services from cyber activity will be a priority for the new government to deal with.

AI

So what about AI?  In the absence of any reference to AI legislation, the Speech did reference the government’s intention to “place requirements” on those working to develop the most powerful AI models. Other than this, there was only a passing reference to using AI to strengthen “safety frameworks”. So despite the EU AI Act now coming into force imminently (from 2 August 2024), the government has, for now, resisted the legislative urge to take immediate action in this space, leaving the way for the ‘Principles on AI’ issued following the Bletchley Declaration to continue as the hand on the AI tiller for the time being.

Kennedys’ Data Risk and Privacy team will continue to keep a close eye on legislative developments in this space, but should you require any further thoughts or input on these issues in the meantime, please get in touch.

Related item: ICO call to arms – boost your cyber security and protect personal information