There were significant developments for the world of data, privacy and cyber in the King's Speech on 17th July, although, notably, not quite the developments that had been anticipated.
The King's Speech sets out the legislative agenda of the new Government with details contained in the speech itself, supplemented by the background briefing notes. The speech indicates the Government's priorities but is silent on the specific timing of the Bills mentioned.
Our data, privacy and cyber experts have identified some of the implications of what is known about the proposals below:
AI – "appropriate legislation", no specific AI Bill
"Artificial intelligence" is referenced only twice in 104 pages of background briefing notes and neither reference suggests a specific AI Bill will progress. Instead, comments focus on the Government's intention "to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models."
Many have been surprised by this lack of clarity, intention and detail, which is perhaps intended to leave the Government with more time to fully develop its approach to policy in a complex and rapidly developing area.
Digital Information and Smart Data Bill
Conversely, specific reference to a new "Digital Information and Smart Data Bill" was included. This Bill is intended to harness, develop and deploy new innovative uses of data, which will help deliver on the Government's commitment to better serve the British public through science and tech.
Readers will recall that efforts to pass the Data Protection and Digital Information Bill (DPDI Bill) were thwarted by the General Election. Many commentators suggested that the DPDI Bill would be banished to history. However, the King's Speech indicates that elements of that now-abandoned draft will form part of the new Bill.
The Bill is stated to:
- Establish Digital Verification Services, which support creation and adoption of trusted digital identity products and services. In addition, these services lessen the risk to business by reducing time, costs and data leakage.
- Develop a National Underground Asset Register, a digital map enabling the installation, maintenance and operation of underground pipes and cables through secure and standardised data access.
- Set up Smart Data schemes, which enable the secure sharing of a customer's data to authorised third-party providers when requested by the customer (similar to the Open Banking regime).
- Update the Digital Economy Act to help the Government share data about businesses that use public services.
- Assist scientists in using existing research by allowing them to ask for broad consent for areas of scientific research and allow researchers in commercial settings to make equal use of the Government's data regime.
- Modernise and strengthen the ICO, with a new structure implemented, and stronger powers. Targeted reforms of existing data law will be conducted to maintain high standards of protection where a lack of clarity is preventing new technologies being deployed; and
- Establish a Data Preservation Process that coroners can use to access information needed to support their investigations into a child's death.
Cyber Security and Resilience Bill
This Bill aims to "strengthen UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure." Essential public services and infrastructure have been subject to recent hostile cyber-attacks, and there is a need "to take swift action to address vulnerabilities and protect our digital economy to deliver growth."
The UK's existing legislation on protecting essential public services and infrastructure (the NIS Regulations) has been in place for several years, reflecting inherited law from the pre-Brexit European Union. The existing regulation covers five sectors (transport, energy, drinking water, health and digital infrastructure) and digital services including online marketplaces and search engines.
The EU has now implemented an updated version (the NIS 2 Regulation), which Member States have until 17 October 2024 to transpose into national law. Plans to similarly update the NIS Regulations in the UK have been afoot since the previous Government confirmed that updates would be made to the regulations. The Bill should finally put these in place.
It is particularly interesting to see a number of proposed novel items that extend beyond the expected NIS 2 elements:
- Extending the scope to include supply chains (as illustrated by the ransomware attack on a London hospital pathology supplier, which caused interruption to hospital services).
- Potential cost recovery elements for regulators. The regulators are not specified, and the ICO is already entitled to retain a £7.5m litigation pot from the fines that it issues, but the recovery of a regulator's costs would be a novel approach (and raises interesting insurance questions about the insurability of liability for regulators' costs rather than fines).
- Mandatory cyber incident reporting, including ransomware. Expanding the scope of organisations that have to report would fill the gaps in current legislation where only certain types of attacks impacting data subjects or in certain regulated sectors are reported.
Alignment with the European Union
The speech also specifically states that the Government "…will seek to reset the relationship with European partners and work to improve the United Kingdom's trade and investment relationship with the European Union", which could be interpreted to mean pursuing a legislative agenda that is more aligned (and certainly not at odds) with that in the EU across data, privacy and cyber issues.
If you wish to discuss anything relating to the King's Speech or data, privacy and cyber issues, please contact the authors.