Now that 2024 is well and truly underway, our Technology & Digital team highlight the top tech themes that look set to shape the rest of the year and beyond. They cover topics ranging from AI regulation and governance to data reform and product and cyber security.

If you have queries about any of the top tech themes discussed below, or need further advice or assistance, please get in touch with Sally Mewies, Luke Jackson or one of our Technology & Digital experts.

Without any further ado – let's get started.

Theme #1: A legal framework for AI – clarity at last?

Concrete developments in AI regulation are just around the corner.

European Union AI Act

In December 2023, political agreement was reached on a landmark EU AI Act, described as the world's first comprehensive legal framework on AI. The Act is expected to be finalised in April 2024 and we'll be reporting on its key features and what the Act means for businesses here in the United Kingdom. An AI Liability Directive, which complements the Act, is due to follow.

The UK AI position

The UK, meanwhile, confirmed a different path when it finally published its response to last year's white paper on AI regulation.

Rather than introduce specific AI legislation or create a single AI regulator, the plan is to empower the existing regulators to manage the risks associated with AI systems in the sectors and areas they regulate. This context-specific approach relies on collaboration between the Government, regulators and business.

The next major flurry of activity is in the spring, including the regulators outlining their strategic approach to AI, and publication of updated guidance on the use of AI in HR and recruitment. We're expecting the regulators to start issuing best practice guidance in the months that follow.

In its recently published report into large language models (the technology that ChatGPT is based on) and generative AI, the Communications and Digital Committee warned that the Government's approach has become too focused on a narrow view of AI safety and the UK will miss out on a potential "AI goldrush" without a more positive vision.

The Government recently announced a new AI Opportunity Forum to boost adoption of AI in the private sector. Bi-monthly meetings will be held.

Partnership, particularly between regulators, will continue to be a defining theme. The Digital Regulation Cooperation Forum is set to launch a new pilot scheme in the spring. It will provide tailored responses to innovators on how to meet regulatory requirements for digital tech and AI.

This cooperative approach will be important for businesses having to get to grips with an increasing number of overlapping rules in areas such as AI, data, and cyber security.

International collaboration and frameworks

While there's a divergent approach to AI regulation nationally (the United States are also doing their own thing), we expect international collaboration to continue in earnest, including through bodies like the United Nations and G7.

Following on from last November's AI Safety Summit, the Republic of Korea is due to co-host a mini virtual summit in May 2024, with France hosting the next in-person event in November 2024. This is very much a continuing dialogue, as our understanding of the risks associated with certain AI systems evolves.

AI and disputes

A note on AI and dispute resolution. As a jurisdiction, England and Wales has been at the forefront of developments in relation to emerging tech for a while now, and we expect that to continue with AI. The Courts and Tribunals Judiciary recently published guidance to assist judicial office holders in relation to the use of AI.

In both the courts and the arbitration community, we can certainly expect the discussions around the risks and practical use cases of AI systems to intensify.

AI governance

"After all the hype surrounding AI in 2023, we expect 2024 to be the year when businesses get down to the basics of deciding what AI systems they want to deploy, including generative AI systems, and implementing their approach to AI governance."

Sally Mewies, Head of Technology & Digital

Attention is likely to turn to the implementation of AI policies and procedures, and the rollout of staff training programmes.

Consideration will need to be given to contractual arrangements, not only with the providers of AI systems but also with other commercial parties (for example, around AI use and labelling).

One area where we're hoping for some clarity is around the intellectual property implications of training and using AI systems. As well as developments in case law, progress was expected on a voluntary code of practice on copyright and AI. The Government confirmed in its white paper response that a working group has been unable to agree an effective code. Ministers will now lead a period of engagement with the AI and rights holder sectors. Watch this space.

With AI technology rapidly evolving, businesses will need to keep on top of the latest changes and adapt their approach accordingly, maintaining flexibility. And with the overlap between AI and issues of data management and information security, and ESG responsibilities, having a leadership team in place that can pull all of those strands together will be key.

Theme #2: Data reform and guidance

Next in our top tech themes – movement on data reform.

Last year finally saw the introduction of a Data Protection and Digital Information Bill aimed at seizing on post-Brexit freedoms. It's designed to amend, rather than replace, existing data protection laws.

Proposed reforms include:

  • Changing rules around data subject access requests (DSARs), cookie pop-ups and the restrictions on solely automated decision making.
  • Streamlining data controller and processor obligations.
  • Introducing a framework for provision of digital verification services.
  • Enabling smart data schemes.

We also expect certain changes to be made to the Privacy and Electronic Communications Regulations 2003 (PECR) to align them with the UK GDPR.

There are some concerns that instead of reducing barriers for business, the Bill will introduce complexities and threaten EU-UK data adequacy.

The Bill could become law by spring, but this depends on how quickly it moves through the House of Lords stages.

"In a significant development, the Information Commissioner's Office (ICO) recently launched a consultation series on generative AI. We can expect to see these consultations throughout the first half of 2024, hopefully leading to concrete guidance on issues such as the training of generative AI models and the accuracy of generative AI outputs."

Andrew Northage, Partner, Regulatory & Compliance

We're also expecting ICO guidance on:

  • Anonymisation and pseudonymisation.
  • Biometric data.
  • International transfers.

In the case of international transfers, we expect guidance on the international data transfer agreement and UK addendum to the EU standard contractual clauses.

And with the ICO warning organisations to proactively make advertising cookies compliant with data protection law, we may see further action in this area in 2024. Keep your eyes peeled.

The ICO recently published the second edition of its Tech Horizons Report, identifying further technologies that it believes may have a particularly significant impact on our societies, economies and information rights in the next two to seven years. They include immersive virtual worlds, neurotechnologies, quantum computing and the commercial use of drones.

Meanwhile in Europe...

Over in Europe, the Data Act has just entered into force and will apply from September 2025.

Affected businesses will be using 2024 to prepare for implementation. Among other things, manufacturers will have to design their products in a way that allows both business and consumer users to take full advantage of the data created while using connected devices.

Which takes us neatly on to the next of our top tech themes...

Theme #3: A continued focus on product and cyber security

Product security – a new UK regime

From 29 April 2024, manufacturers, importers, and distributors of consumer connectable products will have to comply with the UK's new product security regime. See the recent guidance from the Office for Product Safety and Standards.

We're expecting to see the results of the Government's consultation on plans to overhaul the UK's product safety laws to make them fit for the digital age, including accommodating the shift to online shopping and regulating innovations such as connected devices and AI. Just recently, the Government announced new laws to introduce digital labelling.

Other expected developments include progress on the Automated Vehicles Bill and the ICO publishing its smart tech guidance.

On the continent...

Continued progress is expected on the European equivalent of our new product safety regime – a Cyber Resilience Act to boost digital products' security.

There's also been a flurry of activity to update various legislation on product security, safety and liability to reflect emerging tech, including AI. A new General Product Safety Regulation will apply from 13 December 2024, a new Machinery Products Regulation will apply from January 2027, and a revised Product Liability Directive is expected to be approved shortly.

Cyber security

In relation to cyber security, the Government is currently asking for views until 19 March 2024 on a draft Cyber Governance Code of Practice to help directors and business leaders boost their cyber resilience, with the CEO of the National Cyber Security Centre (NCSC) stressing that "cyber security is no longer a niche subject or just the responsibility of the IT department." The NCSC recently warned that AI will almost certainly increase the volume and impact of cyber-attacks in the next two years.

In related news, the Government has also just published the response to a call for views on software resilience and security for businesses and organisations. Next steps include a voluntary code of practice for software vendors.

There's a particular focus at the moment on the cyber resilience of the UK's critical national infrastructure. The Science, Innovation and Technology Committee launched an inquiry last October which will examine this topic during 2024, and we're waiting for the Government's response to the Joint Committee on the National Security Strategy's recent report on ransomware and UK national security. The Government has also recently been consulting on protecting and enhancing the security and resilience of UK data infrastructure.

We're still waiting to see the changes that will be made to the Network and Information Systems (NIS) Regulations 2018. The NIS 2 Directive in Europe is more wide-ranging. In-scope organisations (which may include non-EU tech providers) will need to make sure they're prepared ahead of 18 October 2024.

In other developments, a voluntary code of practice setting out minimum security and privacy requirements for app store operators and app developers will be implemented in June 2024.

The upshot of all of this? All businesses will need to prioritise how they deal with cyber threats. Businesses whose products form part of the expanding ecosystem of connected devices, which are becoming increasingly powerful, will need to comply with a new security regime and keep an eye out for further developments. Consideration will need to be given to compliance in other jurisdictions, where applicable.

Theme #4: Employment practices

AI in the spotlight

"We can expect increased scrutiny of employment practices in 2024 as businesses look to AI systems to streamline and facilitate their processes."

Lucy Gordon, Partner, Employment & Immigration

Back in September, the Trades Union Congress (TUC) launched a new AI taskforce as it called for urgent legislation to safeguard workers' rights and make sure AI benefits all.

The taskforce aims to publish an AI and Employment Bill early in 2024 which it will lobby to have incorporated into UK law. The taskforce says AI is already making "high-risk, life changing" decisions about workers' lives, such as line-managing, hiring and firing staff, and that employers are buying and using AI systems without fully knowing the implications, such as whether they're discriminatory, unfair or breach the implied duty of trust. See our recent briefing on AI and recruitment issues, with practical tips.

Data protection and employment

We're also expecting the ICO to continue to add to its suite of guidance on employment practices and data protection. 2023 saw publication of guidance on monitoring workers and handling workers' health information. The ICO is currently consulting on the topics of keeping employment records and recruitment and selection.

It's clear that HR departments and in-house teams will have to keep on top of how technology, including AI, is set to impact their people and processes. This will be a key item on the agenda moving forwards (and it won't be going away any time soon).

Theme #5: Tech and financial services

As with other regulators, we're expecting the financial regulators to produce guidance for their sector on AI.

The path is uncertain at the moment. A recent feedback statement on an October 2022 discussion paper on AI and machine learning didn't include policy proposals, nor signal how the regulators are considering clarifying, designing, and/or implementing current or future regulatory proposals on this topic. This will hopefully become clearer as we move through the year.

Crypto on the agenda

We're expecting plans for cryptoasset regulation to progress in 2024. The Government is taking a phased approach, starting with fiat-backed stablecoins that may be used as a form of payment.

Legislation for that first phase is expected early in the year, and the regulators recently consulted to develop their approach to regulation. It's not clear when steps will be taken in relation to the wider cryptoasset regime.

Over in Europe, some provisions of the MiCA regulation on markets in cryptoassets start to apply from June 2024.

In other developments, we're waiting for the Law Commission to publish its consultation on how the rules of applicable law and jurisdiction apply to digital assets and other emerging tech.

Regulations came into force on 8 January 2024 creating a Digital Securities Sandbox that will allow firms and regulators to test the use of new technology across financial markets.

And we've been waiting for a while for the results of HM Treasury and the Bank of England's consultation on the potential case for a digital pound. A detailed response has now been published and feedback will inform the ongoing design phase of the project. In around 2025, a decision will be made on whether to go ahead.

Tackling increased sophistication in online fraud

2024 will see an increased focus on efforts to tackle online fraud. Back in October, the Security Minister gave a speech on fraud and AI, confirming that the UK will host a summit in London in March 2024 to agree a co-ordinated action plan to reform the global system and respond to the growing, transnational threat of fraud. With AI technology being used to both facilitate and tackle fraud, this is one to watch.

Tackling online fraud is a requirement of in-scope companies under the new Online Safety Act. Regulator Ofcom has been consulting as part of its work to implement the new rules over the next 18 months.

In November last year, leading tech companies signed up to an Online Fraud Charter, pledging to implement certain measures within six months. The Government recently launched a major national campaign to fight fraud, backed by the tech, financial and retail sectors. And finally, a mandatory reimbursement scheme for victims of authorised push payment (APP) fraud comes into force on 7 October 2024. Most APP fraud cases originate online.

Advances in tech offer bad actors new avenues to exploit and so it's encouraging to see these developments. We'll need to wait and see how effective they are in practice.

Theme #6: Competition and digital markets

"Progress on digital markets regulation will continue, with the Digital Markets, Competition and Consumers Bill expected to become law in spring/summer 2024, bringing in a new competition regime for digital markets. We'll be keeping a close eye on this and other developments and reporting on the potentially significant impacts for business."

Sarah Ward, Partner, Competition

The Competition and Markets Authority (CMA) recently published an overview of how it plans to operate the new regime. It also recently released a report on 10 trends in digital markets that could significantly impact competition and consumers over the next five years and beyond. They include the rapid and widespread deployment of AI foundation models, described as a type of AI technology trained on very large amounts of data that can be adapted to a wide range of tasks and operations.

On 17 February 2024, the EU's Digital Services Act started to apply to all online intermediaries accessed by users in the EU. From March 2024, the six "gatekeepers" designated by the European Commission – Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft – will need to start complying with the rules and obligations in the Digital Markets Act. See the key elements of the two regimes here.

In relation to competition and AI, in March 2024 we're expecting an update from the CMA on its AI foundation models review. In related news, the CMA is investigating the partnership between Microsoft and OpenAI (the company behind ChatGPT).

In other developments: in spring we're expecting a joint statement from the CMA and ICO considering areas of crossover between competition, consumer and data protection objectives; and the CMA's investigation into the public cloud infrastructure services market will continue. It's expected to conclude by April 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.