28 October 2024

AI, Data And Cybersecurity: Insights For In-house Counsel | Autumn 2024

Travers Smith LLP

Contributor


The EU AI Act is now in force

The EU's AI Act came into force on 1 August 2024 and has implications for businesses around the world, not just in the EU. Most of the obligations will apply from 2 August 2026 but the bans outlawing unacceptable systems, and the AI literacy requirement (an obligation to educate and train staff interacting with AI), each apply from 2 February 2025. Our briefing sets out more detail on how the Act applies, as well as some practical steps that organisations may consider taking.

AI Insights

Our AI Insights podcast series explores the key legal issues relating to the development and use of artificial intelligence, including regulatory, data protection, intellectual property, employment, financial services and competition law aspects.

No new AI Bill for the UK…yet

Whilst no AI Bill was announced in the King's Speech last July, the new Labour government has said that it is considering regulation targeting the largest general purpose AI models/systems (systems such as ChatGPT).

On 5 September 2024, the UK signed the Council of Europe's Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law. A legally binding international treaty, it sets out principles which aim to ensure that activities within the lifecycle of artificial intelligence systems are fully consistent with human rights, democracy and the rule of law. Other signatories to the AI Convention include the US and the EU. The Convention requires domestic implementation rather than applying directly, and it does not necessarily require new legislation. In practice, therefore, it is doubtful that it will change the regulatory path for AI announced by the Labour government to target only the largest models.

A replacement for the Data Protection and Digital Information (DPDI) Bill?

A Digital Information and Smart Data Bill (DISDB) has been announced (but is yet to be introduced). It looks likely to resurrect elements of the DPDI Bill, which fell away at the end of the last parliamentary session.

The DISDB will provide a statutory footing for three data schemes:

  1. Digital Verification Services (which will support digital identification products and services from certified providers to make it easier, for example, to move house and carry out pre-employment checks);
  2. National Underground Asset Register (a digital map of pipes and cables); and
  3. Smart Data schemes, along similar lines to the EU Data Act, building upon the success of Open Banking and extending it to other sectors.

The DISDB will also introduce further flexibility for scientific research and reform the Information Commissioner's Office.

Whether the DISDB will encompass other data protection reforms is less clear. Targeted reforms to “some data laws” have been mentioned but there is no more detail yet on what these changes might comprise – e.g. nothing on the changes proposed by the previous Conservative government to combat GDPR "red tape" or changes to the marketing and cookie regime.

Reform of cyber resilience rules

The new Government recognises the need to respond to the increasing frequency and severity of cyber-attacks affecting entities in critical sectors and their supply chains. It is also concerned that the UK has fallen behind and is “comparably more vulnerable” than the EU in the cybersecurity sphere. It therefore plans to introduce a Cyber Security and Resilience Bill to reform the Network Information Security Regulations 2018 (NISRs). The last government had previously proposed extending the reach of the NISRs to bring into scope managed service providers. The new legislation will cover “more digital services and supply chains” and is likely to include a cost recovery mechanism for regulators in respect of data breaches and increased incident reporting, including for ransomware attacks.

Although information about the detail of the Bill is scant at this point, it looks likely to cover similar ground to the previous proposals. For information about these and how they compared with the EU's NIS2 Directive, read this briefing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
