Laws/Regulations directly regulating AI (the “AI Regulations”)

The UK government's AI Regulation White Paper¹ of August 3, 2023 (the "White Paper") and its written response of February 6, 2024 to the feedback it received as part of its consultation on the White Paper (the "Response")² both indicate that the UK does not intend to enact horizontal AI regulation in the near future. Instead, the White Paper and the Response support a "principles-based framework" for existing sector-specific regulators to interpret and apply to the development and use of AI within their domains.³

The UK considers that a non-statutory approach to the application of the framework offers "critical adaptability" that keeps pace with rapid and uncertain advances in AI technology.⁴ However, the UK may choose to introduce a statutory duty on regulators to have "due regard" to the application of the principles after reviewing the initial period of their non-statutory implementation.⁵

The UK Government's Office for Artificial Intelligence, which was set up to oversee the implementation of the UK's National AI Strategy, will perform various central functions to support the framework's implementation. Such support functions include (among other things): (i) monitoring and evaluating the overall efficacy of the regulatory framework; (ii) assessing and monitoring risks across the economy arising from AI; and (iii) promoting interoperability with international regulatory frameworks.⁶

However, on July 17, 2024, the King’s Speech⁷ proposed a set of binding measures on AI, which deviates from the previous agile and non-binding approach. Specifically, the government plans to establish "appropriate legislation to place requirements on those working to develop the most powerful [AI] models".⁸ The Digital Information and Smart Data Bill was also announced, which will be accompanied by reforms to data-related laws, to support the safe development and deployment of new technologies (which may include AI).⁹ It is not yet clear exactly how this will be implemented.

Status of the AI Regulations

In February 2024, the UK government wrote to a number of regulators whose work is impacted by AI, asking them to publish an update outlining their strategic approach to AI.¹⁰ The regulators' subsequent responses contained (among other things) plans on regulating AI, actions they have already taken, and expressed their support and adherence to the White Paper’s five principles (see section titled "Key compliance requirements" below for more details). Most notably:

• The Financial Conduct Authority's (FCA) AI update outlines the FCA’s plans for the next 12 months, including collaboration with other Digital Regulation Cooperation Forum (DRCF) member regulators to deliver the pilot AI and Digital Hub, and running its own Digital Sandbox and Regulatory Sandbox¹¹
• The Information Commissioner Office’s (ICO) strategic approach establishes specific areas of focus in relation to AI and data protection, which include foundation models, high-risk AI applications (e.g., emotion recognition technology), facial recognition technology, and biometrics¹²
• The Office of Communication's (Ofcom) strategic approach to AI 2024/25 sets out Ofcom's plan of work in relation to four policy areas: online safety, broadcasting, telecoms, and cross-cutting issues that affect the other three policy areas. The strategy also highlights three key risks and Ofcom's work to date in addressing them, including, synthetic media, personalization, security and resilience¹³
• The Competition and Markets Authority (CMA) AI strategic update reviews foundation models to understand the opportunities and risks for competition and consumer protection¹⁴

Other laws affecting AI

There are several domestic laws that will affect the development or use of AI, including but not limited to:

• Data protection laws
• Intellectual property laws
• Human rights laws (particularly, anti-discrimination laws such as the Equality Act 2010 and the Human Rights Act 1998)
• Consumer and competition laws
• The proposed Digital Information and Smart Data Bill

Definition of “AI”

The White Paper describes "AI," "AI systems" and/or "AI technologies" as "products and services that are ‘adaptable' and ‘autonomous'" but stops short of providing an exhaustive definition.¹⁵

• With reference to the adaptivity of AI, the White Paper emphasizes that AI systems often develop the ability to perform new forms of inference not directly envisioned by their human programmers
• With reference to the autonomy of AI, the White Paper acknowledges that AI systems can make decisions without the express intent or ongoing control of a human

Territorial scope

The proposed regulatory framework applies to the whole of the UK and states that the UK will continue to consider the impacts of devolution as the AI regulatory framework further develops.¹⁶

The White Paper also notes that, as the UK is not currently proposing the introduction of new statutory requirements, the current principles-based AI framework will not change the territorial application of existing legislation applicable to AI (including, for example, data protection legislation). The Response notes that as the UK's approach develops, the government will continue to assess the territorial reach of its AI regulatory framework.¹⁷

Sectoral scope

As noted above, sector-specific regulators will be interpreting and applying the UK's overall principles-based AI framework to the development or use of AI within their respective domains. To date, limited sector-specific guidance has been published. We expect regulators will continue to publish updates outlining their respective strategic approach to AI in the near term.

Compliance roles

There are two key compliance roles that will be impacted by the UK's AI regulatory framework:

• First, regulators will need to: (i) have due regard for the framework and its principles when they introduce sector-specific regulation; and (ii) issue sector-specific guidance on how the cross-sectoral principles apply within their remit. Having due regard for the fact that the principles may eventually become a "statutory duty on regulators"¹⁸
• Second, AI actors across the life cycle of AI systems (including the design, research, training, development, deployment, integration, operation, maintenance, sale, use and governance phases) will have to comply with any sector-specific regulation introduced by the relevant regulators

Core issues that the AI Regulations seek to address

The White Paper identifies a range of high-level risks that the principles-based AI framework seeks to mitigate with proportionate interventions.¹⁹ These include:

• Risks to human rights (e.g., Generative AI may be used to create deepfake video content, potentially damaging the reputation, relationships and dignity of the subject)
• Risks to safety (e.g., an AI system based on LLM technology may recommend a dangerous activity that it has found on the internet, without understanding or communicating the context of the website where the activity was described, potentially leading to physical harm)
• Risks to fairness (e.g., an AI tool assessing creditworthiness of loan applicants that is trained on incomplete or inaccurate data may result in the offer of loans to individuals on inappropriate terms)
• Risks to privacy and agency (e.g., connected devices in a household may continuously gather data —including conversations—and may potentially create a near-complete portrait of an individual's home life. Privacy risks will compound if more parties can access such data)
• Risks to societal well-being (e.g., disinformation generated and propagated by AI could undermine access to reliable information and trust in democratic institutions and processes)
• Risks to security (e.g., AI tools may be used to automate, accelerate and magnify the impact of highly targeted cyber-attacks, increasing the severity of the threat from malicious actors)

Risk categorization

The White Paper states that the UK's AI regulatory framework will adopt a context-specific approach instead of categorizing AI systems according to risk. Thus, the UK has decided to not assign rules or risk levels across sectors or technologies.²⁰ The White Paper also notes that it would be neither proportionate nor effective to classify all applications of AI in critical infrastructure as high risk, as some uses of AI in relation to critical infrastructure (e.g., the identification of superficial scratches on machinery) can be relatively low risk.²¹ Essentially, the UK's context-specific approach to risk categorization is expected to allow regulators to respond to the risks posed by AI systems in a proportionate manner.²²

The Response highlights the UK's continued commitment to a context-based approach "that avoids unnecessary blanket rules that apply to all AI technologies, regardless of how they are used", noting that such an approach is the "best way" to ensure an agile approach that stands the test of time.²³

Key compliance requirements

The White Paper establishes five cross-sectoral principles for existing regulators to interpret and apply within their respective domains:

Principle 1: Regulators should ensure that AI systems function in a robust, secure, and safe way throughout the AI life cycle, and that risks are continually identified, assessed and managed.

To implement this principle, regulators will need to consider:

• Providing guidance as to what good cybersecurity and privacy practices look like
• Referring to a risk management framework that AI life cycle actors should apply
• The role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 2: Regulators should ensure that AI systems are appropriately transparent and explainable. To implement this principle, regulators will need to consider:

• Setting expectations for AI life cycle actors to provide information relating to: (a) the nature and purpose of the AI system in question; (b) the data being used; (c) the training data used; (d) the logic and process used; and (e) accountability for the AI system and any specific outcomes
• Setting "explainability" requirements, particularly for higher-risk systems, to ensure appropriate balance between information needs for regulatory enforcement and technical trade-offs with system robustness
• The role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 3: Regulators should ensure that AI systems are fair (i.e., they do not undermine the legal rights of individuals or organizations, discriminate unfairly against individuals, or create unfair market outcomes).

To implement this principle, regulators will likely need to:

• Interpret and articulate what "fair" means with reference to their respective sectors
• Decide in which contexts and instances fairness is important and relevant
• Design, implement and enforce appropriate governance requirements for "fairness" in their respective sectors
• Where a decision involving the use of an AI system has a legal or similarly significant effect on an individual, consider the suitability of requiring AI system operators to provide an appropriate justification for that decision to affected third parties
• Ensure that AI systems comply with regulatory requirements relating to the vulnerability of individuals within specific regulatory domains
• Consider the role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 4: Regulators should ensure there are governance measures in place to allow for effective oversight of the supply and use of AI systems, with clear lines of accountability across the AI life cycle. To implement this principle, regulators will likely need to:

• Determine who is accountable for compliance with existing regulation and the principles, and provide initial guidance on how to demonstrate accountability in relation to AI systems
• Provide guidance on governance mechanisms including, potentially, activities in the scope of appropriate risk management and governance processes (including reporting duties)
• Consider how available technical standards addressing AI governance, risk management, transparency and other issues can support responsible behavior and maintain accountability within an organization

Principle 5: Regulators should ensure that users, impacted third parties and actors in the AI life cycle are able to contest an AI decision or outcome that is harmful or creates a material risk of harm, and access suitable redress.

To implement this principle, regulators will need to consider:

• Creating or updating guidance with relevant information on where those affected by AI harms should direct their complaint or raise a dispute
• Creating or updating guidance that identifies the "formal" routes of redress offered by regulators in certain scenarios
• Emphasizing the requirements of appropriate transparency and "explainability" in interactions for effective redress and contestability

The Response notes that values and rules associated with human rights, operational resilience, data quality, international alignment, systemic risks and wider societal impacts, sustainability and education, and literacy are largely already enshrined in existing UK laws.

Regulators

The UK does not have a central AI regulator, and the White Paper indicates that there are no existing plans to establish a central AI regulator either.²⁴ As noted above, sector-specific regulators are expected to interpret and apply the principles-based AI framework within their respective domains.

Enforcement powers and penalties

Sector-specific regulators will need to ensure their regulations incorporate the principles of accountability and suitable redress with reference to the UK's principles-based AI framework.

_{1 See the White Paper (here).
2 See the Response (here).
3 See the White Paper (here), Section 3.2 (The proposed regulatory framework), and the Response (here), section 5 (A regulatory framework to keep pace with a rapidly advancing technology).
4 See the Response (here), paragraph 16.
5 See the Response (here), paragraph 109.
6 See the White Paper (here), paragraph 14.
7 The King’s Speech sets out the new Labor government’s proposed laws and its plans for the upcoming parliamentary term.
8 See the King’s Speech here.
9 See the King’s Speech background notes here, page 40.
10 See all the relevant regulator updates here.
11 See the FCA update here.
12 See the ICO strategic approach here.
13 See Ofcom’s strategic approach to AI 2024/25 here.
14 See the Competition and Markets Authority initial review of AI Foundation Models (here).
15 See the White Paper (here), Section 1.3 (A note on terminology) and Section 3.2.1 (Defining Artificial Intelligence).
16 See the White Paper (here), Part 5 (Territorial application).
17 See the Response (here), paragraph 78.
18 See the White Paper (here), paragraph 25.
19 See the Response (here), paragraph 11.
20 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 45.
21 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 45.
22 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 46.
23 See the Response (here), paragraph 11.
24 See the White Paper (here), paragraph 15.}

Daniel Mair (Trainee Solicitor, White & Case, Paris) and Jeffrey Shin (Trainee Solicitor, White & Case, London) contributed to this publication.