King’s Speech: New Digital, Cyber Resilience, and AI laws announced

On Wednesday, 17 July 2024, the incoming Labour government's first legislative agenda was announced in the King's Speech. A total of 40 new legislative initiatives were introduced during the set-piece event. For those working in the data protection and digital space, there is much to consider. A background briefing paper published alongside the King's Speech contains the full list of Bills and further details.

Firstly, we now know that the Data Protection and Digital Information (DPDI) Bill died on Friday, 30 May. Not all of the DPDI's provisions have been abandoned; however, as the introduction of the Digital Information and Smart Data (DISD) Bill features elements from its similarly named predecessor.

The briefing paper explained that the DISD Bill would "enable new innovative uses of data to be safely developed and deployed and will improve people's lives by making public services work better by reforming data sharing and standards; help scientists and researchers make more life enhancing discoveries by improving our data laws; and ensure your data is well protected by giving the regulator [the Information Commissioner's Office (ICO)] new, stronger powers and a more modern structure."

Key provisions of the DISD Bill:

• Establish Digital Verification Services supporting the creation and adoption of trusted, secure digital identity products and services from certified providers;
• Develop a National Underground Asset Register, giving planners and excavators standard access to necessary data to carry out their work effectively and safely; 
• Set up Smart Data schemes, enabling the secure sharing of a customer's data upon their request with authorised third-party providers;
• Make changes to the Digital Economy Act, enabling the government to share data about businesses that use public services; 
• Create an electronic system for the registration of births and deaths;
• Apply information standards to IT suppliers in the health and social care system;
• Enable scientists to ask for broad consent for areas of scientific research and allow legitimate researchers to do scientific research in commercial settings;
• Modernise the structure of the ICO with a CEO, board, and chair and strengthen its regulatory powers. Alongside these changes, the government intends to implement targeted reforms to certain data laws where a lack of clarity is impeding the safe development and deployment of some new technologies. The government stresses that it will maintain the high standards of protection;
• Establish a Data Preservation Process that coroners (and procurators fiscal in Scotland) can initiate to support investigations into a child's death.

In addition to the DISD Bill, the government announced that it planned to introduce the Cyber Security and Resilience (CSR) Bill. 

The briefing paper explained that the CSR Bill would "strengthen the UK's cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure."

Key provisions of the CSR Bill:

• Expand the remit of the regulation to protect more digital services and supply chains by filling a gap in our defences to prevent similar attacks experienced by UK critical public services, such as the recent ransomware attack on Synnovis that impacted several London hospitals and GP services.
• Put regulators on a strong footing to ensure essential cyber safety measures are implemented, including potential cost recovery mechanisms to provide resources to regulators and powers to proactively investigate potential vulnerabilities;
• Mandate increased incident reporting to give the government better data on cyberattacks, including where a company has been held for ransom.

On artificial intelligence (AI), the briefing paper briefly mentions that the government "will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models."

Commenting on the structural changes to the ICO, Data protection law expert Malcolm Dowden of Pinsent Masons wrote, "When the new Bill is introduced, it will be interesting to see whether the more controversial elements of the previous provisions are replicated – specifically, the ability of the Secretary of State to appoint members to the statutory board and determine the number of members the board may have and to set the ICO's priorities and enforcement objectives. Those provisions gave rise to concerns about the EU-UK adequacy decision, which relies on factors including the ICO's status as an independent regulator."

Meanwhile, Jon Baines contributed to a response by law firm Mischon de Reya by saying that the revival of the digital identity verification measures (Digital ID Cards) is surprising as they were not mentioned in Labour's manifesto, and Home Secretary Yvette Cooper had said they were "not our approach". Baines added that it will be interesting to see what has changed in the intervening period.

In a detailed response to the King's Speech, the Open Rights Group posted an analysis addressing several of the Bills in the planned legislative agenda.

On the proposed structural changes to the ICO, ORG also points to the previous issues around independence. ORG also calls for "more urgent changes that the ICO needs, such as the transfer of its appointment to Parliament, the implementation of collective redress mechanisms, and a reform of Section 166 of the UK DPA to allow substantive scrutiny of ICO enforcement decisions by the Information Tribunal."

The analysis highlights that further consultation will be required; however, ORG welcomes the "step-change compared to the previous approach to innovation and AI." While plans to regulate the most powerful AI models are welcome, ORG highlights that the government could go further and legislate other harmful AI applications and also address AI deployment.