Clarkslegal Law Bites
Clarkslegal Law Bites
Regulating AI to protect personal data
Earlier this year, the UK Government announced the introduction of the Data Protection and Digital Information Bill in which the consultation considered specifically on the interplay of AI technologies with the UK’s data protection regime. On 18 July 2022, the UK Government set out its proposals for regulating the use of AI technologies while protecting data and promoting innovation.
In this podcast Melanie Pimenta and Jacob Montague solicitors in the Data Protection team at Clarkslegal discuss the Government’s proposals to regulate the use of AI and what businesses should do.
Melanie Pimenta 0:03
Hi, I am Melanie Pimenta and I’m joined by my colleague Jacob Montague.
Jacob Montague 0:08
Hi everyone.
Melanie Pimenta 0:11
We’re members of the Data Protection team here at Clarkslegal. Today we are going to discuss the Government’s proposals to regulate the use of artificial intelligence, commonly known as “AI”.
So earlier this year, the UK Government announced the introduction of the Data Protection and Digital Information Bill in which the consultation considered specifically on the interplay of AI technologies within the data protection regime. On 18 July 2022, the UK Government set out its proposals for regulating the use of AI technologies while protecting data and promoting innovation. So, what is “AI” Jacob?
Jacob Montague 0:54
Thanks Mel. Well AI refers to systems or machines that mimic human intelligence to perform tasks and can therefore improve themselves based on the information they collect. AI can be implemented in various forms. For example, chatbots use AI to understand customer problems faster and provide more efficient answers. Another example is that recommendation engines can provide automated recommendations for TV shows based on users’ viewing habits. AI is intended to significantly enhance human capabilities and contributions rather than to actually replace humans.
Melanie Pimenta 01:33
So, how has the Government confirmed what role AI has within the UK data protection regime?
Jacob Montague 01:42
Well, the Government has set out a risk-based approach to AI regulation in its AI Regulation Policy Paper, which was published on 18 July 2022. The paper considered the following principles:
- Context-specific: I.e. the Government will acknowledge that AI is a dynamic, general purpose technology and that the risks arising from it depend principally on the context of its application.
- Pro-innovation and risk-based approaches: the Government will ask regulators to focus on applications of AI that result in real, identifiable, unacceptable levels of risk, rather than seeking to impose controls on uses of AI that pose low or hypothetical risk so it avoids stifling innovation.
- There is also going to be a big focus on being Coherent: ensuring the system is simple, clear, predictable and stable.
- And finally, there’s also a big part of the principles are Proportionately and adaptably: the Government will ask that regulators consider lighter touch options, such as guidance or voluntary measures, in the first instance.
Melanie Pimenta 02:54
That will be interesting to navigate, particularly where AI technologies have some underlying issues and risks. The Government has said that it intends to address such issues by developing a set of cross-sectoral principles tailored to the distinct characteristics of these technologies. I think regulators would be tasked with interpreting and implementing these cross-sectoral principles within their regulatory remits in line with their existing roles and remits. And the principles are:
- Ensuring that AI is used safely – that is likely to be a consideration for certain sectors, for example, healthcare;
- Ensure that AI is technically secure and functions as designed – the Government has suggested that systems should be tested but regulators will set out the regulatory expectations in the relevant sector or domain, so there may be some challenges there;
- Make sure that AI is appropriately transparent and explainable;
- Also, embed considerations of fairness into AI – So regulators define “fairness” in their sector or domain and outline when fairness considerations are relevant (for example, in the case of job applications);
- Define legal persons’ responsibility for AI governance – the Government confirms that accountability for the outcomes produced by AI systems and legal liability must rest with an identified legal person;
- And finally, clarify routes to redress or contestability – the Government expects that regulators can ensure that outcomes of AI systems can be contested in “relevant regulated situations”.
So what are you anticipating the challenges to be with this approach?
Jacob Montague 04:52
Well it is going to be a difficult area to navigate. Regulators will be tasked with deciding what ‘fairness’ or ‘transparency’ means for AI development or use in the context of their sector or domain. This poses some challenges with establishing the various risks within many sectors, and may result in a complex regulated landscape, particularly for organisations which operate in a variety of sectors. Next, regulators will need to decide if, when and how their regulated entities will need to implement measures to demonstrate that these principles have not only been considered but complied with, or depending on the relevant context both. Similarly, regulators will need to ensure that a coherent approach is applied across all the principles. Given that there will be various regulators involved in the decision-making, this could result in inconsistencies and a lack of clarity.
Another challenge I think will be ensuring that AI is technically secure, particularly taking account the increasing volume of cyber attacks on businesses. This will place additional burdens on ensuring that systems are tested and updated regularly to ensure that data can be continually protected.
Melanie Pimenta 06:09
Yes, I agree with that approach and when considering the fairness element within the AI systems, it will need to ensure that this covers off anti-discrimination, equality measures and measures to combat bias, which may be difficult to implement. There are also risks that potentially regulators will need to consider as the Government has proposed that regulators will lead the process of identifying, assessing, prioritising and contextualising the specific risks addressed by the principles. Another risk at this stage is anticipating challenges for businesses operating across multiple jurisdictions and seeing if the Government’s proposed cross-sectoral approach will be able to cover this. Regulators will also need to ensure that they have the expertise and skills to effectively regulate AI. So we are expecting further guidance to be issued focused on the interpretation of terms used within the principles, risks and proportionality, to support regulators in their application of the principles.
So, what are the next steps to the Government’s approach?
Jacob Montague 07:23
Well as you just touched on the Government will certainly appreciate that it will need to implement a framework to refine its approach and therefore drive innovation, boost consumer and investor confidence and support the development and adoption of new AI systems. Specifically, we believe it will be considering the following key areas:
- Firstly, the proposed framework and whether it adequately addresses the Government’s prioritised AI-specific risks in a way tailored to the UK’s values and ambitions while also enabling effective coordination with other international approaches. This includes considering whether any gaps exists in the existing regulator coverage that require potentially a more targeted solution.
- It’s also likely that the Government will need to consider how their approach is actually put into practice: this will involve considering the roles, powers, remits and capabilities of regulators; the need for coordination and how this should be delivered across the range of regulators (both statutory and non-statutory) involved in AI specific regulation; and whether new institutional architecture is needed to oversee the functioning of the landscape as a whole and therefore anticipate future challenges. The Government has said that it would also consider if there are any areas of high risk that demand an agreed timeline for regulators to interpret the principles into sector or domain specific guidance. Such work will also involve working with the key regulators, including the Information Commissioner’s Office or ICO, Competition and Markets Authority, Ofcom and the Equality and Human Rights Commission.
- Finally emphasis will be placed on monitoring of the Framework to ensure it delivers the Government’s vision for regulating the use of AI in the UK and that it is capable of foreseeing any future developments, mitigating future risks and maximising the benefits of future opportunities. This will mean that an effective monitoring system will need to be implemented to ensure a robust approach is adopted to identifying and managing the evolving risks presented by AI whilst also ensuring that data can remain protected.
So Mel, do you think that AI and data protection will become prevalent in the future and what should businesses do to address this?
Melanie Pimenta 10:00
Thanks Jacob, so I think the short answer to this is “yes”. At the moment, the Government is seeking initial views from stakeholders on the proposal set out in the Policy Paper and the call for views is open until 26 September 2022. Following the call for views, we are expecting the UK Government to publish an AI White Paper in late 2022 which will set out a framework for AI regulation in the UK.
Therefore, would suggest that businesses should monitor the publication of the AI White Paper to consider the Government and regulators’ approach to regulating AI, and in particular, how the cross-sectoral approach will be interpreted. Once we receive further updates on this, we would suggest that businesses check whether their AI strategy and procedures align with the strategy as set out in the AI White Paper.
Jacob Montague 11:01
If your organisation needs support with anything we have mentioned here today, you can contact our data protection team via email at contact@clarkslegal.com or find us via our website Clarkslegal.com.
Melanie Pimenta 11:15
Thank you for listening to this podcast!