Artificial Intelligence, data and IP

Even the CEOs of the big AI firms, like Sam Altman of OpenAI (the developers of ChatGPT), say that AI needs regulating, but there is very little consensus about how to go about regulating it. Governments across the globe are grappling with how to balance promoting innovation and economic growth with protecting citizens' privacy, safety and other human rights.

Our briefing explores the UK's approach to the regulation of AI, highlights its key differences from the EU's proposed AI Act and looks at steps organisations can consider taking now, amidst the regulatory uncertainty.

Data is often described as AI's "lifeblood" but there's widespread concern about personal data being unlawfully exploited or processed using AI tools. While the future approach to regulation of AI is still being heavily debated, existing data protection legislation, such as the GDPR and its UK equivalent, is likely to play an influential role – not least because regulators already have powers which they can use to oversee the new technology.

Our briefing looks at how big a role data protection can play in regulating AI and what lessons it may have for other areas. We also discuss how regulators in the UK and EU are responding and what businesses need to do to comply if they are considering the use of AI tools to handle personal data.

There's now a new route to transfer personal data to the US under the EU GDPR. In July, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). This means that transfers of personal data can be made compliantly from the EU to organisations in the US that have certified to the DPF, without the need for additional safeguards, such as standard contractual clauses, or for a transfer impact assessment. See our briefing for more.

The UK Government has now agreed a UK-US data bridge, as an extension to the DPF, that can be used in a similar way for transfers between the UK and DPF-certified organisations in the US. Our briefing looks at what this means for data transfers from the UK to the US, what the next steps are, and whether the DPF and its UK extension will last.

Following a chequered journey through Parliament, the Online Safety Act (OSA) finally received Royal Assent on 26 October 2023. The OSA imposes new duties on user-to-user services (e.g., social media, online forums, gaming services, dating apps etc.) and search services to tackle online illegal content and online “lawful but harmful” content to children, as well as introducing measures to enable adult users to avoid “lawful but harmful” content. These services will be caught if they target the UK, regardless of where they are established.

The OSA will be enforced by Ofcom, and its enforcement powers are extensive – with fines of up to £18 million or 10% of annual worldwide revenue for non-compliance, and potential criminal liability for corporate officers for certain breaches. There will be a phased approach to enforcement, starting this month with a series of consultations on Ofcom's Codes of Practice and draft guidance. The majority of the OSA’s provisions will commence in early 2024.

For more, read this previous briefing which compared the Online Safety Bill with the EU's Digital Services Act.