On Friday 5 July 2024, voters in the UK elected the Labour Party to form a new government. Below we share our initial thoughts on what a Labour government might mean for the development and regulation of data protection, artificial intelligence and digital products and services in the UK.
Data protection
What is the Labour Party's policy?
Labour's election manifesto commits to "improv[ing] data sharing" across public services, with a "single unique identifier" to "better support children and families". The Labour Party also intends to create a "National Data Library" to bring together existing research programmes and "help deliver data-driven public services". Notably, Labour's manifesto was silent on wider data protection reform.
What is the context?
The National Data Library forms part of the Labour Party's broader national industrial strategy that "supports the development" of the AI industry in Britain, including by removing "planning barriers to new data centres" (a topic that my private equity real estate colleagues have written about here). Although the specifics of the National Data Library have not been publicised, governments and industry alike are increasingly focused on the opportunities presented by large-scale data repositories — see, for example, the European Health Data Space.
Whether Labour seeks to resurrect the Data Protection and Digital Information Bill — the Conservative Party's attempt to revise the UK's GDPR-based legislative framework — remains to be seen. Readers may recall that Labour MPs in the House of Commons were broadly supportive of the Bill, which appeared to be close to passing but ultimately fell due to the timing of the General Election.
Data protection reform is not a critical issue for most voters, but the DPDIB proposed a number of helpful changes to the current regime, as well as a partial restructuring of the Information Commissioner's Office, and it would be surprising if the Labour Party didn't put some type of data protection reform back on the table — albeit perhaps not during its first year in power.
Who does it affect?
Although some private sector actors play a role in the provision of public services, introducing a single unique identifier is likely to have limited impact for most businesses. By contrast, the development of a National Data Library — i.e., a centralised, secure platform to bring together high-quality data for scientists and start-ups — will be of great interest to research institutions and life sciences companies as well as the private capital and venture firms that invest in the sector.
As regards the reform (or not) of the UK GDPR and Data Protection Act 2018, time will tell. The European Commission must decide by June 2025 whether to renew its finding of UK data adequacy. Some European legislators have suggested that passing the DPDIB into law could impact the decision to renew adequacy — and although there is an element of sabre-rattling to those comments, it wouldn't be surprising to see the Labour Party wait until the adequacy finding is renewed before deciding how, if at all, to revise the UK's data protection laws.
Artificial Intelligence
What is the Labour Party's policy?
Labour's election manifesto states that it will introduce "binding regulation" on the handful of companies that are developing the most powerful AI models, as well as ensuring that the UK's industrial strategy "supports the development of the AI sector". As described above, the Labour Party intends to encourage the building of new data centres — and will also ban "the creation of sexually explicit deepfakes".
What is the context?
Unlike the European Union, whose AI Act is a comprehensive and wide-ranging law governing the development, deployment and use of artificial intelligence, the previous UK government introduced a light-touch regulatory framework for AI that relies on existing laws and regulatory authorities. The Labour Party's stated position broadly maintains the status quo in the UK. However, organisations in the UK that have European operations or place or put AI systems into service in the EU are likely subject to the AI Act, and therefore will need to determine whether or not to put in place a Europe-wide AI governance framework that also applies to their UK business (i.e., undercutting of a light-touch regulatory framework).
Who does it affect?
The Labour Party has not provided further details about what constitutes a "powerful AI model", but one can reasonably assume that the majority of companies operating in the UK will not fall into this bucket. Indeed, most organisations are users of AI (i.e., rather than developers), and even those businesses that develop AI-enabled products or services are — with a small number of exceptions — also unlikely to be caught. But as with all manifesto pledges, the devil will be in the detail. And given that the global direction of travel is towards introducing AI laws that apply broadly, it will be interesting to see whether the Labour Party changes — that is to say, hardens — its approach during its time in government.
Digital regulation
What is the Labour Party's policy?
Labour's election manifesto states that it will "build" on the Online Safety Act, "bringing forward provisions as quickly as possible, and explore further measures to keep everyone safe online, particularly when using social media". The Labour Party also intends to give coroners "more powers to access information held by technology companies after a child's death" and to create a "Regulatory Innovation Office" which will help existing regulators "update regulation, speed up approval timelines and co-ordinate issues that span existing boundaries". Interestingly, the manifesto is silent on facial recognition.
What is the context?
Like the EU's Digital Services Act, the OSA forms part of an alphabet soup of post-GDPR digital regulation that is, or soon will be, in effect (see also the DMA, the NIS2 Directive and DORA). The access to children's data is a highly emotive issue, and although the OSA already contains certain information gathering powers in the case of a child's death, the Labour manifesto suggests that it does not consider these powers are sufficient. Watch this space.
The introduction of a Regulatory Innovation Office comes at a particularly interesting time, given the breadth of work that regulators are now expected to handle, in respect of both current and upcoming laws. A case in point is that the UK's current approach to AI regulation does not involve the creation of a new dedicated regulatory authority. Rather, the ICO, FCA and MHRA (among others) will be tasked with developing guidance for and taking enforcement action again organisations under their respective authorities.
The RIO will likely benchmark and track the performance of the UK's regulators, and we will be watching closely to see whether this oversight impacts the ICO's largely hands-off approach to enforcement.
Who does it affect?
The Online Safety Act has broad application — including on an extra-territorial basis — to online services that allow users to share content or interact; social media companies, online search services, messaging platforms and mobile games will all be caught. The intense focus on artificial intelligence during the past 18 months has meant that the application of the OSA may have been overlooked by some businesses that, upon further investigation, are likely to be in scope.
Given that Labour's manifesto suggests that this will be an area of regulatory — and possibly legislative — focus going forward, it would now be a good time for companies that haven't done so to assess whether they are or may be in scope of the OSA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.