Analysing The UK's Upcoming Technology Laws; And Six Months Until DORA — Does It Apply To You?

Ropes & Gray LLP

There's rarely a quiet week in data protection — and this one was no exception. Below are two developments from the past seven days that caught my eye.

Story #1: Analysing the UK's upcoming technology regulations

On Wednesday (17 July 2024), the UK's newly formed government announced its legislative agenda for the upcoming parliamentary session. In line with one of the quirks of the British political system, this was done in a speech given by King Charles that forms part of the State Opening of Parliament.

Among the 40 proposed laws set out in the King's Speech, two in particular give us a good indication about the future of technology regulation in the UK.

Artificial Intelligence

Perhaps most surprisingly, the Government has not tabled specific legislation on AI. Rather, mirroring the language in its election manifesto (see here), Labour says that it will "seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models". What that means in practice, who the law will affect, and when it may begin the legislative process are therefore all still to be determined.

So, for the time being, the position in the UK with respect to AI regulation remains the same as under the previous government: a light-touch regulatory regime with no new AI-specific laws or regulators. That will likely change in time, but the contrast between the approaches of the EU, where the clock is now ticking on implementation of the AI Act, and the UK continues to be stark.

Data Sharing

The first of the big data-related initiatives is the Digital Information and Smart Data Bill, which the Government says will put on a statutory footing three "innovative uses of data". These include a National Underground Asset Register that gives planners and excavators access to data on buried infrastructure, and Smart Data schemes that will allow sharing of customer data with authorised third-party providers, the latter sounding like a souped-up version of the Article 20 UK GDPR right to data portability.

Most interesting of all is the government's plan to introduce Digital Verification Services — which Labour says will "lessen the everyday burdens on businesses by reducing costs, time and data leakage" and allow for the development of digital identity products and services (e.g., for moving house, pre-employment checks and buying age-restricted goods).

The introduction of a digital ID card in the UK has been mooted several times before, but in each case was met with resistance from a variety of stakeholders. Indeed, the Labour Party itself appeared to rule out the use of a digital ID earlier this month, so it's interesting to see the concept partially re-emerge in a legislative context. The background reading to the Bill (link here) says that the use of online IDs will be voluntary, and will link to other manifesto proposals to establish large-scale and interlinked data ecosystems in the UK, including a National Data Library.

Whatever one's views on the benefits (and downsides) of government-issued digital identities, it goes without saying that centralised repositories of personal data are attractive targets for cybercriminals, and a verification service is only as trustworthy as the weakest party that can assert or relay an identity. In practice, this is likely to mean heightened security requirements (certification, audit and incident-reporting obligations) for organisations in the supply chains that support these initiatives.

Data Protection

Labour says that it will make "targeted reforms to some data laws", also via the Digital Information and Smart Data Bill. Although data protection reform wasn't discussed in the Labour election manifesto, the indications are that it will cherry-pick some of the concepts that made most sense in the previous government's Data Protection and Digital Information Bill (DPDIB), particularly those around scientific research and secondary uses of data.

The restructure of the Information Commissioner's Office is also a hangover from the Conservatives' data protection reform, and the reference to "new, stronger powers" caught my eye. Given that the ICO has been criticised for its approach to enforcement, it will be interesting to see what Labour has in mind here — and the extent to which those powers apply beyond data protection and electronic marketing. Conversely, businesses that had been hoping for Labour to carry over the DPDIB's approach to reducing compliance documentation look like they will be disappointed.

Cyber Security

The second significant initiative, a Cyber Security and Resilience Bill, will expand the remit of the "existing regulation" (i.e., the UK's NIS Regulations 2018, which implemented NIS1), "putting regulators on a stronger footing" and "increasing reporting requirements". On its face the Bill will closely align the UK's cyber regulatory framework with NIS2, which EU Member States must transpose by 17 October 2024. Please see here for a slide deck that I used to speak about NIS2 at the Privacy + Security Forum in Washington, DC earlier this year.

Notably, the Bill will require in-scope organisations to make regulatory notifications in cases where they have been asked to pay a ransom. The context here is that regulators in the UK advise companies not to make ransom payments, and lawyers have been told by the ICO and the Law Society that they should advise their clients to do the same. The ICO has also made clear that paying a ransom will not mitigate the effects of a personal data breach (a payment buys no assurance that exfiltrated data has been deleted, and does nothing to close the intrusion path), but some organisations see making such payments as a commercial reality, and, in some cases, a necessity.

So, a key question is: will the Bill require in-scope organisations to notify regulators of a cyber incident before they make a ransom payment, if indeed one is made? The previous government reportedly intended to introduce a licensing regime for ransom payment, and there isn't enough information in the background briefing notes to the King's Speech to be definitive either way.

As with each of the Government's legislative initiatives, the devil will be in the detail. Ropes & Gray will continue to monitor developments and provide updates when the text of the bills is published. In the meantime, if you have questions or comments about what these laws may mean for your organisation, please do get in touch.

Story #2: DORA — six months to go...

Wednesday 17 July marked an important date for European technology regulation: the six-month mark before the EU's Digital Operational Resilience Act, aka DORA, applies on 17 January 2025.

DORA will apply to many financial services businesses in the EU, and in some cases to organisations located outside Europe. ICT service providers to the financial industry can also be subject to DORA, whether directly (for providers designated as critical ICT third-party providers, which fall under a dedicated oversight regime) or indirectly (through the contractual and risk-management requirements that in-scope financial entities must flow down to their ICT providers).

If you're wondering whether your business is in scope, click here for a flowchart prepared by Ropes & Gray on when and how DORA applies.

Often the answer will be clear. But as is usually true for European legislation, other cases will require careful analysis — particularly for organisations with a global footprint. Six months will pass very quickly, so if you haven't yet considered whether you are subject to DORA, now is the time to act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
