Status of the AI Regulations 

The UK government has written to a number of regulators whose work is impacted by AI, asking them to publish an update outlining their strategic approach to AI by April 30, 2024.  To date, there have been limited developments in sector-specific regulation concerning AI:

• Only a limited number of regulators have issued initial guidance on AI, such as the Information Commissioner Office's guidance on AI and data protection (last updated in March 2023) and the Medicines and Healthcare regulators roadmap (last updated in June 2023)⁸
• The Competition and Markets Authority published a review of foundation models to understand the opportunities and risks for competition and consumer protection⁹
• The Office of Gas and Electricity Markets (Ofgem) and Civil Aviation Authority (CAA) are working on AI strategies to be published in late 2024¹⁰

Other laws affecting AI

There are several domestic laws that will affect the development or use of AI, including but not limited to:

• Data protection laws
• Intellectual property laws
• Human rights laws (particularly, anti-discrimination laws such as the Equality Act 2010 and the Human Rights Act 1998)
• Consumer and competition laws
   

Definition of “AI”

The White Paper describes "AI," "AI systems" and/or "AI technologies" as "products and services that are ‘adaptable' and ‘autonomous'" but stops short of providing an exhaustive definition.¹¹

• With reference to the adaptivity of AI, the White Paper emphasizes that AI systems often develop the ability to perform new forms of inference not directly envisioned by their human programmers 
• With reference to the autonomy of AI, the White Paper acknowledges that AI systems can make decisions without the express intent or ongoing control of a human

Territorial scope 

The proposed regulatory framework applies to the whole of the UK and states that the UK will continue to consider the impacts of devolution as the AI regulatory framework further develops.¹²

The White Paper also notes that, as the UK is not currently proposing the introduction of new statutory requirements, the current principles-based AI framework will not change the territorial application of existing legislation applicable to AI (including, for example, data protection legislation). The Response notes that as the UK's approach develops, the government will continue to assess the territorial reach of its AI regulatory framework.¹³ 

Sectoral scope

As noted above, sector-specific regulators will be interpreting and applying the UK's overall principles-based AI framework to the development or use of AI within their respective domains. To date, limited sector-specific guidance has been published. We expect regulators will continue to publish updates outlining their respective strategic approach to AI in the near term.

Compliance roles 

There are two key compliance roles that will be impacted by the UK's AI regulatory framework:

• First, regulators will need to: (i) have due regard for the framework and its principles when they introduce sector-specific regulation; and (ii) issue sector-specific guidance on how the cross-sectoral principles apply within their remit. Having due regard for the fact that the principles may eventually become a "statutory duty on regulators"¹⁴
• Second, AI actors across the life cycle of AI systems (including the design, research, training, development, deployment, integration, operation, maintenance, sale, use and governance phases) will have to comply with any sector-specific regulation introduced by the relevant regulators

Core issues that the AI Regulations seek to address

The White Paper identifies a range of high-level risks that the principles-based AI framework seeks to mitigate with proportionate interventions.¹⁵ These include:

• Risks to human rights (e.g., Generative AI may be used to create deepfake video content, potentially damaging the reputation, relationships and dignity of the subject) 
• Risks to safety (e.g., an AI system based on LLM technology may recommend a dangerous activity that it has found on the internet, without understanding or communicating the context of the website where the activity was described, potentially leading to physical harm)
• Risks to fairness (e.g., an AI tool assessing creditworthiness of loan applicants that is trained on incomplete or inaccurate data may result in the offer of loans to individuals on inappropriate terms)
• Risks to privacy and agency (e.g., connected devices in a household may continuously gather data —including conversations—and may potentially create a near-complete portrait of an individual's home life. Privacy risks will compound if more parties can access such data)
• Risks to societal well-being (e.g., disinformation generated and propagated by AI could undermine access to reliable information and trust in democratic institutions and processes)
• Risks to security (e.g., AI tools may be used to automate, accelerate and magnify the impact of highly targeted cyber-attacks, increasing the severity of the threat from malicious actors)

Risk categorization

The White Paper states that the UK's AI regulatory framework will adopt a context-specific approach instead of categorizing AI systems according to risk. Thus, the UK has decided to not assign rules or risk levels across sectors or technologies.  The White Paper also notes that it would be neither proportionate nor effective to classify all applications of AI in critical infrastructure as high risk, as some uses of AI in relation to critical infrastructure (e.g., the identification of superficial scratches on machinery) can be relatively low risk.  Essentially, the UK's context-specific approach to risk categorization is expected to allow regulators to respond to the risks posed by AI systems in a proportionate manner.¹⁸

The Response highlights the UK's continued commitment to a context-based approach "that avoids unnecessary blanket rules that apply to all AI technologies, regardless of how they are used", noting that such an approach is the "best way" to ensure an agile approach that stands the test of time.¹⁹

Key compliance requirements 

The White Paper establishes five cross-sectoral principles for existing regulators to interpret and apply within their respective domains:

Principle 1: Regulators should ensure that AI systems function in a robust, secure, and safe way throughout the AI life cycle, and that risks are continually identified, assessed and managed. 

To implement this principle, regulators will need to consider: 

• Providing guidance as to what good cybersecurity and privacy practices look like
• Referring to a risk management framework that AI life cycle actors should apply 
• The role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 2: Regulators should ensure that AI systems are appropriately transparent and explainable. To implement this principle, regulators will need to consider:

• Setting expectations for AI life cycle actors to provide information relating to: (a) the nature and purpose of the AI system in question; (b) the data being used; (c) the training data used; (d) the logic and process used; and (e) accountability for the AI system and any specific outcomes 
• Setting "explainability" requirements, particularly for higher-risk systems, to ensure appropriate balance between information needs for regulatory enforcement and technical trade-offs with system robustness 
• The role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 3: Regulators should ensure that AI systems are fair (i.e., they do not undermine the legal rights of individuals or organizations, discriminate unfairly against individuals, or create unfair market outcomes).

To implement this principle, regulators will likely need to: 

• Interpret and articulate what "fair" means with reference to their respective sectors 
• Decide in which contexts and instances fairness is important and relevant 
• Design, implement and enforce appropriate governance requirements for "fairness" in their respective sectors 
• Where a decision involving the use of an AI system has a legal or similarly significant effect on an individual, consider the suitability of requiring AI system operators to provide an appropriate justification for that decision to affected third parties 
• Ensure that AI systems comply with regulatory requirements relating to the vulnerability of individuals within specific regulatory domains 
• Consider the role of available technical standards to clarify regulatory guidance and support the implementation of risk treatment measures

Principle 4: Regulators should ensure there are governance measures in place to allow for effective oversight of the supply and use of AI systems, with clear lines of accountability across the AI life cycle. To implement this principle, regulators will likely need to:

• Determine who is accountable for compliance with existing regulation and the principles, and provide initial guidance on how to demonstrate accountability in relation to AI systems 
• Provide guidance on governance mechanisms including, potentially, activities in the scope of appropriate risk management and governance processes (including reporting duties) 
• Consider how available technical standards addressing AI governance, risk management, transparency and other issues can support responsible behavior and maintain accountability within an organization

Principle 5: Regulators should ensure that users, impacted third parties and actors in the AI life cycle are able to contest an AI decision or outcome that is harmful or creates a material risk of harm, and access suitable redress.

To implement this principle, regulators will need to consider:

• Creating or updating guidance with relevant information on where those affected by AI harms should direct their complaint or raise a dispute 
• Creating or updating guidance that identifies the "formal" routes of redress offered by regulators in certain scenarios 
• Emphasizing the requirements of appropriate transparency and "explainability" in interactions for effective redress and contestability

The Response notes that values and rules associated with human rights, operational resilience, data quality, international alignment, systemic risks and wider societal impacts, sustainability and education, and literacy are largely already enshrined in existing UK laws.

Regulators

The UK does not have a central AI regulator, and the White Paper indicates that there are no existing plans to establish a central AI regulator either.²⁰  As noted above, sector-specific regulators are expected to interpret and apply the principles-based AI framework within their respective domains. 

Enforcement powers and penalties 

Sector-specific regulators will need to ensure their regulations incorporate the principles of accountability and suitable redress with reference to the UK's principles-based AI framework.

_{1 See the White Paper (here).
2 See the Response (here).
3 See the White Paper (here), Section 3.2 (The proposed regulatory framework), and the Response (here), section 5 (A regulatory framework to keep pace with a rapidly advancing technology).
4 See the Response (here), paragraph 16.
5 See the Response (here), paragraph 109.
6 See the White Paper (here), paragraph 14.
7 See the Response (here), paragraph 15.
8 See the ICO's guidance on AI and Data Protection (here) and the Medicines & Healthcare products Regulatory Agency's roadmap (here).
9 See the Competition and Markets Authority initial review of AI Foundation Models (here).
10 See the Response (here), paragraph 14.
11 See the White Paper (here), Section 1.3 (A note on terminology) and Section 3.2.1 (Defining Artificial Intelligence).
12 See the White Paper (here), Part 5 (Territorial application).
13 See the Response (here), paragraph 78.
14 See the White Paper (here), paragraph 12.
15 See the White Paper (here), paragraph 25.
16 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 45.
17 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 45.
18 See the White Paper (here), Section 3.2.2 (Regulating the use – not the technology), paragraph 46.
19 See the Response (here), paragraph 11
20 See the White Paper (here), paragraph 15.}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}

Daniel Mair (Trainee Solicitor, White & Case, Paris) contributed to this publication.