s the balance right with the UK's pro-innovation AI White Paper?
Recently, discussions on the race to develop Artificial Intelligence ("AI") – ranging from Elon
Musk and Steve Wozniak's proposed six-month moratorium on training AI systems to Bill
Gates' call for establishing "rules of the road" so that the benefits of AI exceed its risk
appetency – have dominated international debate. Against this backdrop, the UK
Government ("Government") set out its current position in the race by publishing a white
paper titled "A pro-innovation approach to AI regulation" ("White Paper"), detailing a
proposed 'light touch' framework which seeks to balance regulation with spurring
responsible AI innovation. However, more recent announcements by the Prime Minster,
Rishi Sunak, may result in a re-assessment of this strategy, largely driven by the
accelerated growth of generative AI and an awakening to the significant impact this may on
our lives and the economy.
This insight will provide an overview of the features of the proposed framework set out in
the White Paper (the "Framework").
Background
The White Paper is based on the original premise that a principle based framework will
ensure that the "…UK [is] on course to be the best place in the world to build, test and use
AI technology…" (Rt Hon Michelle Donelan MP, Secretary of State for Science, Innovation
and Technology). Fundamentally, it is based on existing regimes – it is in lieu of new
legislation, and it does not amend the scope of existing legislation which relates to AI (e.g.
data protection laws). According to the Government, the use of existing legislative regimes
(coupled with proportionate regulatory intervention) will result in a future-proof framework
that can be adapted according to AI trends, opportunities and risks. Whether this approach
is retained after the current consultation remains to be seen.
Diverging approach – UK vs EU
In contract to the light touch principles based approach in the White Paper, the EU is over 2
years into the process of agreeing a detail and prescriptive AI regulation (the "AI Act"). The
AI Act is designed to regulate AI systems based on their level of risk to humans, prohibiting
the use of particularly harmful AI systems, introducing stringent controls for "high-risk" AI,
and imposing moderate transparency requirements for "low-risk" AI. Its granularity and
detail is very similar to that under the General Date Protection Regulation.
Irrespective of the path ultimately to be taken by the UK, there are separate regimes on the
horizon for the UK, EU and the rest of the world. Therefore, it is critical that businesses
developing and offering AI products and systems, and those implementing AI into their
operations, are aware of how the proposed rules will apply. Understanding the diverging
regimes will be important in developing commercial approaches and preparing for
compliance.
Deep dive
What does the Framework aim to achieve?
In light of the UK's ambition to become a science and technology superpower, the
Framework aims to be an instrumental tool in "…getting regulation right…" so that
international businesses feel confident in investing, and retaining their investment, in the
UK. It aims to increase prosperity and growth in AI markets by removing barriers to
innovation, augment public trust in AI systems to drive up AI adoption, and reinforce the
UK's position as a global leader in AI.
�The White Paper also notes that the Government wants to ensure that UK businesses
benefit from global AI opportunities by managing cross-border risks in AI supply chains.
What is the territorial scope and ambition of the Framework?
The Framework will apply to those developing, deploying and using AI systems across the
UK, irrespective .
What doesn't the Framework cover, and why?
The Framework does not address all societal and global challenges associated with using
and developing AI systems, such as data access and sustainability.
The Framework does not cover the allocation of liability during the AI life cycle. According to
the White Paper, it would be premature at this stage to conclude on the topic of liability "…
as it's a complex, rapidly evolving issue…", which requires careful manoeuvring so as to not
disrupt the UK's AI ecosystem.
What AI does it apply to?
The Framework does not provide an oven-ready definition of AI. Instead, it describes AI by
reference to "adaptivity" and "autonomy", features that are baked into the functionality of AI
systems. It is designed to regulate the use – or in other terms, the outcomes – of AI
systems, as opposed to regulating the technology itself. In summary:
Adaptivity refers to AI systems' ability to perform new forms of inference that are not
predicted by their human programmers, in turn making it challenging to explain the
logic of the AI systems' output.
Autonomy refers to AI systems' ability to make decisions without the direct intent or
control of a human, leading to difficulties in allocating responsibility for AI systems'
resulting outcomes.
Whilst this approach should avoid the application of a rigid definition, such a broad and
flexible approach may lead to inconsistencies between regulators who could, in pure
isolation, interpret the features according to the specificities of their respective industries.
The Government recognises this potential pitfall and has put forward a concoction of
supporting inter-regulator coordination and centralised monitoring.
A principles-based approach
The Framework is based on a set of cross-sectoral principles ("Principles") that aim to
encourage responsible AI design, development and use. The use of these Principles is
intended to deliver a consistent and proportionate application of the Framework, whilst
affording regulators with a degree of flexible interpretation.
Since our insight on the DCMS AI Policy Statement, the Principles embedded in the
Framework have been "…updated and strengthened…". The Principles now consist of:
Safety, security and robustness: AI systems should operate "…in a robust, secure
and safe way throughout the AI life cycle…", especially in light of the autonomous
nature of AI decision-making. Risks present at each stage of the AI life cycle should
be spotted, assessed and managed.
Appropriate transparency and explainability: Transparency is defined as the
provision of appropriate information on AI systems (e.g. the purpose of the AI
system, how and when it will be used) to the relevant parties. Explainabilty relates to
a relevant party's ability to access and understand the decision-making rationale of
an AI system.
Fairness: Fairness pertains to protecting the legal rights of individuals and
organisations. AI systems should not weaken these legal rights, nor should they
� result in discriminatory market outcomes. For example, errors in an AI-generated
credit score can negatively affect an individual's livelihood.
Accountability and governance: Governance measures should be implemented to
oversee the supply and use of AI systems, and lines of accountability should be
clearly demarcated throughout the AI life cycle.
Contestability and redress: Affected third parties and actors within the AI life cycle
should be able to make a complaint about or contest AI that creates harm or a
material risk of harm.
Who will regulate compliance?
Instead of establishing a standalone body for AI regulation, the White Paper proposes to
enhance the remit and capacity of existing regulators to develop a sector-specific, principle-
centered approach. Authorities such as the ICO, CMA, FCA, Ofcom, Health and Safety
Executive, and the Human Rights Commission will need to adhere to Principles to foster
trust and clarify guidelines for innovation.
Regulatory coordination, collaboration and centralisation
As the Framework is in lieu of a standalone piece of cross-sectoral AI regulation, there is
uncertainty as to how the Framework will effectively work within the perimeters of "… a
complex patchwork of legal requirements…". Without coordination, regulatory burdens on
businesses could grow, leading to small players struggling to compete, market and public
confidence in AI deteriorating, and innovation being stunted. In order to overcome this, the
Government has proposed greater coordination at the central and regulator level to ensure
that the Framework does function in a "cross-cutting, principles-based" manner.
The government plans to offer centralized support for monitoring and evaluating the new AI
regime, identifying barriers and inconsistencies, predicting emerging AI risks, fostering AI-
focused sandboxes, promoting AI education for businesses and consumers, and
maintaining compatibility with international frameworks. Although it's unclear which entity
will fulfil this role, initial indications suggest responsibility will sit with governmental,
potentially evolving into an independent regulator dedicated to AI in the future.
Adaptability
In practice, not all of the Principles will be relevant to a particular context and in some
instances the Principles may come into conflict. In instances of conflict, regulators will be
able to prioritise certain Principles in line with the White Paper's context-driven approach.
The Government may adapt the Framework in the future should regulators find certain
Principles irrelevant.
The Government may also adapt the Framework in light of the fact that some sectors, such
as the AI-enabled military sector, already have their own principles which go beyond the
scope of the Principles (e.g. The Ministry of Defence published its own AI strategy in June
2022).
Complementary tools
The Framework will not operate in isolation, it puts forward a range of complementary tools:
Regulatory sandbox for AI: a one-stop-shop for regulators to test the Framework,
identify technology and market trends that may change the Framework, and assist
innovators in getting their products to the market quicker.
Assurance techniques: processes such as impact assessments, audits and
performance testing will be used to assess and determine AI systems'
trustworthiness.
� Technical standards: standards that can be applied uniformly across sectors will be
used, such as safety and robustness, bias, and risk management. Regulators may
also use these standards as a benchmark, and integrate them into sector-specific
guidance.
Next steps in the consultation
The consultation under the White Paper is now closed (21 June 2023) and within the next 6
months we should expect a more detailed response and potential guidance on the
implementation of the White Paper principles and proposed framework. However, there is
significant scope for the approach to change, and plenty of political talk of more
internationally coordinated approaches.
Other regulatory developments to be aware of
A number of other regulatory developments in the UK, the EU and other jurisdictions will
also affect the development, use and rollout of AI systems. Impacted businesses must
therefore understand how these may affect their current and future AI endeavours. These
developments include (but are not limited to):
The EUs AI regulation setting out the blocks current detailed framework for the
regulation of AI.
The EU's Data Governance Act – which will provide more opportunities and structure
in regard to data sharing, and also relevant parts of the Digital Services Act, Data Act
and Cyber Reliance Act.
The EU's Artificial Intelligence Liability Directive – an EU proposal that will provide
uniformity in rules for non-contractual civil liability for damage caused with AI
involvement.
The UK's Data Protection and Digital Information Bill - set to change (among other
things) the rules on how personal data is processed by automated systems
automated processing regulation. Our data protection bulletin (published regularly
on our hub here) is tracking the progress of this new legislation.
Canada's proposed Artificial Intelligence and Data Act – which would establish
common requirements for the design, development, and use of artificial intelligence
systems, including measures to mitigate risks of harm and biased output. It would
also prohibit specific use of AI systems that may result in serious harm to individuals
or their interests.
US State Bills and Federal AI laws – there are a number of laws and regulatory
orders on the cards in the US, including the Federal Trade Commission's expansion
of its rulemaking into AI enforcement. To date there have been over 40 bills
introduced across US States that would regulate in some way the use or deployment
of AI. In June 2023, U.S. senators introduced two separate bipartisan artificial
intelligence bills amid growing interest in addressing issues surrounding AI
technology.
AI Providers must also consider non-legal regulation which may influence AI Systems such
as AI assurance frameworks, and regulatory guidance.
What you should be doing now in preparation
Whilst the regulatory frameworks in the UK and EU, and around the world, are yet to be
finalised, there is sufficient information and common themes for organisation to implement
steps to prepare for new requirements that lay ahead. In fact, making headway on these
now will almost certainly ease the compliance burden down the line. Actions to consider
include:
� develop an AI asset register – knowing where and how AI is used in your
organisation will enable you to assess risks and implement policies and compliance
requirements;
implement policies that govern how AI should be developed or implemented. These
should address how to manage risks such as bias, dataset integrity, and
transparency;
carry out and document risk assessments, in particular where the AI could
present higher risks. Start building these into standard operating procedures (in the
same way data protection impact assessments are implemented);
establish an AI governance body – if AI is, or will, form a key part of your product
portfolio, or internal operations, establish a governance structure to guide the
business and act as the gatekeeper; and
track legislative progress so you keep up to date with developments. When AI is
becoming deeply embedded in your organisation, you need to plan well ahead.
Our concluding thoughts
Whilst the Framework's pro-innovation stance is intended to provide flexibility in how the
use of AI is controlled in the UK, the fact that the Framework has to operate within a
patchwork of regulations may create gaps that are in practice, too burdensome and
complicated to effectively fill. The White Paper's inclusion of complementary tools and
centralised functions appear to be helpful in addressing this concern (if implemented
properly by regulators), however such a wide range of regulator tools and partly centralised
mechanisms might lead to confusion if coordination and collaboration are not encouraged to
the extent required to affect any meaningful change on the UK's AI regulatory landscape.
We eagerly await the outcome from the consultation on the White Paper and look forward to
providing an update on the UK's approach in due course.
