The UK Government recently published its AI Governance and Regulation: Policy Statement (the “AI Statement”) setting out its proposed approach to regulating Artificial Intelligence (“AI”) in the UK. The AI Statement was published alongside the draft Data Protection and Digital Information Bill (see our blog post here for further details on the Bill) and is intended to live alongside the Government’s post-Brexit data protection reforms. The Statement builds on the UK Government’s ten-year National AI Strategy (as detailed in our blog post here) and includes a call for views and evidence that closes on 26 September.

Unlike the EU’s cross-sector AI Act, which is currently making its way through the legislative process (see our post on the proposed Regulation here), the AI Statement does not propose introducing a new standalone regulatory framework for AI. The UK Government notes that it does not think it is currently necessary to introduce legislation on AI; rather, it envisages adopting a set of high-level AI principles to be developed and implemented by sectoral regulators. Regulators will be asked to consider guidance or voluntary measures in the first instance, and the UK Government will keep this non-statutory approach under review.

Scope – defining AI

The AI Statement does not put forward a universally applicable definition of AI, and instead suggests two broad characteristics that would put an AI system within the scope of regulation:

  • Adaptive systems that operate on the basis of instructions and “have not been expressly programmed with human intent”, highlighting in particular the difficulties in explaining the logic or intent by which an output has been produced; and
  • Autonomous systems that can operate in dynamic environments by automating complex tasks and making decisions without the ongoing control of a human, highlighting the challenges of assigning responsibility for actions taken by AI systems.

The UK Government hopes that this approach can be as flexible as the technology requires and regulators will be able to develop a more granular and bespoke definition of AI within each sector.

Cross-sectoral AI principles

The AI Statement identifies several key challenges the Government will seek to address as part of its approach to regulating AI: lack of clarity over how the UK’s existing laws apply to AI; inconsistency between the powers of regulators to address the use of AI within their remit; and current and future AI risks not being adequately addressed by existing legislation. The AI Statement confirms that the UK is heading towards a sector-based approach for AI regulation, and asserts that regulators are best placed to shape the approach for their area of expertise. The intention is that AI regulation should be context-specific, and that interventions are based on “real, identifiable, unacceptable levels of risk” so as not to stifle innovation.

Acknowledging that there’s less uniformity in a cross-sectoral approach, the AI Statement proposes that all regulation of AI systems be subject to six overarching principles to ensure coherence and streamlining. The six principles are based on the OECD’s Principles on AI (as previously discussed on this blog) and demonstrate the UK’s commitment to them:

  1. Ensure that AI is used safely
  2. Ensure that AI is technically secure and functions as designed
  3. Make sure that AI is appropriately transparent and explainable
  4. Embed considerations of fairness into AI
  5. Define legal persons’ responsibility for AI governance
  6. Clarify routes to redress or contestability

These principles will be interpreted and implemented by existing regulators. The AI Statement notes that in considering the roles, powers, remits and capabilities of regulators, the Government will work with a broad selection of regulators, such as the Information Commissioner’s Office (“ICO”), the Competition and Markets Authority (“CMA”), Ofcom, the Medicine and Healthcare Regulatory Authority (“MHRA”) and the Equality and Human Rights Commission (“EHRC”). Importantly, the Government will consider whether there is a need to update the powers and remits of these regulators so that they can apply this new regime, noting at the same time that neither equal powers for regulators nor a uniform approach is necessary.

Next steps

In addition to the AI Statement, the Government published its AI Action Plan, rounding up actions taken and planned to deliver the UK’s National AI Strategy. The plan confirms that a white paper on AI governance will be published towards the end of this year along with a public consultation. The call for views that forms part of the AI Statement will be open until 26 September.

* * * *

Covington regularly advises the world’s top technology companies on their most challenging regulatory, compliance, and public policy issues in the UK and other major markets. We are monitoring the UK’s developments very closely and will be updating this site regularly – please watch this space for further updates.

Marianna Drake

Marianna Drake counsels leading multinational companies on some of their most complex regulatory, policy and compliance-related issues, including data privacy and AI regulation. She focuses her practice on compliance with UK, EU and global privacy frameworks, and new policy proposals and regulations relating to AI and data. She also advises clients on matters relating to children’s privacy, online safety and consumer protection and product safety laws.

Her practice includes defending organizations in cross-border, contentious investigations and regulatory enforcement in the UK and EU Member States. Marianna also routinely partners with clients on the design of new products and services, drafting and negotiating privacy terms, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of AI technologies.

Marianna’s pro bono work includes providing data protection advice to UK-based human rights charities, and supporting a non-profit organization in conducting legal research for strategic litigation.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Lisa Peets

Lisa Peets is co-chair of the firm’s Technology and Communications Regulation Practice Group and a member of the firm’s global Management Committee. Lisa divides her time between London and Brussels, and her practice encompasses regulatory compliance and investigations alongside legislative advocacy. For more than two decades, she has worked closely with many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU and UK legal frameworks affecting technology providers, including data protection, content moderation, artificial intelligence, platform regulation, copyright, e-commerce and consumer protection, and the rapidly expanding universe of additional rules applicable to technology, data and online services.

Lisa also supports Covington’s disputes team in litigation involving technology providers.

According to Chambers UK (2024 edition), “Lisa provides an excellent service and familiarity with client needs.”

Tomos Griffiths

Tomos Griffiths is an associate working across the technology regulatory and competition groups in London.

Tomos joined the firm as a trainee solicitor in 2021, qualifying in 2023. His practice covers technology regulation, competition law, and regulation that spans the two. His recent experience includes advising clients on data protection compliance, foreign direct investment screening, and competition law litigation.

As a trainee solicitor, Tomos also gained experience in capital markets and commercial litigation for clients in the technology and life sciences sectors.