Recent developments in AI regulation make it clear that the
burden, and risk, of regulating this exciting but difficult new
area in the UK will fall squarely on existing sectoral regulators
for now, including those regulators who will not necessarily have
significant technical expertise in this high-tech space.
We look at some of those developments and consider the
difficulties for regulators, and the implications for those subject
to regulation who need to keep a close eye on their regulator(s) in
this context over coming months.
Regulators’ role in broader AI regulation
In stark contrast to the recent EU AI Act, the UK
Government’s response to its AI Regulation White Paper made it
clear that, at least for now, a light touch sector-led
pro-innovation approach remains the favoured course (see our more
detailed blog post here). It placed existing regulators front and
centre of this approach. Multiple sectoral regulators, including
the CMA, FCA, Ofcom, Ofgem, ONR, HSE and others, have been tasked
with outlining their strategic approach to AI by the end of April.
In addition to outlining steps they are already taking in line with
the principles-based approach set out by the Government, they
should also be analysing AI-related risks in their sectors,
considering their own current capability to address AI and
producing a forward looking plan for the next 12 months. This is
quite a task in a short timeframe if regulators have not yet
engaged fully with the impact AI may have in their area.
To assist, the Department for Science, Innovation &
Technology (“DSIT“) has produced its own
initial guidance to regulators on Implementing the
UK’s AI Regulatory Principles. It sets out considerations to
which regulators may wish to have regard when developing their own
tools and guidance on AI, but is not intended to be prescriptive as
issues are ultimately left to regulators’ discretion. DSIT
notes that it will perform some centralised functions, including
supporting coherence across regulators and reviewing potential
gaps. However, DSIT is clear that it will not be taking
responsibility for regulation – it remains the responsibility
of regulators to develop their own guidance and they are trusted to
know their remits best.
Regulators are told they can establish published policy
material, in respect of AI, that is consistent with their
respective regulatory objectives, setting out clearly and concisely
the outcomes regulators expect, so that regulated firms can meet
these expectations through their actions. They should consider the
nature and the severity of AI risk in the context and the
audience(s) they are targeting. They should also be considering
relevant guidance published by other regulators.
Ofcom has already published its strategic approach to AI and is probably the
regulator most familiar with this area given its technology focus.
It supports the Government’s high level AI principles and
explains that its focus is on the outcomes for consumers and
markets rather than the underlying technology used. Ofcom sees
potential AI issues in a number of areas it already regulates,
giving the Online Safety Act as a recent high-profile example.
However even for Ofcom, which has in house technical expertise
(including AI experts) and which has clearly already spent time
considering AI, the document is fairly generic. The only real
direction to industry is an encouragement to adopt and embrace the
AI principles where possible and maintain open dialogue.
Other regulators, whose employees may be technical experts in
their particular sector but who do not have a technology focus, are
now being expected to turn their hands to something completely new,
with only generalised high-level guidance from DSIT. It will be
interesting to see what level of detail regulators are able to
produce in their own tools and guidance over coming months, with
the expectation being that their guidance will be similarly high
level and principles based so as not to stifle the innovation and
agility championed by Government.
For those subject to such regulation, and themselves getting to
grips with AI, there is a risk that they are expected to meet
uncertain and untested standards. If and when any real detail
emerges, it seems likely that there will be variations in the
approaches taken by different regulators, which may result in
discrepancies in regulation between sectors. For organisations who
fall within the remit of more than one regulator, it may prove
impossible to comply with competing regulatory approaches. Those
subject to sectoral regulation should consider ongoing dialogue and
engagement with their regulator as they develop their own use of
AI.
As with all regulatory guidance, the risk of challenge by way of
judicial review will hang over the regulators, and be a potential
tool for the organisations they supervise, to ensure that
development of this new area of regulation takes place fairly and
in accordance with the necessary protections and safeguards that
public law principles provide. Whereas regulators can often feel
confident that their expert decision making in their particular
area will be given due deference by the courts in judicial review,
the same may not be true of their attempts to make decisions
regulating the use of technology of which they might have only a
limited level of experience and knowledge.
Public sector use of AI
At the same time, regulators and the broader public sector have
to practice what they preach in terms of their own use of AI.
Earlier this year, the Government published the Generative AI Framework for HM Government. It
seeks to guide public sector organisations in their use of
generative AI, containing both abstract advice (its second
principle is that civil servants use generative AI lawfully,
ethically and responsibly) and technical detail on how generative
AI models work.
Members of this team have previously considered some of the
legal risks of the use of generative AI by public bodies in an
expert Q&A for Practical Law, available here.
The 2024 Framework replaces earlier, briefer guidance to civil
servants on the use of generative AI, which was quite limited in
scope, and seemed primarily aimed at civil servants using
generative AI on an ad hoc basis, to assist them with tasks such as
drafting policy papers. The 2024 Framework is more expansive,
covering not only ad hoc use but also the use of generative AI in
larger projects to increase productivity, reflecting the expected
increase in use of AI in the public sector going forward. Indeed,
recent reports from both the National Audit Office and the Turing
Institute indicate there is already notable use of AI in the public
sector.
The 2024 Framework sets out 10 broad principles for the use of
generative AI as follows:
- Principle 1: know what generative AI is and what its
limitations are. - Principle 2: use generative AI lawfully, ethically and
responsibly. - Principle 3: know how to keep generative AI tools secure.
- Principle 4: have meaningful human control at the right
stage. - Principle 5: understand how to manage the full generative AI
lifecycle. - Principle 6: use the right tool for the job.
- Principle 7: be open and collaborative.
- Principle 8: work with commercial colleagues from the
start. - Principle 9: have the skills and expertise that you need to
build and use generative AI. - Principle 10: use these principles alongside your
organisation’s policies and have the right assurance in
place.
Of these, the most relevant for holding public bodies to account
using public law are Principles 2 and 4. Principle 2 touches on
some of the significant risks in the use of generative AI in
decision-making, including fairness, discrimination and
accountability. Principle 4 states that an appropriately trained
and qualified person needs to review AI tool outputs, and that
there needs to be validation of all decision making that generative
AI outputs have fed into. These requirements tie into
accountability and transparency – there needs to be human
review to ensure that there is human accountability for the
decisions taken, and, at a minimum, the system needs to be
transparent to those conducting that review.
On the crucial issue of transparency, the government has
announced that the Algorithmic Transparency Recording Standard
(ATRS) will become mandatory for government
departments, with a further roll-out to other public sector
organisations in due course. This should significantly improve
transparency, but it is improving from a poor starting point, as
the ATRS has not been widely used in its voluntary phase. Greater
transparency should allow greater scrutiny from society as a whole,
and those specifically affected by the use of AI in their
interactions with public bodies. For example, the Advertising
Standards Authority has publicised its increasing use of AI and
plans to scale this use up significantly in its monitoring and
compliance work. This level of visibility should be standard
practice for regulators. On a similar theme, the Cabinet Office has
also released a separate note on improving transparency of AI use in
procurement, again aimed at public bodies.
Comment
The UK seems to be sticking to its approach of avoiding
centralised specialist regulation of AI for now, but of course some
structure and certainty is needed as both technological
developments, and public interest and concern, grow at pace.
Existing sectoral regulators appear to be the identified answer to
this conundrum. Often already under resourced and with enough on
their plates, they are now being asked to do a great deal more in a
new area with only rather generalised guidance to assist and direct
them. The capacity for inconsistency across sectors, or more
concerningly, rushed and unclear guidance, is clearly significant
and may pose real challenges to commercial organisations operating
in those areas who want to take advantage of the opportunities
presented by AI.
At the same time expectations around responsible and transparent
use of AI by regulators themselves, and other public bodies, are
becoming more prescriptive. Regulators may think they are caught
between a rock and a hard place, having to take an innovative and
agile approach to regulating others’ use of AI but being held
to high standards and needing to be cautious themselves about using
such developments to aid their own functions and ever-increasing
workloads.
Those subject to regulation in these areas should be keeping a
close eye on their regulator, not only for the strategic plans they
produce to govern use of AI in their sectors, but also to ensure
they are complying with their own obligations.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
#Eyes #Regulators #Age #Dawns #Technology
