The Government has proposed the DISD Bill which replaces the previously proposed Data Protection and Digital Information Bill (“DPDI”) introducing a variety of provisions that range from digital identity to data protection. Most notably, the proposal includes a new data preservation process with specific relevance in the context of Online Safety, which has been raised in the context of Ofcom’s (the UK’s online safety regulator) ongoing implementation of the UK’s Online Safety Act, as well as a framework to set up Smart Data schemes.

The DISD Bill reforms the current UK data protection regime and in some areas will diverge from the EU GDPR (e.g. regarding processing for research purposes, solely automated decision making, appointment of representatives, other substantive provisions and regarding the role and functions of the UK regulator - the Information Commissioner’s Office). For some aspects, this may give greater clarity or in fact raise the bar in terms of data protection compliance, but in others the regulatory compliance burden on organisations may be lessened. The Government will therefore need to walk a fine line to ensure that the UK’s reformed regime will not be seen to be too light touch on data protection such that it could put the European Commission’s adequacy decision (which allows personal data to pass freely from the EU to the UK) at risk.

This Bill was proposed in response to the increasing frequency and severity of cyber-attacks affecting entities in critical sections and their supply chains. The CSR Bill aims to address existing vulnerabilities and strengthen the UK’s defence against cyber threats by expanding the scope of the current cyber regulations, empowering regulators and increasing reporting requirements.

In the EU by comparison, the NIS directive is being superseded by the NIS 2 Directive. Having left the EU, the UK will not be implementing the NIS 2 Directive, NIS 2 entered into force on 16 January 2023 and should be brought into national law by EU Member States by 17 October 2024. The recent draft implementing regulation which will apply to entities such as cloud computing service providers, data centre providers, providers of online marketplaces, search engines and social network platforms, sets out technical and methodological requirements for risk management measures and the criteria for when an incident can be considered significant for those entities.

This Bill aims to preserve the UK’s status as a global leader in product regulation and aims to ensure a level playing field between high street and online marketplaces. It also pledges to support businesses and foster innovation whilst protecting consumers. 

Despite recent press reports, the Government has not committed to introducing AI-specific legislation in this Parliamentary session, but the Government has indicated that their priority is to specifically regulate the developers of the most powerful AI models. The UK at present has an AI Regulation Framework that draws on existing laws and regulations. 

By comparison, the EU has already brought into force (as of 1 August) the widely publicised EU AI Act, which establishes a regulatory and legal framework for the use of AI models and systems within the EU.