Tech - 2020 roundup

You can read our tech predictions for 2021 here. Looking back at 2020's legal and regulatory developments around tech, AI is the area that really stands out.

AI

Committee on Standards in Public Life report

The Committee on Standards in Public Life published a report and recommendations on AI and public standards in February. Recommendations include:

• establishing a single set of authoritative ethical principles for public sector use (rather than the three current sets) and creating user-friendly guidance
• requiring all public sector organisations to publish statements setting out how their use of AI will be legally compliant before starting to use it
• requiring the government to set procurement requirements which ensure private companies developing public sector AI solutions meet public standards
• introducing tools to help public bodies locate ethically compliant AI products and services.

EC White Paper on AI

The EC published a White Paper on AI as part of its Digital Package in March. The White Paper on AI presents policy and regulatory options to help create excellence and trust in AI. To achieve excellence, the EC proposes:

• setting up a new public-private partnership in AI and robotics
• strengthening and connecting AI research excellence centres
• having at least one digital innovation hub per Member State specialised in AI
• providing more equity financing for development and use of AI, with the help of the European Investment Fund
• using AI to make public procurement processes more efficient
• supporting the procurement of AI systems by public bodies.

To develop trust, the EC proposes:

• new legislation on AI which should take a risk-based approach, it should be effective but not limit innovation
• requiring high-risk AI systems to be transparent, traceable and under human control
• allowing authorities to check AI systems, just as they check cosmetics, cars or toys
• ensuring unbiased data sets
• launching an EU-wide debate on the use of remote biometric identification (eg facial recognition).

Contrary to expectation, the EU has not proposed a ban on the use of facial recognition technology. High-risk AI will be subject to strict rules including compliance tests, controls and sanctions. High-risk AI covers AI used in critical sectors of healthcare, transport, the police and the legal system, or where the use of AI is critical in that it has legal effects or carries a risk of death, personal injury or damage.

In terms of regulatory plans, the EC intends to build on existing frameworks in order to cover the most significant risks associated with the use of AI (including personal data and privacy protection and non-discrimination) as well as safety and liability issues.

The EC also published a report on safety and liability implications of AI, IoT and robotics. It concluded that current product safety legislation already confers a high degree of protection in terms of the safety risks of using AI, IoT devices and robotics. It does, however, think that provisions explicitly covering new risk created by emerging digital technologies may be required to provide greater legal certainty.

OECD observatory for AI

In March, the Organisation for Economic Co-operation and Development (OECD) launched a new policy observatory to collate information from around the world about AI policies and initiatives. The database will be searchable and it is hoped that it will inform policy-making and help develop best practice.

ICO and Alan Turing Institute guidance on AI processes and decisions

The ICO, working with the Alan Turing Institute, published guidance to help organisations explain the processes, services and decisions made or assisted by AI to the individuals those decisions impact. The guidance which runs to 136 pages, is divided into three sections. Their relevance will partly depend on the level of expertise of the reader:

• The basics of explaining AI – this is aimed at DPOs and compliance teams. It outlines a number of different types of explanations and will be relevant to all staff involved in developing AI systems.
• Explaining AI in practice – this is aimed at technical teams and helps with the practicalities of explaining decisions and providing expectations to individuals. It is intended primarily for technical teams but may also be useful for the DPO and compliance team.
• What explaining AI means for your organisation – this is aimed at senior management and goes into the various roles, policies and procedures that an organisation can set up to provide meaningful explanations to individuals. Again, the DPO and compliance team may also find it useful.

The guidance focuses on GDPR and DPA18 compliance with rules on automated processing for decision making and use of profiling. It also touches on other relevant laws which organisations may need to consider when using AI to make decisions about individuals.

UK public procurement guidelines for AI

In June, the UK government has issued new procurement guidelines to help inform and empower buyers in the public sector to evaluate suppliers and responsibly procure AI technologies for citizens.

EC AI risk-assessment checklist

The EC published a risk-assessment checklist for trustworthy AI, as a word document and an online tool in July. It puts the Commission's 2019 ethics guidelines into practical terms.

ICO guidance on AI and data protection

The ICO published guidance on AI and data protection as part of its framework for auditing AI in August. The guidance was jointly developed by the ICO's AI team and Reuben Binns and is intended to help organisations understand how data protection principles will apply to the development and use of AI systems. It is considerably more digestible (and higher level) than the ICO guidance produced with the Alan Turing Institute on Explaining Decisions made with AI, but it is aimed at similar audiences – DPOs, general counsel, risk managers, senior management and technology specialists. The guidance does not look at AI ethics but at how to ensure the data protection principles are observed when developing and using AI which processes personal data.

IPO consultation on intellectual property and AI

In September, the IPO published a consultation on how IP relates to AI and on future policy developments in the area.

US and UK sign cooperation declaration on AI

The US and the UK signed a declaration of cooperation on research and development relating to AI. They have agreed to:

• review and optimise cooperation under current frameworks
• set priorities for future cooperation
• coordinate planning in areas of collaboration and partnership
• promote research and development relating to AI including a promise to try and prevent authoritarian and oppressive regimes from using it.

EP legislative initiatives and report on AI

The European Parliament adopted two legislative initiatives and a report on AI in October. The legislative initiative on an Ethics Framework for AI urges the Commission to adopt a human-centric approach to a legal framework for AI and robotics, including software, algorithms and data. The legislative initiative on liability for AI causing damage calls for operators of high-risk AI to be held strictly liable for any damage. The report focuses on IPRs in AI and calls for safeguards in the EU's patent system to protect innovative developers but also protections for human developers. AI should not have legal personality so ownership of IPRs should only be grated to humans. A legislative proposal from the Commission is expected early in 2021.

AEVs (UK)

Government consultation on smarter and greener transport

The government launched a consultation to make journeys easier, smarter and greener through new technology as part of the Future of Transport regulatory review. The review is accompanied by £90m funding to support trials of new transport innovation.

The CMA launched a market study into charging infrastructure in December.

Law Commission analysis of responses to second consultation on driverless cars

In June, the Law Commissions of England and Wales, and Scotland, published responses to their second consultation on regulatory changes which may be needed to allow the introduction of driverless cars. There is considerable support for a single national system for licensing operators of automated passenger services and for a lighter regime to regulate private vehicles. The view is that legal responsibility for private driverless cars should be on the registered keeper with the duties transferred to a lessee where appropriate. A third consultation will bring together proposals relating to safety assurance and operator licensing and also consider corporate liability and access to data. A final report with recommendations for new legislation will be published in 2021.

Internet of Things (IoT)

IoT devices to face new regulation in the UK and scrutiny in the EU

IoT devices were the subject of UK and EU initiatives launched in July.

The UK's focus is on cybersecurity with the announcement of a call for views on a proposed new law to help protect users of smart devices from cyberattack.

The proposals, drawn up by the DCMS and NCSC, are in line with European standards and focus on:

• the need for unique device passwords which cannot be reset to universal factory settings
• the requirement for manufacturers to provide a public point of contact for anyone seeking to report a security vulnerability
• the need to provide customers with information stating the minimum length of time for which the device will receive security updates.

The government is also intending to comply with product safety standards and intends the legislation will:

• prohibit "producers" (including manufacturers and importers) from supplying or making a product in scope available on the market unless it meets security requirements
• place a duty of care on distributors (which includes retailers and online marketplaces) to only supply or make available in-scope products which meet the security requirements.

Feedback on proposals for enforcement will shape the eventual regime.

The EC is focusing more on use of data and competition issues and launched a sector inquiry into the consumer internet of things. The Commission is concerned that wearables and home smart devices collect significant amounts of data, including personal data, which might contribute to market power. The Commission suggest there are indications that companies in this sector are distorting competition by restricting access to data and interoperability, using self-preferencing practices and proprietary standards which create barriers to entry and innovation. A report will be published for consultation in spring 2021 with a final report following in summer 2022.