In recent weeks, the U.K. government has been trying to cultivate an image of itself as an international mover and shaker in the nascent field of AI safety — dropping a flashy announcement of an upcoming summit on the topic last month, along with a pledge to spend £100 million on a foundational model task force that will do “cutting-edge” AI safety research, as it tells it.
Yet the self-same government, led by U.K. prime minister and Silicon Valley superfan Rishi Sunak, has eschewed the need to pass new domestic legislation to regulate applications of AI — a stance its own policy paper on the topic brands “pro-innovation.”
It is also in the midst of passing a deregulatory reform of the national data protection framework that risks working against AI safety.
The latter is one of several conclusions by the independent research-focused Ada Lovelace Institute, a part of the Nuffield Foundation charitable trust, in a new report examining the U.K.’s approach to regulating AI that makes for diplomatic-sounding but, at times, pretty awkward reading for ministers.
The report packs a full 18 recommendations for leveling up government policy/credibility in this area — that is, if the U.K. wants to be taken seriously on the topic.
The Institute advocates for an “expansive” definition of AI safety — “reflecting the wide variety of harms that are arising as AI systems become more capable and embedded in society.” So the report is concerned with how to regulate harms that “AI systems can cause today.” Call them real-world AI harms. (Not with sci-fi-inspired theoretical possible future risks, which have been puffed up by certain high-profile figures in the tech industry of late, seemingly in a bid to attention-hack policymakers.)
For now, it’s fair to say Sunak’s government’s approach to regulating (real-world) AI safety has been contradictory — heavy on flashy, industry-led PR claiming it wants to champion safety but light on policy proposals for setting substantive rules to guard against the smorgasbord of risks and harms we know can flow from ill-judged applications of automation.
Here’s the Ada Lovelace Institute dropping the primary truth bomb:
The UK Government has laid out its ambition to make the UK an “AI superpower,” leveraging the development and proliferation of AI technologies to benefit the UK’s society and economy, and hosting a global summit in autumn 2023. This ambition will only materialise with effective domestic regulation, which will provide the platform for the UK’s future AI economy.
The report’s laundry list of recommendations goes on to make it clear the Institute sees a lot of room for improvement on the U.K.’s current approach to AI.
Earlier this year, the government published its preferred approach to regulating AI domestically — saying it didn’t see the need for new legislation or oversight bodies at this stage. Instead the white paper offered a set of flexible principles the government suggested existing, sector specific (and/or cross-cutting) regulators should “interpret and apply to AI within their remits.” Just without any new legal powers or extra funding for also overseeing novel uses of AI.
The five principles set out in the white paper are safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. All of these sound fine on paper — but paper alone clearly isn’t going to cut it when it comes to regulating AI safety.
The U.K.’s plan to let existing regulators figure out what to do about AI with just some broad-brush principles to aim for and no new resource contrasts with that of the EU where lawmakers are busy hammering out an agreement on a risk-based framework that the bloc’s executive proposed back in 2021.
The U.K.’s shoestring budget approach of saddling existing, overworked regulators with new responsibilities for eyeing AI developments on their patch without any powers to enforce outcomes on bad actors doesn’t look very credible on AI safety, to put it mildly.
It doesn’t even seem a coherent strategy if you’re shooting for being pro-innovation, either — since it will demand AI developers consider a whole patchwork of sector-specific and cross-cutting legislation, drafted long before the latest AI boom. Developers may also find themselves subject to oversight by a number of different regulatory bodies (however weak sauce their attention might be, given the lack of resource and legal firepower to enforce the aforementioned principles). So, really, it looks like a recipe for uncertainty over which existing rules may apply to AI apps. (And, most probably, a patchwork of regulatory interpretations, depending on the sector, use case and oversight bodies involved, etc. Ergo, confusion and cost, not clarity.)
Even if existing U.K. regulators do quickly produce guidance on how they will approach AI — as some already are or are working to — there will still be plenty of gaps, as the Ada Lovelace Institute’s report also points out — since coverage gaps are a feature of the U.K.’s existing regulatory landscape. So the proposal to just further stretch this approach implies regulatory inconsistency getting baked in and even amplified as usage of AI scales/explodes across all sectors.
Here’s the Institute again:
Large swathes of the UK economy are currently unregulated or only partially regulated. It is unclear who would be responsible for implementing AI principles in these contexts, which include: sensitive practices such as recruitment and employment, which are not comprehensively monitored by regulators, even within regulated sectors; public-sector services such as education and policing, which are monitored and enforced by an uneven network of regulators; activities carried out by central government departments, which are often not directly regulated, such as benefits administration or tax fraud detection; unregulated parts of the private sector, such as retail.
“AI is being deployed and used in every sector but the UK’s diffuse legal and regulatory network for AI currently has significant gaps. Clearer rights and new institutions are needed to ensure that safeguards extend across the economy,” it also suggests.
Another growing contradiction for the government’s claimed “AI leadership” position is that its bid for the country to become a global AI safety hub is being directly undermined by in-train efforts to water down domestic protections for people’s data — such as by lowering protections when they’re subject to automated decisions with a significant and/or legal impact — via the deregulatory Data Protection and Digital Information Bill (No. 2).
While the government has so far avoided the most head-banging Brexiteer suggestions for ripping up the EU-derived data protection rulebook — such as simply deleting the entirety of Article 22 (which deals with protection for automated decisions) from the U.K.’s General Data Protection Regulation — it is nonetheless forging ahead with a plan to reduce the level of protection citizens enjoy under current data protection law in various ways, despite its new ambition to make the U.K. a global AI safety hub.
“The UK GDPR — the legal framework for data protection currently in force in the UK — provides protections that are vital to protecting individuals and communities from potential AI harms. The Data Protection and Digital Information Bill (No. 2), tabled in its current form in March 2023, significantly amends these protections,” warns the Institute, pointing for example to the Bill removing a prohibition on many types of automated decisions — and instead requiring data controllers to have “safeguards in place, such as measures to enable an individual to contest the decision” — which it argues is a lower level of protection in practice.
“The reliance of the Government’s proposed framework on existing legislation and regulators makes it even more important that underlying regulation like data protection governs AI appropriately,” it goes on. “Legal advice commissioned by the Ada Lovelace Institute . . . suggests that existing automated processing safeguards may not in practice provide sufficient protection to people interacting with everyday services, like applying for a loan.”
“Taken collectively, the Bill’s changes risk further undermining the Government’s regulatory proposals for AI,” the report adds.
The Institute’s first recommendation is thus for government to rethink elements of the data protection reform bill that are “likely to undermine the safe development, deployment and use of AI, such as changes to the accountability framework.” It also recommends the government widen its review to look at existing rights and protections in U.K. law — with a view to plugging any other legislative gaps and introducing new rights and protections for people affected by AI-informed decisions where necessary.
Other recommendations in the report include introducing a statutory duty for regulators to have regard to the aforementioned principles, including “strict transparency and accountability obligations” and providing them with more funding/resources to tackle AI-related harms; exploring the introduction of a common set of powers for regulators, including an ex ante, developer-focused regulatory capability; and that the government should look at whether an AI ombudsperson should be established to support people aversely affected by AI.
The Institute also recommends the government clarify the law around AI and liability — which is another area where the EU is already streaks ahead.
On foundational model safety — an area that’s garnered particular interest and attention from the U.K. government of late, thanks to the viral buzz around generative AI tools like OpenAI’s ChatGPT — the Institute also believes the government needs to go further, recommending U.K.-based developers of foundational models should be given mandatory reporting requirements to make it easier for regulators to stay on top of a very fast-moving tech.
It even suggests that leading foundational model developers, such as OpenAI, Google DeepMind and Anthropic, should be required to provide government with notification when they (or any subprocessors they’re working with) begin large-scale training runs of new models.
“This would provide Government with an early warning of advancements in AI capabilities, allowing policymakers and regulators to prepare for the impact of these developments, rather than being caught unaware,” it suggests, adding that reporting requirements should also include information such as access to the data used to train models; results from in-house audits; and supply chain data.
Another suggestion is for the government to invest in small pilot projects to bolster its own understanding of trends in AI R&D.
Commenting on the report findings in a statement, Michael Birtwistle, associate director at the Ada Lovelace Institute, said:
The Government rightfully recognises that the UK has a unique opportunity to be a world-leader in AI regulation and the prime minister should be commended for his global leadership on this issue. However, the UK’s credibility on AI regulation rests on the Government’s ability to deliver a world-leading regulatory regime at home. Efforts towards international coordination are very welcome but they are not sufficient. The Government must strengthen its domestic proposals for regulation if it wants to be taken seriously on AI and achieve its global ambitions.