1 . Constitutional law and fundamental human rights
1.1. Domestic constitutional provisions
The UK’s constitution is not set out in a single written document, it is comprised in a series of statutes, judicial decisions, treaties and conventions. There are no aspects of the UK constitution directed specifically at AI.
1.2. Human rights decisions and conventions
The most important elements of Human Rights law are:
- the European Convention on Human Rights (ECHR);
- the Human Rights Act 1998 (HRA), which enables people to bring cases in the UK courts to uphold their ECHR rights; and
- the Equality Act 2010.
(See also Section 4. Bias and discrimination, below.)
Respect for private and family life (Article 8 ECHR)
Automated facial recognition (AFR) is a controversial application of AI. The Court of Appeal case of R (Bridges) v. Chief Constable of South Wales Police & Ors  EWCA Civ 1058, is a key decision on the use of AFR and human rights. South Wales Police (SWP) used an AFR system to check CCTV footage of the public against 'watchlists' of target individuals held in police databases.
The court held that SWP had not established clear criteria for when to use AFR, and left too much discretion to individuals as to who was on the watchlist, and where to deploy. However, the use was held to be a proportionate interference in accordance with Article 8(2), as the benefits to the community of using AFR outweighed the negative impact on individuals.
Prohibition of discrimination (Article 14 ECHR )
In the Bridges case, it was held that SWP had failed to comply with its Public Sector Equality Duty (Equality Act, section 149) to consider whether a policy could have a discriminatory impact. This was partly because SWP automatically deleted data of individuals whose images didn't match those on the watchlist, hence there was no analysis of whether the AFR system was biased. Also, SWP did not check the database used to train the AFR, and so couldn't identify or address any imbalance in the training data.
Other practical uses of AI that could breach Article 14 rights include, for example, use of algorithmic software in sentencing and parole decisions; AI recruitment interviewing and CV assessment; and AI determination of applications for credit or insurance. (See also Sections 3. Data and 4. Bias and Discrimination of this chapter.)
Other human rights
The potential ubiquity of AI means that other aspects of the ECHR may be breached by its use, including:
- the right to liberty and security (Article 5);
- the right to a fair trial (Article 6);
- the right to freedom of expression (Article 10); and
- the right to freedom of thought, conscience and religion (Article 9).
In light of such concerns, the UN Commissioner for Human Rights has called for a moratorium on the “sale and use of artificial intelligence systems that pose a serious risk to human rights” (see United Nations Human Rights Office of the High Commissioner, Artificial intelligence risks to privacy demand urgent action, Bachelet (15 September 2021) (accessed 1 June 2022).
2 . Intellectual property
Patents for AI
UK patent law is contained in the Patents Act 1977 and associated case law.
UK law excludes from patent protection both mathematical algorithms, and computer software “as such” (i.e., disembodied computer software). However, patents can protect AI systems integrated into software embodied in computing hardware, which together provide a tangible technical advancement. Examples include AI models, user interfaces, and ways of training AI systems resulting from technical improvements such as an increase in speed or accuracy, or improved extraction of features from images.
Patents can be granted where AI tools assist the creation of an invention. However, UK law does not allow patents for inventions created solely by AI, on the grounds that a patentable invention must have a human inventor. This follows a case where patent applications stated that the inventor was an AI machine called DABUS, owned by the applicant (see Thaler v. Comptroller General of Patents Trade Marks and Designs).
The UK Intellectual Property Office (IPO) is considering whether patent law should be changed, either to create a new type of IP right for AI-generated inventions (possibly with a more limited scope and term of protection), or to allow patent protection for them, with authorship/ownership given to the human who made the arrangements necessary for the AI to devise the invention.
Copyright for AI
UK copyright law is mainly contained in the Copyright, Designs and Patents Act 1988 and associated case law. Copyright subsists in the software in which an AI system is embodied, protecting the particular expression of the AI system which is embodied in the software in question, but not the underlying ideas and principles. Copyright may also protect the databases used to train and test AI systems, if there is sufficient skill in selection and curation of data, such that it amounts to the intellectual creation of the author.
Copyright for AI-generated works
According to the Copyright, Designs and Patents Act 1988, copyright applies to computer-generated works which will include AI systems. The author (hence the first owner of the copyright) is deemed to be “the person by whom the arrangements necessary for the creation of the work are undertaken”. The law is uncertain as to what counts as making the necessary arrangements, but this might include conceiving of the project, creating algorithms, or selecting data used to train the AI. This copyright lasts for 50 years.
This provision applies only in a situation where there has been no human authorial input at all (with no copyright protection for a work made jointly by a human and an AI). However, if an AI system is simply used as a tool by a human author to create a work, copyright protection will apply in the usual way, with the human being as author.
The IPO is considering whether the law should be changed, for example by withdrawing all copyright protection from AI-generated works, or by retaining copyright, but with a shorter term of protection.
Text & Data Mining exception
UK copyright law has an exception which allows a user to make a copy of a protected work in order to conduct computational modelling of the information in it, provided that it is for the sole purpose of research for non-commercial purposes. This can be useful where a data set used for training a machine learning (ML) system is subject to copyright. The exception applies only if the user already has lawful access to the data set (such as under a subscription). The IPO is considering whether to make changes to the exception, which could include extending it to cover research for commercial scientific purposes, or even research for any purpose, as well as also applying the exception to databases.
Data sets used for AI training may also be protected by database rights under the Copyright and Rights in Databases Regulations 1997, provided there has been substantial investment (whether financial, human or technical) in obtaining, verifying or presenting the database contents.
Database rights belong to the person who takes the initiative in, and assumes the risk of investing in, the obtaining, verifying or presenting of the database contents. As there is no originality requirement, database rights can apply to databases generated by AI systems.
2.3. Trade secrets/confidentiality
The content and functionality of many AI systems, and the training data sets, can be protected by both the laws of confidentiality and trade secrets. In some situations, this is the only type of IP protection available for data. The common law of confidentiality protects information about AI systems and datasets against unauthorised use, provided that it is confidential, that it was obtained in circumstances such that a duty of confidentiality applied, and that there is actual or likely unauthorised use which is detrimental to the owner.
The UK’s trade secrets regime (derived from EU law) is partly contained in the Trade Secrets (Enforcement, etc.) Regulations 2018. It applies to information which is secret (not generally known), has commercial value because it is secret, and has been subject to reasonable steps to keep it secret.
3 . Data
3.1. Domestic data law treatment
Except for personal data privacy, the UK government has so far taken a hands-off approach to data law. It does not currently envisage enacting major legislation specific to AI issues in data.
3.2. General data protection regulation
The UK GDPR is largely identical to the EU GDPR but localised to the UK. The Data Protection Act 2018 (DPA) enacts the UK GDPR, makes ancillary provisions (e.g., conditions for processing and legality of processing), and regulates personal data processing by police and intelligence services.
The DPA also creates criminal offices, including an offence of knowingly or recklessly re-identifying (without consent) personal data which has been de-identified or processing it. This has relevance for AI systems whose correlation and prediction systems may inadvertently re-identify individuals in the course of sifting their databases, even if that is not an explicit function.
The UK GDPR has extra-territorial reach, covering, for example, those processing outside the UK personal data about individuals in the UK to whom they are offering goods/services, or whose behaviour they are monitoring.
Consistent with the EU GDPR, one of the main provisions specifically relevant from the AI perspective are the restrictions on automated decision-making where this has serious consequences for individuals, and associated obligation to provide meaningful information about the logic of the processing operation. The ICO has produced guidance on this. See also Section 4. Bias and discrimination of this chapter.
UK Data reform
The government intends to make changes to the UK GDPR, including adjusting the ‘human-in-the-loop’ requirement for automated decision-making to enable such processing by AI; and facilitating processing of special category data for monitoring, detection and correction of bias in relation to AI systems.
3.3. Open data & data sharing
As part of its National AI and Data strategies, the government wishes to encourage data sharing to improve outcomes for individuals and increase innovation. It has adopted a policy of ‘Open by Default’ for public sector data across all government departments.
3.4. Biometric data: voice data and facial recognition data
As is the case with the EU GDPR, voice data which is specifically processed for the purposes of identifying individuals is personal biometric data, and hence subject to the additional constraints on use inherent in processing special category personal data.
The ICO has taken action against use of biometric voice recognition systems by Her Majesty's Revenue and Customs (HMRC). HMRC asked customers to record a set phrase in order to use its voice authentication service, which allowed the customer's voice to be used as a secure password for access. Over 7 million recordings were collected. The ICO held that HMRC had no lawful basis for collecting the voice data, and issued an enforcement notice instructing it to delete the voice recording from its systems (except where it had user consent) and to require its suppliers to do likewise (see https://ico.org.uk/media/action-weve-taken/enforcement-notices/2614924/hmrc-en-201905.pdf.
The ICO has issued guidance on video surveillance systems making it clear that voice recording is rarely justifiable and that any sound recording functionality in surveillance equipment should normally be off by default.
Facial Recognition data
Alongside human rights law, the most important sources of regulation of AFR is the UK GDPR, whose provisions relevant to AFR data are (at the time of writing) the same as those of the EU GDPR. Facial images are personal data, and, when processed for the purposes of identifying individuals, they are special category data under the UK GDPR.
Use of AFR is an area of particular concern and focus for the ICO. The Bridges v. South Wales Police  EWCA Civ 1058 case made clear that use of AFR is in principle lawful, but subject to tight constraints. Following that case, the ICO issued an Opinion on the data protection aspects of AFR in public places, stressing the importance of data protection impact assessments, appropriate legal bases, transparency, data minimisation, and the involvement of humans in the process.
In 2022, the ICO took action against Clearview AI Inc., a provider of AFR systems, fining them over GBP 7.5 million and ordering that they delete all images of UK subjects from their database. Clearview provided in the UK a system which allowed organisations such as law enforcement to check facial images against a vast database of images which it had scraped from various publicly available online sources without the subjects’ knowledge or consent. Clearview argued that it was not subject to the UK GDPR as it was based in the USA. The ICO rejected this argument, stating that the use of images of UK-based data subjects entailed monitoring, (thus bringing Clearview within the scope of the UK GDPR), and holding that Clearview were joint data controllers with the UK organisations deploying the systems.
The ICO's Surveillance Camera Code of Practice applies where AFR is deployed in surveillance camera systems, and there are several other potentially relevant laws, regulations and codes of practice (for example: Article 8 of the European Convention on Human Rights, the UK's Human Rights Act, The Protection of Freedoms Act 2012, The Regulation of Investigatory Powers Act 2000, the Intelligence Services Act 1994, The Private Security Act 2001 and the Police Act 1997).
4 . Bias and discrimination
Algorithmic bias can result from use of non-representative data to train AI systems, for example, an insufficiently diverse and representative data set. Serious risks for fundamental rights may arise where AI systems operate on the basis of such biased data.
4.1. Domestic anti-discrimination and equality legislation treatment
Equality Act 2010
The right to equal treatment and non-discrimination is a fundamental principle given specific effect in the UK by the Equality Act 2010 (Equality Act) which applies to those providing services to the public.
Where use of biased or otherwise flawed training data sets skews AI system outputs in a way which disadvantages one of the legally “protected characteristics” under the Equality Act – age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex and sexual orientation – bias can become illegal discrimination (Chapter 1 Equality Act 2010).
To determine whether there has been unlawful discrimination under the Equality Act, it is necessary to decide whether there has been prohibited conduct in respect of one of the “protected characteristics” set out above.
Organisations deploying algorithms do not need to intend to discriminate for their conduct to be unlawful. Indeed, indirect discrimination is likely to be most relevant where AI technology is concerned.
Ordinarily, indirect discrimination occurs where an organisation adopts a “provision, criterion or practice” (PCP) that puts protected people at a disadvantage (Section 19 Equality Act 2010). Use of an algorithm within an AI system may be seen as a PCP within the meaning of the Equality Act and thereby within the remit of indirect discrimination rules (see www.equalityhumanrights.com/sites/default/files/servicescode_0.pdf). For example, if a data set is used to train an adaptive algorithm-based AI in such a way as to cause the AI to show adverts for high-paying jobs more often to men than to women, it can be regarded as a PCP which places women at a disadvantage within the meaning of the Equality Act. A woman who would have applied for the high-paying role, but couldn't because she was not shown the advert, may be within the protection of the Equality Act.
The sophistication of pattern-learning AI systems means that even if restrictions are set on the algorithms produced, for example to ignore protected characteristics like sex, this may not solve the problem, as the AI may instead identify proxies for such characteristics. For example, a review of Durham Constabulary’s HART algorithm (used to aid custody decisions) led to a postcode field being removed from the system amid concerns that it could lead to discrimination against people from poorer areas (see Wired: UK police are using AI to inform custodial decisions – but it could be discriminating against the poor).
The “black box” nature of some AI decision-making means that users may not realise that discrimination is occurring, or be able to tell which organisation contributed to any discriminatory features (e.g., was it those who formulated the algorithm, those who supplied the initial training data set, or the AI-user?).
This lack of transparency can also make it difficult for individuals to identify discriminatory acts and, consequently, to enforce their rights, although discrimination law does allow for inferences of discrimination to be drawn from certain factual scenarios and for the burden of proof to be reversed.
This lack of knowledge can also be an issue for defendants. Whilst it is possible to defend indirect discrimination claims on the basis that apparently illegal discrimination is in fact objectively justified, understanding the way that AI systems are making decisions will be essential to support a defence of objective justification.
Data Protection - Automated Decision Making (ADM)
The UK GDPR (Article 22) restricts the ability to make decisions about individuals based on automated data processing if this “produces legal effects” on, or “similarly significantly affects”, the individual, unless there is direct human involvement.
A “legal effect” is something which affects an individual's legal status/rights (for example, rights to sickness pay). What constitutes “similarly significant affects” is more nebulous, but guidance points to it meaning something which significantly affects the circumstances, behaviour or choices of individuals, having a prolonged or permanent impact and, at the extreme, leading to the exclusion or discrimination against individuals. For example, AI systems used in e-recruiting practices (such as use of automated psychometric testing to filter-out candidates) may well be subject to these restrictions.
5 . Trade, anti-trust and competition
The UK’s competition/anti-trust regime is contained in the Competition Act 1998 (CA 1998) and is regulated by the Competition and Markets Authority (CMA). It is based upon two “core” rules:
- Chapter 1 CA 1998 prohibits “agreements between undertakings, decisions by associations of undertakings or concerted practices which may affect trade within the United Kingdom, and have as their object or effect the prevention, restriction or distortion of competition within the United Kingdom”. Agreements between competitors are most likely to infringe Chapter 1.
- Chapter 2 CA 1998 prohibits “conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market … if it may affect trade within the United Kingdom”. In effect, this imposes responsibilities upon dominant companies not to act in a way that distorts competition.
5.1. AI related anti-competitive behaviour
There are two main forms of “algorithmic collusion”. Firstly, AI-embodied algorithms enable more price transparency and high-frequency trading, enabling competitors to react quickly, which could lead to collusive strategies. Secondly, companies can use deep learning techniques to monitor prices, implement common policies, send market signals or optimise joint profits. These AI tools can facilitate tacit collusion between competitors, resulting in anti-competitive outcomes such as price coordination.
Algorithmic systems enable companies to offer different prices to different customers depending on the information they hold about them, for example offering higher renewal prices to customers identified as being more likely to renew with the same company. This ‘personalised pricing’, if directed at consumers, may infringe the Consumer Protection from Unfair Trading Regulations 2008 (CPUT) if it amounts to an unfair commercial practice (i.e., is contrary to professional diligence in a way which would be likely to materially distort the economic behaviour of a consumer).
Personalised search rankings
The CMA also highlights that personalised search rankings (where algorithmic systems facilitate preferences for particular services, products or suppliers) may potentially lead to negative outcomes for consumers by manipulating their decision-making. Personalised rankings based on protected characteristics (e.g., age, disability, sex, or race) could amount to unlawful discrimination and breach equality legislation (see also Section 4. Bias and discrimination, of this chapter).
It may also breach consumer protection law in relation to the protections awarded to vulnerable consumers under CPUT and other legislation as a result of consumers’ protected characteristics (such as age or disability) or being “situationally vulnerable” (for example, bereaved individuals targeted by funeral providers).
“Dark patterns” are practices designed to influence users into making commercial decisions (e.g., buying or signing up) to their detriment, such as, for example, using AI systems to target users with messaging designed to create a sense of urgency (e.g., stating that there is only limited availability). These messages are contrary to CPUT if they are untrue, misleading, or otherwise amount to undue influence, or unfair, aggressive or coercive commercial practices.
The CMA has repeatedly enforced in this area, and there are suggestions that dark patterns should be specifically regulated under the UK's planned Digital Markets, Competition and Consumer Bill.
Abuse of dominance
Companies in a dominant position have a greater potential to use AI in a manner that may distort competition and therefore breach the CA 1998.
For instance, competition is likely to be harmed where a dominant platform’s algorithms favour its own products and services over those of rivals. This may have the effect of promoting the dominant company’s products or services such that it does not need to compete on its own merits.
Dominant players may have an advantage if their size gives them access to larger data pools than those of their competitors. In digital markets, the user data that certain players have access to, often combined from multiple channels, power the AI systems which deliver targeted advertising. This data, to which competitors do not have access, is a key barrier to competition for challenger players trying to compete with the larger firms. It is expected that future UK legislation will seek to tackle this problem.
5.2. Domestic regulation
There is currently no specific UK legislation that regulates AI from a competition/anti-trust perspective, but use of AI will be caught by the competition rules where it results in a breach of the CA 1998. The CMA has published two papers analysing potential harms caused by algorithmic systems and stated that it intends to work closely with other regulators to develop its work in relation to anti-competitive use of AI systems. (See CMA working paper “Pricing algorithms: Economic working paper on the use of algorithms to facilitate collusion and personalised pricing, 2018” and CMA paper “Algorithms: How they reduce competition and harm consumers”, which focusses on the potential harm caused by the use of algorithms by market participants).
6 . Domestic legislative developments
At the date of writing, no AI-specific laws exist or have been proposed in the UK, though the government is actively looking at changes to various existing laws to take account of developments in AI.
National AI Strategy
In 2021, the UK government published its “National Artificial Intelligence (AI) Strategy” presenting a vision of a pro-innovation environment to make the UK an attractive place to develop and deploy AI technologies, keeping regulation to a minimum, whilst ensuring the “ethical, safe and trustworthy development of responsible AI”. The National AI Strategy has three core pillars:
- Investment in the long term needs of the AI ecosystem, to ensure competitiveness.
- Supporting transition to an AI-enabled economy, considering all sectors and regions.
- Ensuring the right national and international governance of AI technologies, working with global partners to promote responsible AI development.
Alternatives to a broad AI-specific regulation are considered, for example:
- Removing regulatory burden when creating unnecessary barriers to innovation.
- Retaining the sector-led approach whilst ensuring that various regulators have flexibility to ensure AI delivers the right outcomes.
- Introducing cross-sector principles or rules to supplement existing regimes.
National Data Strategy
The government launched an ambitious “National Data Strategy” in 2020 together with a public consultation. Whilst the Strategy is not specific to AI systems, the importance of data for the creation and operation of AI systems is acknowledged to be a key driver of data strategy, in particular for the government's key mission of “Unlocking the value of data across the economy”. In its response, the Department for Digital, Culture, Media and Sport (DCMS) highlighted the scope to “capitalise on [the UK's] independent status and repatriated powers” following the UK leaving the EU, but also the need to “maintain interoperability” with other regimes for businesses which operate across borders (see www.gov.uk/government/consultations/uk-national-data-strategy-nds-consultation/outcome/government-response-to-the-consultation-on-the-national-data-strategy).
Data: a new direction
In 2021, DCMS conducted a public consultation on proposals to reform aspects of UK data protection laws in order to provide a more flexible regime and to shift away from the “one size fits all” approach to compliance inherited with the UK GDPR following the UK's withdrawal from the EU.
7 . Frequently asked questions
1. Will the EU's forthcoming Artificial Intelligence Act (AIA) apply to the United Kingdom?
At the present time there are no plans for the UK to adopt the AIA. Since the UK exited the EU in January 2020 it is not obliged to implement EU law. This of course means that the AIA will not directly apply to UK businesses developing AI systems once it comes into force. As the EU is however one of the UK's largest export markets there is the prospect of it applying indirectly to AI developers seeking to export to the EU market.
2. Are there plans for the UK to legislate on the topic of Artificial Intelligence?
See above, Section 6. Domestic legislative developments. Currently it seems unlikely that the UK will bring forward a unitary measure similar to the AIA, but will rather follow a sector led 'light touch' approach. Precise details are likely to be contained in a delayed AI Governance White Paper, which at the time of publication is due to be published in the autumn of 2022.
3. What should I be doing in the UK in relation to either the use or development of AI systems to prepare for regulation?
At the time of writing it seems very likely that even though a unitary law is not expected, the overall approach adopted will be similar in theme to that of the EU. There is very likely to be an emphasis on the use of ethical or "responsible" AI. In practical terms this means that you should consider undertaking an impact assessment (in a similar manner to the requirements specified in relation to data under the UK GDPR) to ensure that you have considered and mitigated (to the extent practicable) all of the actual risks which could potentially occur in the development and use of your AI system. At the very least, this impact assessment should take into account specific AI related ethical issues, such as the potential for bias to arise in the system (and the extent to which that can be corrected); dealing with transparency issues (understanding how the AI system makes decisions and providing appropriate instructions and guidance for use) and addressing accountability (making sure that there are appropriate human decision makers "in the loop").