Welcome to the latest edition of Technol-AG - practical commentary on our pick of the latest tech law developments. In this edition, we provide an easy-to-digest overview of the latest AI news and consider the practical takeaways from some of the key announcements in two other areas: cyber resilience and telecoms.
Technol-AG: 3 tech law updates that have caught our attention recently
3 tech law updates:
- Cyber resilience: Government scrutiny increasing
- AI: The story so far in 2024
- Telecoms: Ofcom proposes ban on inflation-linked price increases
Cyber resilience: Government scrutiny increasing
On 23 January 2024, as part of its £2.6 billion National Cyber Strategy to protect and promote the UK online, the Government published a draft Cyber Governance Code of Practice and a response to its call for views on security and software resilience for organisations and businesses. The clear indication is that cyber resilience is a topic Boards should be taking seriously.
Draft Cyber Governance Code of Practice
The Government has published a draft Cyber Governance Code of Practice aimed at executive and non-executive directors and other senior leaders. The Code is intended to bring together the critical cyber governance areas directors need to take ownership of and formalise the Government's expectations of directors regarding these. A call for views on this Code is open until 19 March 2024.
Key points
- Scope: On the basis that cyber risk comprises a material risk to any business, whether directly regulated or not, the intention is that all organisations would be expected to adopt the Code.
- Legal force: As a code of practice, it would be voluntary rather than mandatory. However, the intention is that it would become common practice and support existing regulation such as the General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Regulations.
- Areas of focus: The draft Code focusses on risk management, cyber strategy, people, and incident planning and response.
Practical takeaways
The key message from the Government is that directors and Boards need to give as much attention to governing cyber risk as they do to other important risks. They see business resilience and cyber security as intrinsically linked and expect organisations to implement a top-down approach. This requires the most senior leaders of an organisation (directors, the Board or equivalent) to take ownership of cyber risk, understand the cyber threats to the organisation and assess the action being taken to manage them.
Although the Code is currently only in draft form, it identifies what the Government considers to be the most critical areas that business leaders must engage with (the areas of focus set out above). Organisations should give serious thought to these areas and ensure that their business has strong accountability frameworks in place regarding cyber governance.
Security and software resilience for organisations and businesses
On the same day it published the draft Cyber Governance Code of Practice, the Government also turned its attention to software resilience for businesses and organisations by laying out proposed interventions in a policy framework in its response to a call for views. The stated purpose was to further help address software risks, make organisations more resilient to cyber threats and give more clarity on best practice.
Key points
- Key themes to be addressed by the Government:
  - Setting clear expectations for software vendors
  - Addressing systemic risks and protecting high-risk users
  - Strengthening accountability in the software supply chain
- Planned approach:
  - Once again, rather than regulation, the Government proposes to adopt a new voluntary Code of Practice. In this case this would be a Code for software vendors setting out expected requirements in secure development and regarding communication and transparency with customers.
Practical takeaways
The Government highlighted the severe impacts which attacks on software and digital supply chains can have, giving the example of the recent cyber incident which took the NHS 111 service offline. They emphasised that, given how fundamental software has become to organisations and how much reliance is placed on it, protecting it is crucial.
Of most interest to software users are the proposals to help strengthen software vendor accountability. These include:
- creating standardised procurement clauses for organisations to insert into their contracts with software vendors; and
- potential introduction of accreditation as a useful means of enabling software users to hold software vendors to account.
In the meantime, organisations should consider reviewing their contractual requirements for software vendors to ensure there is accountability regarding security practices and resilience.
AI: The story so far in 2024
Last year ended with big AI news in the form of agreement being reached on the EU AI Act (the Act) (please refer to our commentary on this), and 2024 has already seen some interesting legal developments regarding AI. Here's our pick of the key things you need to know about.
EU AI Act text
Although agreement was reached on the Act in principle in December, the text of the Act is still making its way through the formal legislative process and will ultimately have to be formally adopted by both the European Parliament and the EU Council to become EU law. It came as a bit of a surprise therefore when on 22 January 2024 a journalist leaked the text and it was quickly circulated and discussed as though in final form.
Since then, the text of the provisional agreement has been officially published and a major hurdle has been cleared with unanimous approval by the EU Council's Committee of Permanent Representatives. Several further stages remain, but it seems increasingly likely that a text substantially in the form of the one published will be formally adopted in April.
UK approach to AI regulation and copyright
In contrast to the EU position, on 6 February 2024 the Government issued a response to the consultation on its March 2023 white paper setting out proposals to establish a regulatory framework for AI (the White Paper Response). This confirmed their pro-innovation approach and the fact that they are not intending to implement regulation in the near future, instead opting to combine cross-sectoral principles and a context-specific framework. However, alongside various other updates, they announced that they have asked a number of regulators to publish an update outlining their strategic approach by the end of April this year and this information will have a bearing on whether they continue to favour a non-legislative approach.
The White Paper Response also provided an update regarding the Government's approach to AI and copyright. It was revealed that the Code of Practice on Copyright and AI being developed by the Intellectual Property Office (IPO) to clarify the protection of rights holders had been shelved and the Government made clear that it has no immediate solution. Instead, they are intending to continue to engage with both the AI sector and the creative and media sector and their international counterparts who are facing the same challenge.
Practical takeaways
The way in which the legal issues associated with AI are to be addressed by regulators and governing bodies continues to evolve. Organisations should continue to follow the latest developments in the jurisdictions in which they operate, particularly where they or their supply chain are already starting to make use of AI tools.
Telecoms: Ofcom proposes ban on inflation-linked price increases
An Ofcom consultation launched on 12 December set out Ofcom's plans to protect consumers from uncertain price increases with a proposed ban on telecoms companies providing price increases which are inflation-linked or set out in percentage terms.
Why is Ofcom proposing these changes?
- Telecoms companies are increasingly including a contract term allowing an annual price increase that is linked to inflation plus an additional percentage of typically 3.9%. This type of contract term leaves customers confused by the complexity and unpredictability of price rises.
- Research undertaken by Ofcom shows that one third of customers do not have a clear understanding of whether their price is likely to rise and more than half do not know what CPI or RPI are. The research also showed that even those customers who had awareness of the inflation-linked price rises could not estimate the likely rise in price.
- Ofcom is concerned that these terms require customers to "unfairly assume the risk and burden of financial uncertainty from inflation".
When will the final decision be published?
- Ofcom's final decision will be published in spring 2024.
Practical takeaways
If the proposals go ahead, telecoms companies will be banned from including any inflation-linked price rises and any percentage-based price rise terms. If they want to increase the price, they will be required to do so by setting out the amount in pounds and pence and clearly outlining when the change in price will occur.
If you would like to discuss what any of these news stories or updates might mean for your business, please get in touch with David Berry or your usual Addleshaw Goddard contact.
David Berry
David Anderson
Susan Garrett
Damon Rosamond-Lanzetta