Regulation must be an enabler of innovation, not a barrier to it.
This simple statement rests at the heart of Greater Manchester’s tech sector now more than ever before - but regulation is undoubtedly difficult to get right.
With emerging technologies like Artificial Intelligence (AI) and facial recognition now evolving at an unprecedented rate, just what needs to be done?
Here, David Gardner, a partner at Manchester-based law firm TLT and tech specialist, gives his professional opinion:
How must regulations and ethics sit with tech like AI and automated facial recognition (AFR)?
In many respects, the º£½ÇÊÓƵ already leads the way with a developed regulatory framework for data privacy under the GDPR and the Data Protection Act 2018.
This framework provides some oversight of specific areas like automated decision making where AI processes personal data) and surveillance (which would cover certain uses of AFR) under the Regulation of Investigatory Powers Act 2000 (RIPA).
However, technology always outpaces regulation and the gap is widening as technology developments accelerate.
Most Read
Even the GDPR, which represented a step change in modern regulation and started life as an EU proposal dating back to 2012, took over four years to negotiate into law in 2016 and a further two years to take effect in 2018.
Developments in AI and AFR in the meantime have been significant.
The GDPR places general restrictions on the identification of individuals through the use of biometric data, but the increased sophistication and adoption of AFR powered by AI means specific privacy issues around transparency, consent and bias will need to be addressed by regulation or, at least, best practice guidance, to ensure the technology is not misused.
Neither AI nor AFR is separately regulated in the º£½ÇÊÓƵ or anywhere else in Europe.
There is a danger that the current regulatory framework is too fragmented and unstructured in the face of these rapid developments and there is considerable debate about how to address this.
Professor Hannah Fry has proposed a “Hippocratic oath” for data scientists, which would impose ethical standards on the people who are directly responsible for designing and deploying AI and AFR systems.
Who is responsible for enforcing the regulations?
Don’t miss
Because of the varied and far-reaching deployment of AI and AFR, a range of bodies potentially have oversight and enforcement rights when things go wrong.
These include the courts, the Information Commissioner's Office (ICO), the Investigatory Powers Tribunal and industry-specific regulators.
The Financial Conduct Authority (FCA) and Financial Services Ombudsman would be involved where AI or AFR is used in banking services to identify customers or make decisions.
The GDPR makes privacy by design and privacy by default key concepts, meaning that organisations who plan to implement AFR and AI solutions are required to build responsible solutions and consider privacy issues from the outset in performing their data protection impact assessments.
How do we manage these regulations post-Brexit?
Complications arise post-Brexit for at least two reasons.
First, immediately following the exit date, the º£½ÇÊÓƵ will constitute a non-EU third country for the purposes of EU member states.
Though the ICO has said º£½ÇÊÓƵ entities will be able to export data to the EU, member states will need to ensure they have appropriate mechanisms in place to export data to the º£½ÇÊÓƵ.
This will require new instruments such as data transfer agreements.
Want more business news straight to your inbox?
BusinessLive is your home for business news from around the country - and you can stay in touch with all the latest news through our email alerts.
You can sign up to receive morning news bulletins from every region we cover and to weekly email bulletins covering key economic sectors from manufacturing to technology and enterprise. And we'll send out breaking news alerts for any stories we think you can't miss.
Visit our email preference centre to sign up to all the latest news from BusinessLive.
This will be the case until the EU approves a data protection adequacy decision for the º£½ÇÊÓƵ, but that process is expected to take some time after exit.
Second, in the longer term, the º£½ÇÊÓƵ will have the unpalatable choice of either continuing to follow EU developments in data regulation with no direct influence in those developments, or proposing divergences.
This runs the risk of disrupting data import/export arrangements with the EU and could jeopardise any future adequacy decision that may have been granted by the EU.