A Chat With James Clark, Partner At Spencer West LLP On What Digital Regulation May Look Like Under An Andy Burnham Government

Is the Burnham administration likely to move the UK away from its light-touch approach to AI regulation?

 

I see two possibilities.

The less revolutionary – and probably the more likely in practice – is that Burnham retains the existing ‘de-centralised’ approach to AI regulation, whereby the UK goes without a comprehensive AI law (in the mould of the EU AI Act) and instead relies on existing regulatory frameworks to address the risks of AI within their respective domains.

However, Burnham can strengthen this approach by applying more political direction to regulators – including potentially specific statutory responsibilities regarding AI supervision. The more ambitious approach would be to introduce new, AI-specific laws – particularly on a horizontal / cross-sectoral basis – but this would be a big departure from the UK’s approach to date and would likely eat up a lot of time in terms of policymaking and parliamentary process.

 

What would a more interventionist, state-led AI policy look like in practice?

 

It would likely involve clearer statutory duties rather than reliance on guidance alone. For example, you might see mandatory risk assessments for certain AI use cases, stronger central coordination (perhaps via a dedicated AI regulator or strengthened central function), and more prescriptive rules around high‑risk applications such as employment, health, or critical infrastructure. It would also probably include greater public sector leadership in funding and deploying AI.

 

How significant was Burnham’s comment that “you can’t just leave it to the market” when it comes to AI?

 

Arguably quite significant as it is a notable departure from the stance of the government and DSIT ministers to date, which has been focused on a ‘pro-innovation’ approach and arguably a fear of spooking the big tech industry and the supposed inward investment it can offer for the UK. However, we should remember that the statement was made prior to Burnham becoming an MP and is fairly vague – ‘not leaving it to the market’ gives a wide discretion for manoeuvre and, as explained above, doesn’t necessarily mean the sledgehammer approach of a headline new AI law.

 

Could stronger public control over AI help the UK avoid the political and social tensions seen in the US?

 

Potentially yes, but my view is that regulation alone won’t eliminate those tensions. Many of the issues seen in the US – such as workforce disruption, misinformation, and concentration of power – are structural. Thoughtful regulation can mitigate risk, particularly around transparency and accountability, and arguably slow down the rush to implement AI across the board, forcing companies and public bodies to do things in a more considered way. But in addition to regulation, broader policy measures such as skills, competition enforcement, and public trust initiatives are undoubtedly needed to tackle social harms.

 

How might a Burnham government balance AI innovation with tighter regulation?

 

The most likely approach is targeted intervention rather than blanket regulation. That means focusing rules on clearly defined high‑risk use cases while preserving flexibility elsewhere. Much will depend on how effectively regulators coordinate, and whether the UK can maintain a proportionate approach—avoiding both regulatory fragmentation and overreach.
 

 

What should businesses expect if the UK takes a tougher stance on AI governance?

 

Businesses should expect increased scrutiny rather than immediate radical change. In practice, that may mean more detailed expectations from regulators such as the ICO, FCA and CMA, particularly around explainability, fairness and risk management. Companies that already have robust AI governance frameworks in place are unlikely to face major disruption, but those relying on informal or ad hoc processes may need to mature quickly.

 

How important is the Cyber Security and Resilience Bill in preparing the UK for AI-enabled cyber threats?

 

It’s an important piece of the puzzle. AI is accelerating both the sophistication and scale of cyber threats, so resilience frameworks need to keep pace. The Bill is less about AI specifically and more about raising baseline security standards and expanding regulatory scope, which indirectly strengthens defences against AI‑enabled attacks.

 

Is the UK falling behind the EU on cyber resilience, especially after the introduction of NIS 2?

 

In the immediate term, yes, which is why prompt finalisation of the Bill is important. The big change posited by the Bill is the extension of legal responsibility for cyber security into the supply chain of critical industries, which is arguably essential given the extent to which organisations are increasingly reliant on cloud infrastructure and managed IT service providers. Longer term, the risk is probably more about divergence.

The EU’s NIS 2 Directive sets out a comprehensive and relatively prescriptive framework, whereas the UK has taken a more flexible approach. An issue for businesses will be managing compliance across two increasingly distinct regimes.

Could political change slow down progress on cyber security legislation, even if the Bill has cross-party support?

Cyber security tends to attract relatively strong political alignment, so any delay is more likely to be procedural than substantive.

No party wants to be seen as weak on this issue, although there might be scope for debate about how onerous the rules are and the impact of more red tape on business.

 

What unanswered questions remain around the proposed under-16 social media ban and wider online safety restrictions for young people?

 

There are several key uncertainties.

First, enforceability – particularly around robust age assurance without creating disproportionate privacy risks.

Second, scope – what exactly constitutes a “social media” service in a converged digital environment.

Third, unintended consequences, such as displacement to less regulated platforms.

And finally, how these measures interact with existing obligations under the Online Safety regime and data protection law.