What could a more interventionist UK approach to digital regulation mean for businesses?

James Clark Spencer West Partner 7 July 2026

James Clark, Partner specialising in Data Protection, AI and Digital Regulation, considers how a future Andy Burnham-led government could reshape the UK’s approach to AI, cyber resilience and online safety.

The UK has so far resisted adopting a single, comprehensive AI law, preferring a flexible, sector-led model. But as political pressure grows around the impact of artificial intelligence, questions are emerging about whether that light-touch approach can continue unchanged.

In a recent discussion with TechRound, James Clark considered what digital regulation could look like under a future Andy Burnham-led government, including stronger public control of AI, tougher cyber security expectations and further protections for young people online.

James noted that the most likely path would not be a wholesale break with the UK’s current approach, but a strengthening of it. Rather than adopting an EU-style AI Act, a future government could retain the decentralised framework while giving regulators clearer political direction and, potentially, statutory responsibilities for supervising AI risk.

In practice, this could mean clearer statutory duties rather than guidance alone, including mandatory risk assessments for certain AI use cases and more prescriptive rules for high-risk applications in areas such as employment, health and critical infrastructure.

Burnham’s comment that AI “can’t just be left to the market” signals a possible shift away from the current pro-innovation emphasis. However, James cautioned that it leaves room for interpretation and does not necessarily point to immediate sweeping legislation.

For businesses, the key message is that tougher regulation is likely to be targeted rather than blanket in nature. Organisations should expect increased scrutiny from regulators including the ICO, FCA and CMA, particularly around explainability, fairness, accountability and risk management.

Those with robust AI governance frameworks are unlikely to face immediate disruption, but businesses relying on informal processes may need to mature quickly. Preparation should include documenting AI use cases, assessing risk, assigning governance responsibilities and aligning compliance teams with deployment.

The discussion also covered the Cyber Security and Resilience Bill, part of the UK’s response to increasingly sophisticated cyber threats. While not focused specifically on AI, the Bill aims to raise baseline security standards, expand regulatory scope and strengthen resilience against AI-enabled attacks.

Prompt finalisation will be important if the UK is to keep pace with the EU’s NIS 2 Directive. A key proposed change is the extension of legal responsibility into the supply chains of critical industries, reflecting reliance on cloud infrastructure and managed IT service providers.

Finally, James highlighted unresolved questions around proposals for an under-16 social media ban and wider online safety restrictions for young people. These include how age assurance could be enforced without disproportionate privacy risks, how “social media” should be defined, whether young users may move to less regulated platforms, and how new restrictions would interact with existing obligations.

Read the full TechRound interview with James Clark here: A Chat With James Clark, Partner At Spencer West LLP On What Digital Regulation May Look Like Under An Andy Burnham Government

James Clark
Partner - Data Protection, AI and Digital Regulation
James Clark Spencer West Partner