September 2024

The Data Governance Regime under the EU AI Act: Intersections with the GDPR and Personal Data Protection

The EU AI Act places strict requirements on data governance and management for high-risk AI systems and general-purpose AI models, particularly regarding personal data processing governed by the GDPR. The Act complements the GDPR by addressing AI-specific privacy issues, introducing new legal grounds for personal data processing, and setting penalties for non-compliance with data governance and personal data processing requirements. The Act also introduces new measures to combat AI-related bias and permits the processing of personal data in certain cases in regulatory sandboxes. The Act and the GDPR differ in the market operators they cover, the obligations they impose, and the impact assessments they require, but both aim to address risks to fundamental human rights and freedoms. The feedback loops of AI systems present challenges for personal data protection under the current EU regime. Compliance with the EU AI Act requires additional and sophisticated data and AI governance measures beyond those of the GDPR.

UK Introduces New Bill to Regulate Automated Decision-Making in the Public Sector

The UK is introducing the Public Authority Algorithmic and Automated Decision-Making Systems Bill (HL Bill 27) to regulate the use of automated and algorithmic tools in decision-making processes within public authorities. The proposed legislation applies to all algorithmic and automated decision-making systems developed or procured by public authorities, excluding those used for national security and routine calculations. The bill introduces requirements for algorithmic impact assessments, algorithmic transparency records, monitoring and auditing, employee training, and adherence to human rights and democratic values. The legislation aims to align with the Council of Europe's Framework Convention on AI.

The first internationally binding AI convention opens for signature

The Council of Europe's (CoE) Framework Convention on Artificial Intelligence and Human Rights, Democracy, and the Rule of Law has opened for signature, and has already been signed by several countries including the United States, the European Union, and the United Kingdom. The Convention applies primarily to States and certain international organizations. It establishes a comprehensive set of obligations designed to ensure that all activities throughout the AI system lifecycle align with human rights, democratic principles, and the rule of law. Its central aim is to ensure that AI systems are developed, deployed, and used in ways that respect human rights, democracy, and the rule of law. The Convention also sets out several guiding principles and a risk management framework for AI systems. The Convention is a pivotal step in the global governance of AI, expanding the geographic influence of such initiatives through the Council of Europe's broad reach.

August 2024

AI policy under a Labour government: Will the UK move on from its light-touch approach?

The new UK Labour government, led by Prime Minister Keir Starmer, plans to regulate powerful AI models, although it has not released any specific bill yet. Existing UK laws like the UK GDPR and Equality Act 2010 affect AI use. The Labour Party's approach contrasts with the previous government's pro-innovation stance, aiming for binding regulations and transparency. The new AI Opportunities Action Plan and DSIT’s expanded role will support AI-driven growth and public service improvements, while the UK public remains concerned about AI’s impact on the labor market. The Digital Information and Smart Data Bill, the AI Opportunities Action Plan, and the DSIT restructure are potential pathways for future regulation. Compliance with Holistic AI can act as an effective guardrail for organizations amidst uncertainties and a rapidly evolving AI regulatory ecosystem.

The conclusion of the first independent DSA audit period for VLOPs and VLOSEs

The Digital Services Act (DSA) is a set of rules designed to create a secure and trustworthy online environment in the European Union (EU). It imposes specific obligations on Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) with over 45 million monthly active users in the EU, including disclosing information, implementing complaint mechanisms, and undergoing annual independent audits. The first audit period closed on 25 August 2024, and VLOPs and VLOSEs must submit an audit report, describe how they will address any operational recommendations, and make the audit report publicly available within three months of receiving it. Resources are available for those wanting to learn more about the DSA.