On 28 February 2023 the Home Office published an updated version of its right to work guidance for employers. This includes important information on the limits of using Identity Document Validation Technology (IDVT) for compliant right to work checks, as well as other significant information.

Text:

The Employer’s guide to right to work checks (the guidance) is the main guidance document for employers to refer to when seeking to carry out right to work checks that will provide a statutory excuse against liability for an illegal working civil penalty and general compliance with the UK’s illegal working regime.

The updates cover a range of topics as set out below.

Important clarification on using IDVT for right to work checks

Since 6 April 2022, the Home Office introduced the possibility of an employer carrying out a compliant digital right to work check for British and Irish citizens with a valid British or Irish passport (or Irish passport card). This process includes the use of Identity Validation Technology (IDVT) provided by an Identity Service Provider (IDSP). IDVT provides digital identity verification by obtaining evidence of the person’s identity (e.g. a passport) and then checking the validity of the evidence and that it belongs to the person claiming it (e.g. through checking the biometric information from the passport against a selfie and liveness check of the person claiming to be the passport holder). See our earlier article on this here.

The updated guidance clarifies that although IDVT can be used as an additional optional measure to enhance pre-employment checking processes and minimise the risk of fraud, it does not form part of an employer’s statutory excuse against liability for an illegal working civil penalty in the case of a manual or online check. IDVT can only be relied on as part of the statutory excuse for a digital check.

The significant practical issue for employers is that some IDSPs and pre-employment screening providers currently use processes that involve the provider (rather than the employer) completing elements of manual and/or online right to work checks, and which may lead to a statutory excuse not being available. This may be the case if the provider accesses the Home Office’s online system directly, or if the relevant original document(s) for a manual check are not copied by an employee of the employer.

Although liability for a civil penalty only arises if an individual does not in fact have the right to work in the UK, employers who are also sponsors under the points-based system are required to comply with the right to work guidance as part of their sponsor duties. Carrying out checks in a way that does not attract a statutory excuse may lead to sponsor compliance action.

We would suggest employers consider:

• Reviewing the processes of any provider used, alongside their own internal processes, to verify whether they are capable of providing a statutory excuse;

• Adjusting processes where needed to obtain a statutory excuse (this will include ensuring that an employee of the employer carries out all elements of manual and online checks, rather than these being delegated to a third-party provider); and

• Ensuring that the visual check (imposter check) element is carried out by an employee of the employer and is adequately documented.

Please contact us if you require assistance with carrying out a review.

IDSPs using Reusable Identities

Some IDSPs have the capability to create a reusable digital identity or attribute service. What this means in practice for digital right to work checks is that the holder of a British or Irish passport (including Irish passport card) may be able to complete the document and biometric checking process once and reuse the resulting IDVT output each time they are due to start a new job, until the passport expires.

The guidance now sets out the technical requirements for reusable identities to be accepted for digital check purposes.

End of COVID-19 adjusted right to work checks

The guidance includes a reminder that COVID-19 adjusted right to work checks ended on 30 September 2022. Although employers do not have to carry out a retrospective check for employees whose right to work was checked between 30 March 2020 and 30 September 2022, standard prescribed checks must be carried out on or after 1 October 2022.

Expansion of online right to work check system capability for eVisa holders with statutory immigration permission

An eVisa holder who has made an in-country eVisa application for permission to stay in the UK may now issue a share code for an employer to verify their right to work using the online right to work check system in the following circumstances:

• They are an eVisa holder and are applying for a further eVisa for permission to stay (i.e. they have applied using the UK Immigration: ID Check app);

• They do not have permission under the EU Settlement Scheme or as a frontier worker;

• Their application has been made after 26 January 2023 and before the expiry of their existing immigration permission; and

• Their application, or any related administrative review or appeal is pending.

The employer will obtain a statutory excuse for six months once the online check has been completed in line with the guidance. They no longer need to contact the employer checking service. The employer must do a repeat check before the expiry of the six-month timeframe.

The Home Office has produced a factsheet with further information on this change.

This change will only benefit a limited number of eligible individuals initially, but will become more extensively used as eVisas are rolled out more widely between now and 2025.

Additional acceptable document for manual right to work checks

A Re-Admission to the UK (RUK) endorsement in a current passport is now footnoted (in List A) as an acceptable document for manual right to work checks. An individual who presents this endorsement has an ongoing right to work and is not required to complete a follow-up right to work check.

Expanded information on sponsored workers and students

The updated guidance now includes additional text at Annex B.

Skilled Workers

The guidance now refers to Skilled Workers’ ability to undertake limited supplementary employment with a different employer without the need to obtain additional sponsorship or immigration permission.

For an employer providing supplementary employment, the right to work check must include verification that the proposed work falls within the definition of supplementary employment and that the individual is able to carry it out. The guidance also explains that overtime with the individual’s sponsor does not count towards supplementary employment, and there is no maximum number of overtime hours that may be worked per week. The sponsor must however ensure the Skilled Worker is paid overtime at least in line with the salary stated on their Certificate of Sponsorship.

Students

Clarification is added to state that students may fill a permanent full-time vacancy if they have applied to switch to the Graduate route following successful completion of their studies.

An observation is included that notes that full-time work outside of academic term times is allowed from the day after the academic term ends. Students should confirm with their sponsor what the exact term end date is and verify this with the employer as part of the right to work check process before considering working full-time hours during term breaks.

The guidance also now states that the employer must determine the sufficiency of academic term and vacation information provided by the sponsoring education provider, e.g. by clarifying any discrepancies between information published on the education provider’s website and information contained in a letter or email provided by the education provider directly to the student.

Information on phasing out biometric residence permits

An employer must carry out an online right to work check where a person holds a biometric residence permit (BRP). They should schedule a follow-up check if the online service notes the person’s immigration permission has an expiry date.

Additional text has been inserted into the guidance noting that BRP may expire on 31 December 2024, despite the individual’s immigration permission expiring after that date, and that the employer should use the expiry date from the online system in that circumstance.

The Government’s aim is to phase out biometric residence permits (BRPs) before the end of 2024. GOV.UK will be updated in early 2024 to explain how BRP holders can evidence their rights beyond the expiry of their BRP.

The results of our recent IDSP survey confirm that employers’ highest priority for engaging an IDSP for right to work checks is obtaining an effective statutory excuse. If you would like us to provide you with further information on this, please register your interest here.

If you have questions about these updates or carrying out compliant right to work checks more generally, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration

Author(s)/Speaker(s): Supinder Singh Sian, Naomi Hanrahan-Soar, Tom McEvoy, Kathryn Denyer,

The Immigration Rules and guidance for the EU Settlement Scheme (EUSS) will need to be amended in line with a significant recent High Court judgment. Among other things, employers should expect revised guidance on right to work in the UK for individuals with pre-settled status who fail to make a further application under the EUSS.

Text:

Campaign group, the3million has confirmed the Home Office is not intending to challenge recent findings of the High Court that certain elements of the EU Settlement Scheme (EUSS) are not in line with citizens’ rights under the UK-EU Withdrawal Agreement (the WA).

The EUSS is the means chosen by the UK to discharge its obligations under the WA to protect the residence rights of EEA and Swiss citizens living in the UK by 31 December 2020, and their family members. The legality of the Scheme was questioned because those with pre-settled status must make a further application under the Scheme before the expiry of their five-year permission, otherwise they lose their right to live, work, rent and access free healthcare in the UK.

In a successful case brought by the Independent Monitoring Authority for the Citizens’ Rights Agreement, the High Court held that:

• A person with pre-settled status under the EUSS does not lose their residence rights under the WA if they fail to make a second application before the five-year expiry date of that permission; and

• A person with pre-settled status who acquires a right of permanent residence under the WA after five years of lawful residence in the UK does not lose this if they fail to apply for and obtain settled status under the EUSS.

To avoid practical disruption to EUSS participants, amendments to the Immigration Rules and Home Office guidance will need to be in place before August 2023, which is when the earliest grants of pre-settled status are due to expire.

Along with other guidance, it is anticipated that updates to the Home Office’s right to work check guidance for employers will need to be made to cover the situation where a person’s pre-settled status has expired.

Until the Rules and guidance are updated, individuals who become eligible for settled status after five years’ lawful residence in the UK are encouraged to apply for it as this is the most straightforward way of evidencing their rights.

If you have questions about this development, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration

Author(s)/Speaker(s): Andrew Osborne, Clara Le Chevallier, Pip Hague,

Applicants applying to come to the UK to join British or ‘settled’ family members can now use the priority service to reduce the processing time for their applications. This is a huge relief for those seeking family reunion in the UK.

Text:

The government website has not yet been updated at the time of writing, but its overseas third party visa application centre providers, VFS Global and TLS Contact, both made announcements on their respective websites on 20 February 2023.

Who can now use the priority service?

Priority service has been reintroduced for new visa applications made outside the UK from 20 February 2023. The processing standard is 30 working days from the date of biometric enrolment.

What if I have an existing family visa application pending?

The Home Office previously suspended priority services while they dedicated staff and resources to process applications made under the Ukraine schemes. A range of visa routes were impacted by this. For family visa applications made outside the UK, the standard processing time increased from 12 weeks to 24 weeks.

In January 2023, the Home Office started to contact those with pending visa applications in date order, with an offer to pay an additional fee to upgrade to the priority service. They are continuing with this effort and applicants can expect to be contacted in the weeks to come. To acknowledge that applications may have been pending for a substantial amount of time already, the priority processing service for those with applications pending before 20 February 2023 is reduced further to 15 working days.

While the Home Office aims to deliver a decision within the timeframe, applicants will not receive a refund if it is not met.

What is the cost for using the priority service?

The additional fee for the priority service is £573 per applicant. If a family of four is applying together, the additional fee is £2,292 on top of the usual application fee and Immigration Health Surcharge. It’s not to be considered lightly, especially when processing times are not guaranteed.

And what if you choose not to use the priority service?

If the priority service is not purchased, visa applications should be processed within the standard 24-week timeframe. The Home Office is working to reduce this standard back towards the previous 12-week timeframe, and intending applicants should check Visa decision waiting times: applications outside the UK for updates.

If you require assistance or have an immigration query, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration, Supporting Individuals with Immigration & Nationality

Author(s)/Speaker(s): Stephen OFlaherty, Parvin Iman, Pip Hague,

Applicants applying to come to the UK to join British or ‘settled’ family members can now use the priority service to reduce the processing time for their applications. This is a huge relief for those seeking family reunion in the UK.

Text:

The government website has not yet been updated at the time of writing, but its overseas third party visa application centre providers, VFS Global and TLS Contact, both made announcements on their respective websites on 20 February 2023.

Who can now use the priority service?

Priority service has been reintroduced for new visa applications made outside the UK from 20 February 2023. The processing standard is 30 working days from the date of biometric enrolment.

What if I have an existing family visa application pending?

The Home Office previously suspended priority services while they dedicated staff and resources to process applications made under the Ukraine schemes. A range of visa routes were impacted by this. For family visa applications made outside the UK, the standard processing time increased from 12 weeks to 24 weeks.

In January 2023, the Home Office started to contact those with pending visa applications in date order, with an offer to pay an additional fee to upgrade to the priority service. They are continuing with this effort and applicants can expect to be contacted in the weeks to come. To acknowledge that applications may have been pending for a substantial amount of time already, the priority processing service for those with applications pending before 20 February 2023 is reduced further to 15 working days.

While the Home Office aims to deliver a decision within the timeframe, applicants will not receive a refund if it is not met.

What is the cost for using the priority service?

The additional fee for the priority service is £573 per applicant. If a family of four is applying together, the additional fee is £2,292 on top of the usual application fee and Immigration Health Surcharge. It’s not to be considered lightly, especially when processing times are not guaranteed.

And what if you choose not to use the priority service?

If the priority service is not purchased, visa applications should be processed within the standard 24-week timeframe. The Home Office is working to reduce this standard back towards the previous 12-week timeframe, and intending applicants should check Visa decision waiting times: applications outside the UK for updates.

If you require assistance or have an immigration query, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration, Supporting Individuals with Immigration & Nationality

Author(s)/Speaker(s): Stephen OFlaherty, Parvin Iman, Pip Hague,

The Immigration Rules and guidance for the EU Settlement Scheme (EUSS) will need to be amended in line with a significant recent High Court judgment. Among other things, employers should expect revised guidance on right to work in the UK for individuals with pre-settled status who fail to make a further application under the EUSS.

Text:

Campaign group, the3million has confirmed the Home Office is not intending to challenge recent findings of the High Court that certain elements of the EU Settlement Scheme (EUSS) are not in line with citizens’ rights under the UK-EU Withdrawal Agreement (the WA).

The EUSS is the means chosen by the UK to discharge its obligations under the WA to protect the residence rights of EEA and Swiss citizens living in the UK by 31 December 2020, and their family members. The legality of the Scheme was questioned because those with pre-settled status must make a further application under the Scheme before the expiry of their five-year permission, otherwise they lose their right to live, work, rent and access free healthcare in the UK.

In a successful case brought by the Independent Monitoring Authority for the Citizens’ Rights Agreement, the High Court held that:

• A person with pre-settled status under the EUSS does not lose their residence rights under the WA if they fail to make a second application before the five-year expiry date of that permission; and

• A person with pre-settled status who acquires a right of permanent residence under the WA after five years of lawful residence in the UK does not lose this if they fail to apply for and obtain settled status under the EUSS.

To avoid practical disruption to EUSS participants, amendments to the Immigration Rules and Home Office guidance will need to be in place before August 2023, which is when the earliest grants of pre-settled status are due to expire.

Along with other guidance, it is anticipated that updates to the Home Office’s right to work check guidance for employers will need to be made to cover the situation where a person’s pre-settled status has expired.

Until the Rules and guidance are updated, individuals who become eligible for settled status after five years’ lawful residence in the UK are encouraged to apply for it as this is the most straightforward way of evidencing their rights.

If you have questions about this development, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration

Author(s)/Speaker(s): Andrew Osborne, Clara Le Chevallier, Pip Hague,

This is the third article in our “AI 101” series, where the team at Lewis Silkin unravel the legal issues involved in the development and use of AI text and image generation tools. In the previous article of the series, we looked at the infringement risks of using AI-generated works. In this article, we consider the regulatory framework for AI being proposed by the European Commission and how the UK might follow suit.

Text:

The Draft European AI Regulation

Back in April 2021, the European Commission published its proposal for the Artificial Intelligence Regulation (“AI Regulation), which is currently making its way through the European legislative process. This draft AI Regulation seeks to harmonise rules on artificial intelligence by ensuring AI products are sufficiently safe and robust before they enter the EU market.

The AI Regulation is intended to apply to what the EU terms “AI systems”. The most recent iteration of this concept is defined (in summary) as all systems developed through machine learning approaches and logic, and knowledge-based approaches. This is a wide definition aimed to accommodate future developments in AI technology but extends to much of modern AI software.

The broad scope of this definition is narrowed by the operational impact of the draft legislation, as the AI Regulation takes a ‘risk-based approach’ to governing AI systems. Not all AI systems will be subject to the obligations under the AI Regulation. The AI Regulation divides AI systems into different strands of risk, based on the intended use of the system:

• Prohibited Practices: AI systems that use social scoring (i.e. creating a social score for a person that leads to unfavourable treatment), facial recognition, manipulation (by exploiting any vulnerabilities of specific groups of people, e.g. due to their age, to distort their behaviours) and dark pattern AI.

• High-Risk AI Systems: AI systems with use cases in education, employment, justice, and immigration law among others use cases.

• Limited Risk AI Systems: this includes, at the time of writing, chatbots, emotion recognition and biometric categorisation and systems generating ‘deep fake’ or synthetic content.

• Minimal Risk AI Systems: this includes spam filters or AI-enabled video games.

Providers of such an AI system will be under an obligation to ensure that the AI system complies with the requirements under the risk level that corresponds to its risk allocation. For example, a provider of a “High-Risk AI System” will become subject to a whole host of requirements relating to risk management; the quality of data sets used to train the AI; performance-testing; record keeping; cybersecurity; and a requirement for effective human oversight of the AI.

Equally, users of “High-Risk AI systems” will be required to use the AI system in accordance with the provider’s instructions (including with regards to the implementation of human oversight measures); ensure that the input data is relevant for the intended purpose; monitor the operation for incidents or risks; “interrupt” the system in the case of serious incidents (or suspend its use if they consider that use may result in such a risk); and keep logs generated by the AI system. They will also be required to carry out a data protection impact assessment (DPIA) under the GDPR before using a high-risk AI system (although it feels the horse may have bolted on this front given the widespread public use of ChatGPT and other “GPAIS” tools already – see below).

The AI Regulation provides for substantial fines in the event of non-compliance as well as other remedies, which can scale up to the higher of EUR 30 million and 6% of the total worldwide annual turnover in the most serious cases.

The draft AI Regulation is intended to have broad territorial scope reaching far beyond the borders of just the EU – it is envisaged to apply to:

• providers that first supply commercially or put an AI system into service in the EU, regardless of whether the providers are located inside or outside the EU;

• users of AI located within the EU; and

• providers and users located outside the EU, if the output produced by the system is used within the EU.

Will the draft AI Regulation impact “generative AI” tools (like ChatGPT)?

Particularly relevant to the AI tools we have discussed so far in this blog (i.e. text and image-generating AI) are the recent amendments to the AI Regulation in 2022 – which introduced the concept of General Purpose AI System (“GPAIS“) and includes any AI system that can be used for many different purposes and tasks.

Again, this wide definition captures a variety of AI tools, including AI models for image and speech recognition, pattern detection, translation and also Text and Image Generating AI (like OpenAI’s ChatGPT and Dall-E). It is difficult to predict the potential applications for a GPAIS because these systems are versatile and can complete a variety of tasks when compared to ‘narrow-based’ AI systems, which have specific intended use cases. For example, a text-generating AI tool might be used to draft patient letters for medical professionals, utilising sensitive patient data, even if this was not its original intention. Whilst a GPAIS might be considered as a great technological development by AI enthusiasts, from the EU law-making perspective, such unpredictable applications are considered “high-risk”.

The AI Regulation previously designated an AI system as “high-risk” where its intended purpose was high-risk. However, bringing GPAIS within scope of the “high-risk” classification due to the (however unlikely) chance of a “high-risk application” means such systems are likely to become subject to tough compliance requirements and the associated cost consequences.

The concern with this amendment is that providers will be given impractical requirements, such as listing all possible applications of a tool and the requirement to develop mitigation strategies to deal with such applications. Some commentators have suggested that the full force of the high-risk section of the AI Regulation should apply only if a GPAIS is indeed used for high-risk purposes, rather than having a possible application.

What about in the UK?

As mentioned above, the EU’s draft AI Regulation will likely extend beyond the borders of the EU and may apply to providers and users based within the UK. Therefore, Brexit won’t allow UK-based developers to avoid its effect completely.

Domestically, by way of its National AI Strategy, the UK government set out an ambitious ten-year plan for the UK to remain a global AI superpower – seeking to harness the enormous economic and societal benefits of AI while also addressing the complex challenges it presents.

Even though the UK has not outlined its regulatory framework for AI just yet, the Government’s AI Policy paper published last year (“Establishing a pro-innovation approach to regulating AI”) does provide cause for optimism (if you are a developer) as it sets out a new pro-innovation approach that is “context-specific, risk-based, coherent, proportionate and adaptable” – all buzzwords that imply a different approach to regulation when compared to the staunch regulatory rhetoric of the EU.

Content moderation

Content moderation has been a hot topic given the recently adopted EU Digital Services Act (“DSA”), which has redesigned the rules for offering online content, services and products to consumers in the EU, and the UK’s parallel but contrasting key domestic proposals in the form of the Online Safety Bill (“OSB”), which touches on many of the same aspects as the EU’s DSA.

The DSA has been created with the intention of setting a new standard for greater accountability of online platforms regarding illegal or potentially harmful online content and is due to take effect in 2024.

However, the DSA primarily applies to intermediary services (defined as internet access providers, caching services or hosting services) that store information provided by, and at the request of, a user. In the case of generative AI tools, which themselves generate harmful content, the software is not hosting content created by users and the DSA provisions on intermediary liability are ill-suited to deal with the harms. This may leave room for the EU to legislate (or adapt legislation) to capture the generation of harmful content using AI tools.

Data Protection

The draft EU AI Regulation will also overlap with the protections offered by the General Data Protection Regulation (“GDPR”). Our next blog will delve further into the applicability of the GDPR and privacy regulation to AI tools.

Related Item(s): Technology & Communications, Intellectual Property, Metaverse and web 3.0, AI 101: What are the infringement risks of using AI-generated works?, AI 101: Who owns the output of generative AI?, AI 101: How do AI tools work and why are lawsuits being raised?

Author(s)/Speaker(s): JJ Shaw, Jordan Quartey,

This is the fourth article in our “AI 101” series, where the team at Lewis Silkin unravel the legal issues involved in the development and use of AI text and image generation tools. In the previous article of the series, we looked at the infringement risks of using AI-generated works. In this article, we consider the regulatory framework for AI being proposed by the European Commission and how the UK might follow suit.

Text:

The Draft European AI Regulation

Back in April 2021, the European Commission published its proposal for the Artificial Intelligence Regulation (“AI Regulation), which is currently making its way through the European legislative process. This draft AI Regulation seeks to harmonise rules on artificial intelligence by ensuring AI products are sufficiently safe and robust before they enter the EU market.

The AI Regulation is intended to apply to what the EU terms “AI systems”. The most recent iteration of this concept is defined (in summary) as all systems developed through machine learning approaches and logic, and knowledge-based approaches. This is a wide definition aimed to accommodate future developments in AI technology but extends to much of modern AI software.

The broad scope of this definition is narrowed by the operational impact of the draft legislation, as the AI Regulation takes a ‘risk-based approach’ to governing AI systems. Not all AI systems will be subject to the obligations under the AI Regulation. The AI Regulation divides AI systems into different strands of risk, based on the intended use of the system:

• Prohibited Practices: AI systems that use social scoring (i.e. creating a social score for a person that leads to unfavourable treatment), facial recognition, manipulation (by exploiting any vulnerabilities of specific groups of people, e.g. due to their age, to distort their behaviours) and dark pattern AI.

• High-Risk AI Systems: AI systems with use cases in education, employment, justice, and immigration law among others use cases.

• Limited Risk AI Systems: this includes, at the time of writing, chatbots, emotion recognition and biometric categorisation and systems generating ‘deep fake’ or synthetic content.

• Minimal Risk AI Systems: this includes spam filters or AI-enabled video games.

Providers of such an AI system will be under an obligation to ensure that the AI system complies with the requirements under the risk level that corresponds to its risk allocation. For example, a provider of a “High-Risk AI System” will become subject to a whole host of requirements relating to risk management; the quality of data sets used to train the AI; performance-testing; record keeping; cybersecurity; and a requirement for effective human oversight of the AI.

Equally, users of “High-Risk AI systems” will be required to use the AI system in accordance with the provider’s instructions (including with regards to the implementation of human oversight measures); ensure that the input data is relevant for the intended purpose; monitor the operation for incidents or risks; “interrupt” the system in the case of serious incidents (or suspend its use if they consider that use may result in such a risk); and keep logs generated by the AI system. They will also be required to carry out a data protection impact assessment (DPIA) under the GDPR before using a high-risk AI system (although it feels the horse may have bolted on this front given the widespread public use of ChatGPT and other “GPAIS” tools already – see below).

The AI Regulation provides for substantial fines in the event of non-compliance as well as other remedies, which can scale up to the higher of EUR 30 million and 6% of the total worldwide annual turnover in the most serious cases.

The draft AI Regulation is intended to have broad territorial scope reaching far beyond the borders of just the EU – it is envisaged to apply to:

• providers that first supply commercially or put an AI system into service in the EU, regardless of whether the providers are located inside or outside the EU;

• users of AI located within the EU; and

• providers and users located outside the EU, if the output produced by the system is used within the EU.

Will the draft AI Regulation impact “generative AI” tools (like ChatGPT)?

Particularly relevant to the AI tools we have discussed so far in this blog (i.e. text and image-generating AI) are the recent amendments to the AI Regulation in 2022 – which introduced the concept of General Purpose AI System (“GPAIS“) and includes any AI system that can be used for many different purposes and tasks.

Again, this wide definition captures a variety of AI tools, including AI models for image and speech recognition, pattern detection, translation and also Text and Image Generating AI (like OpenAI’s ChatGPT and Dall-E). It is difficult to predict the potential applications for a GPAIS because these systems are versatile and can complete a variety of tasks when compared to ‘narrow-based’ AI systems, which have specific intended use cases. For example, a text-generating AI tool might be used to draft patient letters for medical professionals, utilising sensitive patient data, even if this was not its original intention. Whilst a GPAIS might be considered as a great technological development by AI enthusiasts, from the EU law-making perspective, such unpredictable applications are considered “high-risk”.

The AI Regulation previously designated an AI system as “high-risk” where its intended purpose was high-risk. However, bringing GPAIS within scope of the “high-risk” classification due to the (however unlikely) chance of a “high-risk application” means such systems are likely to become subject to tough compliance requirements and the associated cost consequences.

The concern with this amendment is that providers will be given impractical requirements, such as listing all possible applications of a tool and the requirement to develop mitigation strategies to deal with such applications. Some commentators have suggested that the full force of the high-risk section of the AI Regulation should apply only if a GPAIS is indeed used for high-risk purposes, rather than having a possible application.

What about in the UK?

As mentioned above, the EU’s draft AI Regulation will likely extend beyond the borders of the EU and may apply to providers and users based within the UK. Therefore, Brexit won’t allow UK-based developers to avoid its effect completely.

Domestically, by way of its National AI Strategy, the UK government set out an ambitious ten-year plan for the UK to remain a global AI superpower – seeking to harness the enormous economic and societal benefits of AI while also addressing the complex challenges it presents.

Even though the UK has not outlined its regulatory framework for AI just yet, the Government’s AI Policy paper published last year (“Establishing a pro-innovation approach to regulating AI”) does provide cause for optimism (if you are a developer) as it sets out a new pro-innovation approach that is “context-specific, risk-based, coherent, proportionate and adaptable” – all buzzwords that imply a different approach to regulation when compared to the staunch regulatory rhetoric of the EU.

Content moderation

Content moderation has been a hot topic given the recently adopted EU Digital Services Act (“DSA”), which has redesigned the rules for offering online content, services and products to consumers in the EU, and the UK’s parallel but contrasting key domestic proposals in the form of the Online Safety Bill (“OSB”), which touches on many of the same aspects as the EU’s DSA.

The DSA has been created with the intention of setting a new standard for greater accountability of online platforms regarding illegal or potentially harmful online content and is due to take effect in 2024.

However, the DSA primarily applies to intermediary services (defined as internet access providers, caching services or hosting services) that store information provided by, and at the request of, a user. In the case of generative AI tools, which themselves generate harmful content, the software is not hosting content created by users and the DSA provisions on intermediary liability are ill-suited to deal with the harms. This may leave room for the EU to legislate (or adapt legislation) to capture the generation of harmful content using AI tools.

Data Protection

The draft EU AI Regulation will also overlap with the protections offered by the General Data Protection Regulation (“GDPR”). Our next blog will delve further into the applicability of the GDPR and privacy regulation to AI tools.

Read the next article in our series ‘AI 101: What are the key data privacy risks and rewards for this new tech?‘.

Related Item(s): Technology & Communications, Intellectual Property, Metaverse and web 3.0, AI 101: What are the infringement risks of using AI-generated works?, AI 101: Who owns the output of generative AI?, AI 101: How do AI tools work and why are lawsuits being raised?

Author(s)/Speaker(s): JJ Shaw, Jordan Quartey,

Agile employers are currently taking strategic action to trade effectively in adverse market conditions. This includes corporate restructures and the movement of people within organisations. Against this backdrop, employers should take care to appropriately consider and monitor changes in employment to avoid illegal working, and in turn, risk to their sponsor licence.

Text:

There are a wide range of potential implications of corporate restructures for sponsorship. See our previous article, Implications of corporate restructures for a business’s sponsor licence for an overview of these. In this article, we highlight some changes to sponsored workers’ employment that can lead to illegal working and/or non-compliance with sponsor duties.

Sponsor compliance relating to right to work

All employers are responsible for ensuring that each employee has the right to work in the UK and this means completing a compliant right to work check before the employee starts work. Compliant follow-up checks must also be carried out where the employee does not have a permanent right to work in the UK.

Right to work compliance is also a key component of the set of duties placed on employers who hold a sponsor licence. Instances of suspected or proven illegal working can lead to a sponsor’s licence being downgraded, suspended and/or revoked.

Employers should also be aware that the issue of illegal working is currently high priority for the Government, with the Home Office recently launching a cross-government ministerial taskforce on immigration enforcement to crack down on illegal working and to coordinate other immigration enforcement activities.

Proposed changes to employment that can lead to illegal working

Sponsored workers have various restrictions on what work they are allowed to do in the UK. Below are some examples of changes to employment that can lead to illegal working for a Skilled Worker:

• A sponsored IT Analyst is asked to assist reception on an ad-hoc basis by logging visitors to the office onto an online system. This would lead to the worker carrying out activities outside of the job description stated on their Certificate of Sponsorship and would be non-compliance, even if they are trying to help out. As the additional task is at a lower skill level than the sponsored role, it could also potentially call into question whether the role continues to be eligible for sponsorship.

• After the pandemic, a sponsored chef in a busy London restaurant is in desperate need of additional chefs to share the workload. The chef is regularly working 60 hours a week, which is over and above the 40 hours a week stated on their Certificate of Sponsorship. The annual salary for a Skilled Worker must be pro-rated in line with their working pattern. If an employee works additional hours without receiving additional salary, it can result in them being paid a lower hourly rate. The sponsor must report a reduction in the hourly rate against the Certificate of Sponsorship within 10 working days of the change happening. If the salary level falls below the minimum hourly rate or the going rate for the role, the worker would be at risk of having their immigration permission cancelled, and the sponsor would be at risk of sponsor compliance action.

• An advertising agency has lost their main client, which unfortunately has gone out of business. The agency has good prospects to replace the work in the medium term due to pitches that are near award. They have a handful of sponsored employees and their Certificates of Sponsorship confirm their job code (known as a Standard Occupation Code) as ‘2473 Advertising accounts managers and creative directors’. They are paid £35,000 a year based on a 39-hour working week. Their salary level is over and above the general salary threshold of £25,600 and the going rate for the job code of £31,900. The agency wish to avoid making redundancies and are considering temporarily reducing their employee’s hours to 28 hours a week. Unfortunately reducing the number of hours will result in a reduction in salary that takes the sponsored employees below the salary threshold requirements. The agency must rethink their strategy if they wish to continue to sponsor the workers, for example by reducing employees’ hours to an extent that still meets the salary threshold requirements. They would then need to report the reduced hours and salary for sponsored workers on the Sponsor Management System within 10 working days.

• An employer is restructuring and has decided to downsize the marketing team. A marketing consultant is offered a new role as a sales consultant. The sales team sits next to the marketing team, so the change seems minor and seamless. The job code under which the employee is sponsored currently is 3543 Marketing associate professionals. The proposed move into sales would result in illegal working as the new role is more suitably aligned to code 3542 Business sales executives. If a sponsored worker’s job will change in such a way that it will fall under a different code (or in some cases a different job title within the same code), a fresh visa application (known as a ‘change of employment application’) must be made and approved before they start working in the new role.

A further point to note on the last scenario outlined above is that sponsors must carry out a repeat right to work check following an approved change of employment application and before the employee starts working in the new role. Failure to comply can result in revocation of the sponsor licence. This requirement has been made more explicit in the latest version of the Sponsor Guidance, which was last updated on 9 November 2022. This is a sponsor duty that currently goes over and above what is required for any other employer as set out in ‘An employer’s guide to right to work checks’ (under which a repeat check is only required before the expiry of the current statutory excuse).

We will be discussing practical compliance issues for sponsors of workers in more detail at our upcoming Mock sponsor audit webinar on 28 February 2023. Click here for more information and to book. If you require assistance with a specific sponsor compliance query, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration, Sponsoring Migrant Workers, Mock sponsor licence audit

Author(s)/Speaker(s): Supinder Singh Sian, Naomi Hanrahan-Soar, Pip Hague,

Agile employers are currently taking strategic action to trade effectively in adverse market conditions. This includes corporate restructures and the movement of people within organisations. Against this backdrop, employers should take care to appropriately consider and monitor changes in employment to avoid illegal working, and in turn, risk to their sponsor licence.

Text:

There are a wide range of potential implications of corporate restructures for sponsorship. See our previous article, Implications of corporate restructures for a business’s sponsor licence for an overview of these. In this article, we highlight some changes to sponsored workers’ employment that can lead to illegal working and/or non-compliance with sponsor duties.

Sponsor compliance relating to right to work

All employers are responsible for ensuring that each employee has the right to work in the UK and this means completing a compliant right to work check before the employee starts work. Compliant follow-up checks must also be carried out where the employee does not have a permanent right to work in the UK.

Right to work compliance is also a key component of the set of duties placed on employers who hold a sponsor licence. Instances of suspected or proven illegal working can lead to a sponsor’s licence being downgraded, suspended and/or revoked.

Employers should also be aware that the issue of illegal working is currently high priority for the Government, with the Home Office recently launching a cross-government ministerial taskforce on immigration enforcement to crack down on illegal working and to coordinate other immigration enforcement activities.

Proposed changes to employment that can lead to illegal working

Sponsored workers have various restrictions on what work they are allowed to do in the UK. Below are some examples of changes to employment that can lead to illegal working for a Skilled Worker:

• A sponsored IT Analyst is asked to assist reception on an ad-hoc basis by logging visitors to the office onto an online system. This would lead to the worker carrying out activities outside of the job description stated on their Certificate of Sponsorship and would be non-compliance, even if they are trying to help out. As the additional task is at a lower skill level than the sponsored role, it could also potentially call into question whether the role continues to be eligible for sponsorship.

• After the pandemic, a sponsored chef in a busy London restaurant is in desperate need of additional chefs to share the workload. The chef is regularly working 60 hours a week, which is over and above the 40 hours a week stated on their Certificate of Sponsorship. The annual salary for a Skilled Worker must be pro-rated in line with their working pattern. If an employee works additional hours without receiving additional salary, it can result in them being paid a lower hourly rate. The sponsor must report a reduction in the hourly rate against the Certificate of Sponsorship within 10 working days of the change happening. If the salary level falls below the minimum hourly rate or the going rate for the role, the worker would be at risk of having their immigration permission cancelled, and the sponsor would be at risk of sponsor compliance action.

• An advertising agency has lost their main client, which unfortunately has gone out of business. The agency has good prospects to replace the work in the medium term due to pitches that are near award. They have a handful of sponsored employees and their Certificates of Sponsorship confirm their job code (known as a Standard Occupation Code) as ‘2473 Advertising accounts managers and creative directors’. They are paid £35,000 a year based on a 39-hour working week. Their salary level is over and above the general salary threshold of £25,600 and the going rate for the job code of £31,900. The agency wish to avoid making redundancies and decide to temporarily reduce their employee’s hours to 28 hours a week. Unfortunately reducing the number of hours will result in a reduction in salary that takes the employees below the minimum salary requirement. The agency must rethink their strategy to comply with their requirements as a sponsor.

• An employer is restructuring and has decided to downsize the marketing team. A marketing consultant is offered a new role as a sales consultant. The sales team sits next to the marketing team, so the change seems minor and seamless. The job code (known as a Standard Occupation Code) under which the employee is sponsored currently is 3543 Marketing associate professionals. The proposed move into sales would result in illegal working as the new role is more suitably aligned to code 3542 Business sales executives. If a sponsored worker’s job will change in such a way that it will fall under a different code (or in some cases a different job title within the same code), a fresh visa application (known as a ‘change of employment application’) must be made and approved before they start working in the new role.

A further point to note on the last scenario outlined above is that sponsors must carry out a repeat right to work check following an approved change of employment application and before the employee starts working in the new role. Failure to comply can result in revocation of the sponsor licence. This requirement has been made more explicit in the latest version of the Sponsor Guidance, which was last updated on 9 November 2022. This is a sponsor duty that currently goes over and above what is required for any other employer as set out in ‘An employer’s guide to right to work checks’ (under which a repeat check is only required before the expiry of the current statutory excuse).

We will be discussing practical compliance issues for sponsors of workers in more detail at our upcoming Mock sponsor audit webinar on 28 February 2023. Click here for more information and to book. If you require assistance with a specific sponsor compliance query, please get in touch with a member of our Immigration Team.

Related Item(s): Immigration, Sponsoring Migrant Workers, Mock sponsor licence audit

Author(s)/Speaker(s): Supinder Singh Sian, Naomi Hanrahan-Soar, Pip Hague,

The Online Safety Bill will introduce a new regulatory regime to address illegal and harmful content online. We are seeing more and more scrutiny in this area, with Australia, Ireland and the EU already passing new legislation, including the EU’s Digital Services Act, and Singapore proposing similar legislation.

Text:

Under the Bill, companies in scope will have to put in place systems and processes to improve user safety. Ofcom will be the appointed regulator in the UK to enforce the Bill. The focus of the Bill is not on Ofcom moderating individual pieces of content, but on tech companies pro-actively assessing risks of harm to their users and putting in place systems and processes to keep them safer online. The Bill extends and applies to the whole of the UK, except for some of the criminal offences which apply differently within the home nations.

Inside

• What companies are in scope?

• Does the Bill affect my business?

• What does the legislation require?

• Criminal offences

• What happens if companies do not comply?

• How should my organisation prepare for the new regime coming into force?

What companies are in scope?

The Bill imposes legal requirements on:

• providers of internet services which allow users to encounter content generated, uploaded or shared by other users;

• providers of search engines which enable users to search multiple websites and databases; and

• providers of internet services which publish or display pornographic content (meaning pornographic content published by a provider).

As well as UK service providers, the Bill applies to providers of regulated services based outside the UK where they fall within scope of the Bill, for example, because such services target the UK or they have a significant number of UK users.

Companies in scope will either be categorised either as “Category 1” services or “Category 2” services where Category 1 services will include the largest platforms with the most users and will be subject to more onerous obligations.

Does the Bill affect my business?

Its scope goes well beyond the obvious ‘Big Tech’ social media platforms and search engines, and it is likely to encompass thousands of smaller platforms, including messaging services, websites, platforms and online forums where information can be shared, where advertising is served, or where users might interact with other users.

What does the legislation require?

Platforms will be required to:

• remove illegal content quickly or prevent it from appearing in the first place. This includes content under offences designated as priority offences in the Bill and includes new additions at the Lords stage about immigration and modern slavery;

• prevent children from accessing harmful and age-inappropriate content (such as, pornographic content, online abuse, cyberbullying or online harassment, or content which promotes or glorifies suicide, self-harm or eating disorders);

• enforce age limits and implement age-checking measures;

• ensure the risks and dangers posed to children on the largest social media platforms are more transparent, including by publishing risk assessments; and

• provide parents and children with clear and accessible ways to report problems online when they do arise.

In relation to adult protections, Category 1 services will be required to facilitate a so-called “triple shield”. The controversial provisions about “legal but harmful content” has been removed. Platforms will need to remove all illegal content, remove content that is banned by their own terms and conditions, and empower adult internet users with tools so that they can tailor the type of content they see and can avoid potentially harmful content if they do not want to see it on their feeds. Children will be automatically prevented from seeing this content without having to change any settings.

Category 1 services will also be required to prevent paid-for fraudulent adverts appearing on their services. They will also have a duty to protect journalistic content, news publisher content and content of democratic importance.

Criminal offences

The Bill also creates new offences, such as:

• The false communications offence, aimed at protecting individuals from any communications where the sender intended to cause harm by sending something knowingly false.

• The threatening communications offence, to capture communications which convey a threat of serious harm, such as grievous bodily harm or rape.

• Flashing offence, aimed at stopping epilepsy trolling.

• Criminalising assisting or encouraging self-harm online.

What happens if companies do not comply?

Ofcom will:

• be able to require companies not meeting their obligations to put things right, impose fines of up to £18 million or 10% of global annual turnover (whichever is higher) or apply to court for business disruption measures (including blocking non-compliant services);

• be able to bring criminal sanctions against senior managers who fail to ensure their company complies with Ofcom’s information requests, or who deliberately destroy or withhold information. The government has promised to introduce an amendment which will also provide for jail terms of up to two years for executives whose companies do not comply with child protection rules under the Bill;

• have a range of powers to gather the information it needs to support its oversight and enforcement activity;

• be able to make companies change their behaviour, by taking measures to improve compliance, including to use proactive technologies to identify illegal content and ensure children aren’t encountering harmful material; and

• help companies to comply with the new laws by publishing codes of practice, setting out the steps companies should take to comply with their new duties. Companies will either need to follow these steps or show that their approach is equally effective (the government says that it expects Ofcom to work collaboratively with companies to help them understand their new obligations and what steps they need to take to protect their users from harm).

How should my organisation prepare for the new regime coming into force?

Organisations should carefully consider if they come within the scope of the Bill, bearing in mind its wide scope of application. Indeed, most companies that provide online content are likely to be caught by its provisions. If that’s the case, here are some practical steps your organisation should take;

• carry out a risk assessment of your operations and websites, and review complaints procedures and terms of service;

• set up and consider improvements to your systems for monitoring all content, and how to balance freedom of expression with the need to protect users from harm

• consider internal systems for spotting and reporting potential harm to children to the National Crime Agency;

• assess if you might be classified as a Category 1 service and therefore be required to comply with the extra obligations imposed;

• keep an eye on Ofcom’s activities, as it prepares to regulate the Bill and consults on various aspects;

• keep a watching brief on the passage of the Bill through Parliament.

Although the Bill is expected to receive Royal Assent during 2023, the timeline as to when the provisions will come into force is still unclear. This is because the Secretary of State will need to make secondary legislation to implement the Bill, and Ofcom will need to publish codes of practice before the Bill takes effect.

Type: Inbrief

Related Item(s): Regulatory Advice, Advertising & Marketing

Author(s)/Speaker(s): Geraint LLoyd-Taylor, Giles Crown,

Attachment: Client Guide – The Online Safety Bill