THE LENS
Digital developments in focus

Insights from the ICO’s Snap decision on genAI enforcement

Last month, the ICO announced that it would not take enforcement action against Snap for its ChatGPT-powered “MyAI” chatbot, despite its Preliminary Enforcement Notice (PEN) of October 2023, which suggested it might do so to prevent Snap processing personal data in connection with MyAI (discussed in this blog). The ICO has now published the 62-page decision underpinning its conclusion not to bring such enforcement action. So what can we learn?

The ICO is following through on its promise to be a pro-innovation regulator (for now)

The ICO worked collaboratively with the company on the mitigation of the data protection risks of MyAI. The ICO found that the first four versions of Snap’s Data Protection Impact Assessment (DPIA) failed to adequately address MyAI’s privacy risks, which resulted in the PEN. The PEN effectively gave Snap a ‘to do’ list to bring its DPIA into compliance. In summary, the PEN found that Snap had failed to:

  • systematically describe the “nature, scope and context” of the processing carried out in connection with MyAI; 
  • assess the necessity and proportionality of the processing, particularly on how genAI’s use “changed the nature” of the data being processed and the processing operations performed; 
  • assess the risks to the rights and freedoms of users, including the impact of targeted marketing on users aged 13-17; and 
  • identify measures to mitigate the risks, including the “compounded” risks to users aged 13-17. 

The ICO’s final decision outlines how each of these points was subsequently addressed by Snap in its fifth DPIA, which was found to comply with the GDPR. The PEN had also identified a connected breach: Snap had not consulted the ICO despite its DPIAs identifying a residual high risk to data subjects. However, the ICO ultimately accepted that Snap had erred in its finding of high risk, so no prior consultation had been required. 

Impact of the ICO’s approach?

Some might see the ICO’s decision to issue a PEN as a win-win solution. From the regulator’s perspective, it resulted in a mitigation of privacy risks whilst avoiding stymieing innovation and the potential for lengthy (and costly) appeals. For Snap, the ICO’s approach avoided a fine or an abrupt disruption of its commercial operations and any accompanying negative publicity. This view ignores, however, the risk that the ICO’s approach will encourage companies to see compliance as necessary only if the ICO intervenes, a return to the approach of the days before the ICO could impose fines. It should be noted, though, that it was Snap that first raised MyAI with the ICO by requesting a meeting in March 2023, so its favourable treatment can perhaps be better seen as an endorsement of a proactive approach. Only time will tell whether the ICO’s approach in this case is a step forward or back for privacy compliance. 

Given that this investigation was started relatively early in the genAI explosion, while the ICO was still developing its own thinking in this area, there is no guarantee the ICO would take the same approach again as the industry and its guidance mature. Stephen Almond, the ICO’s Executive Director of Regulatory Risk, described the Snap decision as a “warning shot” and confirmed that the ICO will continue to use its full range of enforcement powers, including fines, in this area.

Guidance by another name

The ICO’s detailed decision provides helpful worked analysis in several key areas, including on controllers and joint controllers and on the extraterritorial application of the GDPR. It also closely maps Snap’s compliance with the ICO guidance on DPIAs, outlining how Snap’s DPIA was brought into compliance. For example, Snap included more information on data sharing with other entities in the MyAI supply chain and on the internal teams given data access. 

The decision also describes some of the mitigations Snap put in place, including a new tool allowing parents to switch MyAI off on their child’s device and a “just in time” privacy notice tailored to its teenage audience.

Overall, the ICO’s explanation of its decision is helpful reading for any organisation looking to implement genAI or undertaking any other high-risk processing, which is likely why the ICO chose to publish it. 

