Who’s who in the genAI supply chain: ICO publishes draft guidance on controllership

In its fifth and final call for evidence on the topic of generative AI (genAI), the ICO has chosen to tackle a complex, but important, topic: controllership. In many ways, this is a crucial first step – without clarity on who is controller, processor or whether there are joint controllers involved, it will be impossible for each of the players in the complex genAI supply chain to understand the extent of their obligations under data protection law, nor how to interact at a contractual level with others in that supply chain. 

Why and when is controllership challenging to determine in genAI supply chains?

There can be a number of different entities in genAI supply chains, all carrying out various processing activities for a variety of different purposes. There is often greater interdependence between the entities involved and this, the ICO acknowledges, means the roles of ‘developers’ and ‘deployers’ don’t always neatly map onto the concepts of controllers and processors. The ICO also reminds us that those roles are not necessarily determined by a contract, nor are they influenced by other legal regimes such as intellectual property or competition law. Helpfully, the ICO includes several examples and options (and references to background information) to help organisations determine what role they may be performing in respect of different processing activities in the genAI supply chain. 

There will be instances where determining controllership is relatively simple. For example, organisations developing a base generative AI model to provide as a product or service will be controllers for a lot of the development-related processing where they have influence and control over the purposes and means. However, whether they will be a controller for other processing activities is often less clear. At the deployment stage, the developer could be a joint controller with the deployer, a processor on their behalf or have no role at all.  

The role of the deployer can also be quite straightforward to determine – for example, a law firm using an LLM to summarise legal documents would be a controller. But it can be more complicated with so-called ‘closed access’ models. Deployers of such models are often being labelled as controllers and developers as processors, despite deployers lacking the necessary expertise, agency or resources (including access to information) to be able to actually understand, control and influence the processing. 

What does this mean in practice? 

The ICO suggests that the distinction between open and closed access is a false dichotomy - rather, deployers need to consider where their model sits on the sliding scale of access. At the more ‘closed’ end of the spectrum, the ICO recommends that deployers should either request more information from the developer or recognise that they lack control over at least some of the processing and identify the party that does (i.e. the developer), who could be a controller or joint controller. 

More generally, the ICO considers that as there are often shared objectives and influence from developers and deployers in the context of genAI, there is likely to be a joint controllership instead of a processor-controller arrangement between them. This will not always be the case though. The ICO is also clear that different processing activities should not be “lumped together” when they serve different objectives or have distinct data protection risks. Hence the importance of clearly understanding the different processing activities as this will help all entities demarcate which processing they are controllers, joint controllers or processors for and justify why. 

Nonetheless, the ICO urges genAI developers to examine joint controllership when considering their relationship with third party deployers, as it can help with accountability and mitigate compliance and reputational risks that could undermine trust. Given that complex supply chains and transactions with multiple parties and processing activities exist beyond the sphere of genAI and AI, this is a useful reminder for organisations to ensure they have a clear and documented understanding of the roles they play in respect of their different processing activities more generally.