THE LENS
Digital developments in focus

ICO gen AI consultation response: 5 things you need to know

The UK Information Commissioner’s Office (ICO) has published its response to its data protection and genAI consultation.  While there is plenty to digest in the ICO's 41-page response document, we have extracted five key takeaways. 

The majority of the ICO's consultation positions are maintained

The policy positions in three of the ICO’s five chapters are not being altered, namely purpose limitation (discussed in this blog), accuracy (discussed in this blog) and controllership (discussed in this blog). As such, these chapters provide useful guidance on the ICO’s approach to these issues in the context of genAI and in some cases more generally. For example, the controllership chapter has useful read-across to complex supply chains more generally.

Conversely, the ICO has revised its position in two areas, being the lawful bases for web-scraping and individuals' rights, having received significantly more responses in each of these areas. 

Legitimate interests under scrutiny 

The ICO's position on the use of legitimate interests as a legal basis for web-scraping training data has become more robust. Submissions on viable alternatives to web-scraping for genAI training, such as licensing data obtained directly from individuals, appear to have particularly influenced the ICO's views. To be able to satisfy the necessity requirement in the legitimate interest assessment, the ICO therefore expects developers to evidence why other available methods for data collection are not suitable.

The ICO received minimal evidence that the privacy risks of web-scraping without individuals’ knowledge could be mitigated. As such, it calls on developers to significantly improve their approach to transparency as, without better transparency, the ICO argues it will be hard for developers to rely on the legitimate interests ground. Since the ICO also sets out that legitimate interests is the only possible ground that could be relied upon, this could therefore be a blocker.

Individuals’ rights are a focus

The ICO says it didn’t receive verifiable evidence on practical measures to enable people to exercise their rights. As a result, it is concerned that many developers and deployers do not have measures in place to effectively respond to such rights requests.

The ICO states that developers should at the outset adopt appropriate measures to enable them to fulfil information rights by adopting a privacy by design approach for both the training data and trained models. 

The ICO reminds us that not all information rights are absolute, but notes that information requests must be considered on a case-by-case basis, as there may be some cases where the developer / deployer doesn't have a “compelling legitimate interest” which overrides the individual’s rights.

The ICO received a number of submissions about reliance on article 11 of the UK General Data Protection Act. The ICO is clear that, to rely on this, controllers have to assess on a case by case basis their ability to identify a person. If they can’t, they then need to tell the individual, offering easy ways for them to provide additional information to help the controller identify their personal data. This does not therefore appear to be the panacea, at least in the ICO's view, that some had asserted it could be. 

Robust views on controllership 

While not updating its position on controllership, the ICO reinforces its position in a couple of areas in light of the consultation: 

  • developers’ overarching decisions can impact how a model operates in the deployment phase, so deployers of 'closed access' models can lack meaningful control or influence over the processing. The ICO sees joint controllership between the players as addressing this potential responsibility gap; and
  • where developers are using deployer data for their own product improvement, they will be controllers for that processing, even if the improved product benefits the deployer. 

Further guidance and enforcement

The ICO will update its core guidance on AI to include genAI as well as to reflect the Data (Use and Access) Bill's changes and will carry out further consultation, but the ICO directs us to that core guidance plus its consultation responses in the meantime. 

The ICO’s final positions, as set out in its response to this consultation, will be reflected in its upcoming joint statement with the UK Competition and Markets Authority on the interplay of data privacy and competition and consumer law in the AI arena, so that is something to look out for.

The ICO’s position of course only applies directly to the UK, whilst AI use cases often have pan-European or global application. The extent of divergence between the differing regimes and regulators is again one to watch. On that note, the European Data Protection Board has this week published its Opinion on the use of personal data for the development and deployment of AI models, so look out for our upcoming blog on that.

On the enforcement front, Stephen Almond has warned that the ICO will now be focussing attention on “organisations that are not doing enough”.  With the ICO expecting organisations to be aware of and to reflect its published guidance, developers and deployers are now on notice of the ICO’s expectations. 
