Decoding the ICO’s Generative AI guidelines: what you need to know
The Information Commissioner’s Office (ICO) recently concluded its consultation on generative artificial intelligence (GAI). GAI models can generate new content from inputs such as text, image, audio, video and code. With the growing adoption of AI technologies, businesses need to stay ahead of regulatory expectations. The ICO’s latest response offers essential guidance on navigating the intersection of AI and data protection law.
We break down the ICO’s 5 key focus areas, providing a clear roadmap for compliance.
- Web scraping and the lawful basis for data collection
The ICO maintains that “legitimate interest” is the only lawful basis on which a developer can rely for web scraping (automatic extraction of data from public websites) to train GAI models. To rely on this basis, businesses must meet the purpose, necessity, and balancing tests.
Key considerations include:
- Specificity of interests: Developers must clearly define the specific interests being pursued by data collection, even if the data will be used for multiple downstream applications.
- Alternatives to web scraping: The ICO encourages exploring alternative data collection methods (e.g., direct consent or licensing) and expects developers to demonstrate the necessity of web scraping.
- Transparency: Developers must provide clear, accessible information to data subjects on what data is being collected and how it is used, ensuring that individuals can exercise their rights effectively.
- Purpose limitation across the AI lifecycle
The ICO stresses that personal data must be collected for specific, defined purposes and cannot be repurposed for other uses without obtaining a new legal basis. This is to prevent “function creep” – where data initially collected for one purpose (e.g., training a GAI model) is later used for unrelated purposes (e.g., marketing).
Businesses must ensure their AI models are only used for the purposes originally stated when data was collected, revisiting legal grounds or obtaining fresh consent where necessary.
- Ensuring accuracy in training data and model outputs
Accuracy is critical. The ICO highlights the importance of ensuring both the accuracy of training data and the outputs of AI models to prevent biased or flawed AI decisions which could lead to privacy and fairness concerns.
Businesses should:
- Regularly audit training datasets.
- Test AI outputs for accuracy and fairness.
- Maintain transparency on data use to foster trust and compliance with data protection laws.
- Engineering individual rights into GAI models
The ICO emphasises the integration of data protection by design into AI systems. However, many developers are not facilitating individuals’ ability to exercise their rights, particularly in relation to web-scraped data.
Key points include:
- Transparency: The ICO will act against organisations that fail to meet transparency standards.
- Article 11 UK GDPR: Businesses must avoid over-relying on this provision (which applies when individuals cannot be identified). They must prove they cannot identify individuals and allow data subjects to provide information for identification if desired.
- Exercising rights: Businesses must build mechanisms that allow individuals to request data deletion or modification if their personal information was used to train an AI model.
- Controllership in the AI supply chain
The ICO clarifies that controllership in the AI space is not always straightforward. Developers and deployers of AI models may share responsibility, and roles should be clearly defined based on the specifics of the processing activities.
For businesses, this means:
- Joint controllership: Developers and deployers may share responsibility, and contracts must clearly outline who is accountable for what. Joint controllership does not mean shared responsibility for everything; specific roles and responsibilities should be clearly allocated.
ICO addresses misconceptions
The ICO also cleared up several misconceptions:
- AI exemption: There’s no such thing as an “AI exemption” to data protection law. AI models can have significant data protection implications and must comply with the law.
- PII vs. personal data: “Personally identifiable information (PII)” is different from “personal data”.
- Incidental processing: Even “incidental” processing of personal data counts as data processing under the law.
- Reasonable expectations: Industry practices do not automatically align with individuals’ expectations about their data.
Practical steps for compliance
There are practical steps that businesses can adopt to address compliance with the ICO’s guidance, including:
- Designing AI systems applying data protection by design.
- Clearly defining roles and responsibilities in the AI supply chain.
- Providing clear, accessible information about personal data collection and use.
- Using exemptions cautiously and avoiding over-reliance.
- Ensuring accountability in joint controllership by formalising roles in contractual agreements.
Conclusion
While the ICO’s report clarifies several key issues, it acknowledges it is not an exhaustive review of all data protection challenges associated with GAI. The ICO notes that upcoming legislation, such as the Data (Use and Access) Bill, may further impact its approach. In the meantime, it will continue to engage with stakeholders and update its guidance to reflect changes in the law.
This report marks an important step in shaping how GAI development and deployment will intersect with data protection law in the coming years. The ICO’s continued focus on transparency, the lawful basis for data processing, and individual rights will undoubtedly play a crucial role in how businesses and organisations navigate the evolving landscape of AI and data privacy.