UK Trends and Developments Contributed by: Janine Regan and Victor Mound, Charles Russell Speechlys
its approach will be pragmatic and risk-based, and highlighted key focus areas: • foundation models; • high-risk AI applications (such as in educa - tion, healthcare, financial services and recruit - ment); • facial recognition technology; • biometrics; and • protecting children. During 2024, the ICO published five chapters on generative AI for consultation. This covered: • the lawful basis for web scraping to train gen - erative AI models; • purpose limitation in the generative AI life cycle; • accuracy of training data and model outputs; • engineering individual rights into generative AI models; and • allocating controllership across the generative AI supply chain. On 12 December 2024, the ICO published its response to the series, summarising the key results of the consultation. In a similar vein to the European Data Protection Board, the ICO also took the view that web scraping for genera - tive AI training is a high-risk, invisible processing activity. This means that the use of personal data to train generative AI models is unlikely to pass the balancing test required for developers to rely on legitimate interests as a lawful basis. The ICO also raised concerns about a lack of practical measures enabling individuals to exercise their rights in respect of their personal data. On 1 May 2024, the ICO completed its first enforcement action against Snap, Inc in rela - tion to its ChatGPT-powered “My AI” chatbot. The ICO expressed concerns that the original
data protection impact assessments provided by Snap had not adequately assessed the risks of targeting users aged 13 to 17 for advertis - ing, of processing special category data on a large scale, and of users not understanding how the chatbot processed their personal data. The investigation resulted in Snap taking significant steps to provide more detailed risk assessments and adopting mitigation measures, including protections specifically designed for users aged 13 to 17, in the form of: • a “Family Centre” allowing for parental super - vision; • just-in-time privacy notices for younger audi - ences; • content filtering by age bucket; and • dedicated controls to limit the chatbot when being used to complete homework. The ICO did not issue a monetary penalty or reprimand, and was satisfied with the remedial steps Snap had taken. However, the ICO used this as an opportunity to remind organisations to consider data protection from the outset before bringing products to market. The ICO has taken a proactive approach to working on high-risk AI applications. In Novem - ber 2024, it published an audit report analysing the use of AI tools in recruitment. One of the rec - ommendations included using pseudonymised personal information, or aggregated informa - tion, where possible, noting that where pseu - donymised information is used any secondary use must still be compatible with the purpose for which that information was originally collected. In 2025, the authors expect the ICO to carry out audits looking at technology in education and youth prison services as part of its strategic approach to AI.
518 CHAMBERS.COM
Powered by FlippingBook