The Information Commissioner's Office has published a response to the recent UK Government White Paper “A pro-innovation approach to AI regulation” (see our article on the White Paper).

The ICO supports the White Paper’s ambitions to empower responsible innovation and sustainable economic growth, which align with their own strategic ambitions (set out in ICO25).  They highlighted that the uses of AI are often powered by personal data, the processing of which will need to be regulated by the ICO, placing them in a “central role in the governance of AI”. However, the ICO also recognised the key role other UK regulators play in governing the use and development of AI and the importance of fostering greater regulatory coherence and certainty.

Here we highlight the key points from the ICO's response.

The ICO’s views on the White Paper

The Role of Regulators 

The White Paper proposes the creation of a central function to coordinate, monitor and adapt the AI regulatory framework, but no AI-specific regulator.

Though the ICO welcomes the intention to assemble regulators to deliver work such as joint regulatory guidance, they note it is the regulators themselves that must produce the guidance.  Industry requires certainty including from when and how that guidance will be published.  The ICO would welcome clarification on the respective roles of government and regulators in the issuing of guidance and advice. The ICO encourages the Government to work through regulators, in particular through the Digital Regulation Cooperation Forum, which already promotes joined-up regulator positions in relation to AI.

Statutory duties and AI Principles

The AI White Paper proposes principles for the regulation of AI and the eventual introduction of a statutory duty for regulators to have due regard to these principles. The ICO considers that these principles map closely to those found in the UK data protection framework.

Due to this overlap the ICO is keen to ensure the principles are interpreted in a way that is compatible with the existing data protection principles to avoid creating confusion. The ICO also highlights the importance of regulators interpreting the principles in line with UK data protection law, given how closely they map onto the UK data protection principles and the fact many AI systems will process personal data. The ICO states “maintaining compatibility between the principles will help minimise unnecessary complexity and burden for businesses”.

The ICO has set out their detailed comments on the White Paper principles to help produce consistency in approach. In summary:

  • Fairness – The ICO believe this principle should cover the stages of developing an AI system as well as when it is in use (like the ICO fairness principle). Therefore, amendments are suggested to the wording of the principle to include development.
  • Contestability and redress – The White Paper expects regulators to clarify existing routes for users and others to contest outputs or decisions of AI and gain redress when things go wrong. However, the ICO notes it is typically the organisations using the AI that should clarify routes to, and implement, contestability of their own systems. The ICO therefore asks for clarity on this principle, stating the scope for regulators may instead be described as “making people more aware of their rights in the context of AI”.
  • Interactions with UK GDPR Article 22 – The White Paper states where an AI system has a legal (or similarly significant) effect on an individual, regulators should consider requiring AI system operators to provide an appropriate justification for the decision. The ICO points out that where personal data is used for automated decision-making (i.e. where article 22 is engaged) it will be a requirement to provide justification, not a consideration to do so. Clarification is suggested for this principle to avoid confusion in the industry about what is required.

The Format of the Guidance

The White Paper proposes regulators work together to produce joint guidance for businesses to encourage clarity and make it easier for businesses to comply whilst still developing new ideas/innovative products. 

The ICO recommends the Government prioritises research into the type of guidance that would be most valued by relevant businesses because sector/use case specific guidance is likely to be more beneficial than high-level joint guidance.

The Sandbox

The White Paper proposes the establishment of a joint regulator sandbox to bring together regulatory advice from different sectors. The ICO points to their experience in operating their own sandbox, the “Innovation Advice and Innovation Hub”, to make some recommendations on the design:

  • the scope of the sandbox should be extended to include all digital innovation;
  • the sandbox should provide timely advice aligning with AI development lifecycles (to help clarify the law);
  • a different slower and more-intensive testing and trialling environment would be of value to sectors where specific regulatory authorisation is needed before launch (e.g. finance or medicine), and
  • to ensure resources are targeted to projects with the biggest impact support should be prioritised in accordance with international best practice. Focusing on the degree of innovation, the level of regulatory barriers, and the potential for wider economic, social or environmental benefit.

The ICO recommends the Government works closely with the Digital Regulation Cooperation Forum to further develop its ideas.

Cost Implications

The ICO acknowledges that this process will result in additional costs for regulators like them. As such, the ICO would like to have further discussions with the Government on the funding of the proposals.

If you would like to discuss how current or future regulations impact what you do with AI, please contact Tom Whittaker or David Varney.

This article was written by Alice Willoughby.