The Information Commissioner’s Office (ICO) has published an update on its strategic approach to AI regulation in response to a letter from the Secretary of State for Science, Innovation and Technology. The update summarises the various work undertaken by the ICO and gives an insight into what lies ahead. We summarise the key points below.
Data protection law
Part of the update is dedicated to explaining the role of data protection law in regulating AI.
The ICO provides an overview of each of the principles set out in the White Paper on AI regulation (which we covered here) drawing parallels with established data protection principles. For example, the ICO highlights how security is a current statutory principle with organisations already required to ensure appropriate levels of security against unauthorised or unlawful use of personal data. Similarly, organisations are required to be transparent on who organisations are, and how and why they use personal data. In essence, the ICO confirms its existing regulatory framework is flexible and in keeping with the adaptable approach to AI regulation envisaged by the UK government (which we covered here).
The ICO explains the work done in relation to each of the White Paper principles and includes helpful links to relevant guidance.
Publication of guidance
In its update, the ICO highlights that it has already published a range of guidance to assist organisations with applying data protection law to AI.
The update lists various guidance from the ICO including guidance on AI and data protection, automated decision-making and profiling, explaining decisions made with AI, its AI and data protection risk toolkit and its specific guidance on biometric recognition technologies and age assurance technologies.
Overall, the tone of the ICO’s update gives a clear message that the ICO is continuing to take proactive approach in ensuring that its advice and guidance stay relevant as AI develops. For example, the ICO states that it is currently consulting on how data protection law should apply to generative AI and the use of biometric classification technologies and expects to consult on updating its core guidance in Spring 2025.
The key message for organisations is to regularly review the ICO’s website for new guidance or updates.
Support for organisations developing AI technologies
The update also focusses on the ICO’s approach to supporting AI innovators.
As part of this support, the ICO makes various services available to assist organisations seeking to develop and deploy AI, including a Regulatory Sandbox, Innovation Advice and Innovation Hub services.
Additionally, the update notes the ICO’s programme of consensual audits of organisations to “drive best practice”.
Regulatory action
The update confirms the ICO will continue to use its regulatory powers to ensure compliance with the law.
The ICO has previously published its regulatory approach which confirms that whilst its approach is supportive of innovation there is a requirement for innovation to be balanced against the need to establish public trust and economy in how information is used by organisations, including AI innovators, in a way that is transparent and accountable. It includes a useful summary of the regulatory action that the ICO can take and its approach to communicating its regulatory activities.
Collaboration
Concluding its update, the ICO confirms it will continue its work with other regulators across the public and private sector to protect people from the risks posed by AI and “ensure coherent regulation for organisations”.
This includes collaborating with the Competition and Markets Authority, Ofcom and the Financial Conduct Authority as part of the Digital Regulation Cooperation Forum. The forum has several activities planned in 2024 such as cross-sector research initiatives and hosting joint workshops.
The ICO makes clear its intention to work alongside the government, standards bodies, international partners and work closely with regulators on a bilateral basis. Highlighting this, the ICO sets out in the update that it will publish a joint statement with the Competition and Markets Authority regarding foundation models, later this year, to support “coherence for businesses” and promote “behaviours that benefit consumers” where the ICO’s and Competitions and Markets Authority’s remits interact.
If you have any questions or would otherwise like to discuss any of the issues raised in this article, please contact Lucy Pegler, Tom Whittaker or Liz Smith. For the latest updates on AI law, regulation, and governance, see our AI blog at: AI: Burges Salmon blog (burges-salmon.com)
Written by Liz Smith and Sam Efiong.
Data protection law is technology-neutral. It applies to any processing of personal data, no matter what technology is being utilised to undertake that processing. It is therefore adaptable and able to respond to new technologies, including advances in AI.