The ICO's fourth consultation on generative AI and data protection: engineering individual rights into generative AI

24.07.24

On 10 June 2024, the UK Information Commissioner’s Office (ICO) closed its fourth call for evidence in its consultation series on the application of data protection laws to generative AI. 

As a timely reminder of the relevance of this ICO consultation, on 14 June, in response to the ICO raising concerns about UK users’ privacy rights, Meta decided to pause and review its plan to use Facebook and Instagram user data to train generative AI models. 

The fourth stage of the ICO’s consultation focused on the critical aspect of individual rights over personal data, particularly in relation to the training and fine-tuning of generative AI models. This article summarises the ICO's consultation, its implications, and what organisations need to do to ensure compliance with data protection laws. 

Background on the ICO's consultation series

The ICO's series of consultations has previously tackled:

  1. Lawful basis for web scraping to train generative AI models.
  2. Purpose limitation in the generative AI lifecycle.
  3. Accuracy of training data and model outputs.

The fourth consultation delved into how developers and deployers of generative AI can engineer data protection rights of individuals into generative AI models. The insights gathered will inform the ICO's future guidance and regulatory approach to generative AI.

Key individual rights under UK data protection law

Individuals have a number of rights concerning their personal data under UK data protection law. These include the rights of individuals:

  • To be informed about how their personal data is being processed.
  • To access their personal data.
  • To have inaccurate information rectified.
  • To not be subjected to solely automated decisions with legal or similarly significant effects.
  • To request the deletion or restriction of their personal data, in certain circumstances.

These rights will apply where personal data is processed using generative AI, including as part of training data, fine-tuning data which may include human feedback and benchmarking data, model outputs and user prompts. This ensures the protection of personal data across the entire AI lifecycle.

The ICO’s analysis and focus areas

The ICO's fourth call for evidence sought to address several challenges and best practices to ensure these data subject rights are prioritised in the context of generative AI:

  1. The right to be informed:
    • Developers must provide clear information on how personal data is used and how individuals can exercise their rights.
    • This applies even when data is collected indirectly, such as through web scraping, public datasets or even user-generated data. 
    • Even when exceptions to this obligation apply, such as in cases of disproportionate effort for web-scraped data, developers can still ensure protection by publishing specific and accessible information about the types of personal data used, the purposes of the data processing, and the lawful basis for processing.
    • The ICO will likely issue further guidance in due course with additional recommended measures that developers should take to safeguard individuals’ rights and freedoms, such as privacy-enhancing technologies and pseudonymisation techniques.
  2. The right of access:
    • Developers are expected to have clear, documented methods for responding to data access requests, regardless of the stage of the AI lifecycle.
    • If developers cannot identify individuals in the data, they must explain and demonstrate this to the individual making the request.
  3. Rights in respect of erasure, rectification, restriction and objection:
    • Generative AI models pose unique challenges due to their potential to ‘memorise’ data, which can then be difficult to extract in order to rectify or erase. The ICO has sought evidence on how these rights are being respected in practice.
    • One potential mitigation discussed as part of the consultation was the use of input and output filters to detect and amend user prompts and output data which may contain personal data. The ICO has also sought evidence on whether these input and output filters are a sufficient mechanism for enacting data subjects’ rights.
  4. Deployment stage:
    • The responsibility for fulfilling individual rights lies with each controller or joint controller of personal data, which can include various organisations involved in the AI lifecycle and supply chain.
    • This responsibility includes ensuring rights are respected for data used in training, as well as for data inputted into the model post-deployment.

Concluding comments

The ICO’s fourth consultation highlights the complexities and critical importance of respecting individual data rights in the era of generative AI. As organisations continue to innovate with AI technologies, it is essential to embed robust data protection measures from the outset. Ensuring transparency, accountability and the ability for data subjects to exercise their legal rights not only complies with legal obligations but also builds public trust in AI systems.

The fourth call for evidence concludes that organisations developing or deploying generative AI should:

  • Develop clear, effective processes for enabling the exercise of data rights.
  • Provide meaningful, concise, and accessible information about how personal data will be processed.
  • Justify any use of exemptions and demonstrate measures to safeguard individual rights.

Next steps

The ICO will analyse the consultation input received from the broad spectrum of stakeholders, including AI developers, legal advisors and consultants, to shape its future guidance on generative AI.

For more information, please contact the privacy and data team.
