WIREDGOV

The Information Commissioner’s Office (ICO) has concluded its investigation into Snap, Inc’s launch of the ‘My AI’ chatbot.

• ICO concludes investigation into Snap’s approach to assessing the data protection risks of its ‘My AI’ chatbot
• Early ICO action highlights the importance of protecting privacy rights in the context of generative AI
• Regulator warns industry to engage with the data protection risks of generative AI before bringing products to market
• ICO continuing to monitor the development and deployment of generative AI models, and reminds industry it must innovate responsibly

In June 2023, the ICO opened an investigation into ‘My AI’ following concerns that Snap had not met its legal obligation to adequately assess the data protection risks posed by the new chatbot. Snap launched ‘My AI’ for its premium Snapchat+ subscribers on 27 February 2023, before it was subsequently made available to all Snapchat users on 19 April 2023. The investigation led to the ICO issuing a Preliminary Enforcement Notice to Snap on 6 October 2023.

The ICO’s investigation resulted in Snap taking significant steps to carry out a more thorough review of the risks posed by ‘My AI’ and demonstrate to the ICO that it had implemented appropriate mitigations. The ICO is satisfied that Snap has now undertaken a risk assessment relating to ‘My AI’ that is compliant with data protection law. The ICO will continue to monitor the rollout of ‘My AI’ and how emerging risks are addressed.

Stephen Almond, ICO Executive Director of Regulatory Risk, yesterday said:

“Our investigation into ‘My AI’ should act as a warning shot for industry.

Organisations developing or using generative AI must consider data protection from the outset, including rigorously assessing and mitigating risks to people’s rights and freedoms before bringing products to market.

We will continue to monitor organisations’ risk assessments and use the full range of our enforcement powers – including fines – to protect the public from harm.”

Generative AI remains a key priority for the ICO, and the regulator has launched a series of consultations on how aspects of data protection law should apply to the development and use of generative AI models, building on its extensive guidance on data protection and AI.

The final Commissioner’s decision in this case will be published in the coming weeks.

Notes to Editors

1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, civil enforcement and audit.
4. To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.