In the fast-evolving landscape of technological innovation, artificial intelligence (AI) has become pivotal for progress, presenting both opportunities and challenges. Despite gaps in the regulatory framework, the UK government and the regulatory members of the Digital Regulation Cooperation Forum have a keen focus on keeping pace with AI developments to safeguard consumers.
In a recent effort by the Information Commissioner's Office (ICO), the United Kingdom's communications regulator to clamp down on unsafe practices, Snapchat, the social media app with more than 21 million active users each month, is currently under scrutiny for privacy challenges to its generative chatbot, 'My AI'.
The ICO recently issued a preliminary enforcement notice against Snap Inc. (Snap), the parent company of Snapchat, commenting on its concerns that Snap's generative AI chatbot poses privacy risks to users, including children. As a result, Snap could face a fine of millions of pounds from the UK data watchdog.
My AI: A Brief Overview
Snapchat's 'My AI' is a chatbot feature designed to provide users with an AI companion that is capable of mimicking human-like conversations based on specific knowledge from the user. The chatbot runs on OpenAI's Generative Pre-trained Transformers (GPT) technology.
ICO's Concerns and Snapchat's Response
The ICO's preliminary findings suggest that Snap's risk assessment before the launch of 'My AI' inadequately addressed data protection risks, especially concerning children. The ICO may require Snap to suspend 'My AI' until a satisfactory risk assessment is conducted. If a final enforcement notice is issued, Snap will have to stop using personal data for 'My AI', meaning 'My AI' will be blocked for UK customers until Snap completes an adequate risk assessment. Snap claimed it had undergone a comprehensive legal and privacy review before incorporating 'My AI', and is collaborating with the ICO to address concerns.
Checklist to Prevent ICO Enforcement Notice
After having pursued specialist legal advice, consider whether you need to:
- conduct a thorough data protection impact assessment to identify potential privacy risks;
- implement specific systems, policies and procedures to mitigate any risks identified;
- implement mechanisms to obtain explicit and informed consent, particularly when handling special category personal data and children's personal data;
- ensure privacy policies are up to date, transparent, easily accessible and adapted according to the user;
- perform reviews regularly (at least annually) to ensure ongoing adherence to data protection laws and adapt where necessary; and
- communicate enquiries to the ICO according to advice received from specialist data privacy lawyers.
*Nicole Akinyemi, trainee in the Intellectual Property practice, contributed to this article.
London
