ICO calls for evidence about allocating controllership across the generative AI supply chain

August 29, 2024

The ICO is consulting on generative AI development and use. This call for evidence forms the fifth and final section of the ICO’s consultation series on generative AI and data protection, and focuses on the allocation of accountability for data protection compliance across the generative AI supply chain.

The ICO says that the allocation of accountability is complicated because of the different ways in which generative AI models, applications and services are developed, used and disseminated. It is also complex due to the different levels of control and accountability that participating organisations may have. The call for evidence focuses on the allocation of roles and responsibilities in the generative AI supply chain. It does not cover the specific obligations in detail, but provides some indicative scenarios of processing activities. Generative AI is fast-moving, and different processing activities and organisations may be added into the supply chain.

Accountability is a principle of data protection law. There are two key elements:

  • organisations are responsible for complying with the UK GDPR; and
  • organisations must be able to demonstrate their compliance.

Demonstrating compliance with the accountability principle relies on the accurate allocation of responsibility between three roles an organisation can play when processing personal data. These roles are:

  • a controller – controllers are the main decision makers. They exercise overall control over the purposes and means of the processing of personal data;
  • a joint controller – if two or more controllers jointly determine the purposes and means of the processing of the personal data, they are joint controllers; or
  • a processor – processors act on behalf of, and only on the instructions of, the relevant controller.

Which role an organisation plays will depend on:

  • the specific processing of personal data taking place;
  • the circumstances in which this happens; and
  • who has genuine, real-life influence and control over the purposes and means of the processing.

Whether an organisation is a controller, joint controller or processor is not necessarily determined by a contract. In generative AI, the roles of ‘developers’ and ‘deployers’ don’t always neatly map onto the concepts of controllers and processors. Roles and responsibilities under data protection law are also not influenced by other areas of law such as intellectual property or competition law.

The allocation of controller, joint controller or processor roles must reflect the actual levels of control and influence for each different processing activity taking place. Organisations must have the appropriate expertise, resources and agency to undertake the processing in a way that ensures the protection of people’s rights and freedoms. The ICO understands that many players in the market have sought to frame their processing relationships as one of controller and processor, where in fact joint controllership may more accurately reflect the parties’ respective roles for particular processing activities.

The ICO calls on generative AI developers to examine joint controllership when considering their relationship with third parties that deploy their models. Joint controllership can be a useful approach for all parties (including data subjects) as it clarifies accountability and can mitigate compliance and reputational risks that could undermine trust in generative AI.

The consultation ends on 18 September 2024.