UK data watchdog takes 'carrot and stick' approach, balancing advice, enforcement, regulator says

Biometric technologies, large language models and future mobility will be among a wide range of technologies fast-tracked for tailored advice from the UK’s data protection watchdog as part of its push to support early-stage novel products and applications, a senior UK regulator told MLex.

In a wide-ranging interview with MLex, the executive director for regulatory risk in the UK Information Commissioner’s Office, Stephen Almond, outlined the watchdog’s plans to use guidance to “solve problems before they become problems” and support investments in emerging technology.

But speaking on the sidelines in Washington, DC, at the world’s largest privacy conference,* Almond insisted the ICO is confident it can strike the right balance between this pro-innovation approach and asking tough questions to enforce strict privacy rules when required.

Business advice

The ICO this week launched an “open pilot” of its Innovation Advice Service, which promises to “set out a regulatory position in writing” within 10 to 15 days in a bid to support the early development of novel data-led products. The helpline is currently available in a “beta” version with plans to start full-scale operations this summer.

“We are deliberately untargeted, so it is literally any novel processing that an organization could be doing. It might be emerging biometric technologies, it might be about the use of large language models, it might be around the future of mobility. … We will be led by the market in terms of where they want us to focus” with this advice, Almond told MLex.

While the watchdog’s initial response isn't legally binding, it gives the companies some “regulatory certainty” when developing their products and seeking early investment, he said.

“It is about enabling organizations to say: 'Look, we have spoken to the regulator. We have the regulator’s view on this. We can give you that confidence before you invest,' ” he said.

Under the UK government’s plans to reform the country’s data protection framework, the ICO could soon controversially see a new statutory duty “to have regard to the desirability of promoting innovation and competition.” The ICO found that 62 percent of the organizations interviewed said they would be more likely to invest and innovate in the UK if they had access to such a service.

Most promising companies could then be further invited to the ICO’s regulatory sandbox, with a “longer-term commitment” to study emerging issues up close.

Separately, the ICO will also lead a new multi-agency trial, offering joined-up advice with multiple regulators, fulfilling a recommendation included in a recent tech regulation review.

The project, backed by £200,000 of UK government funding, brings together the Competitions and Markets Authority, the Financial Conduct Authority and Ofcom to specifically support innovations in areas such as fintech and safety tech, “where there are crossing regulatory boundaries.”

“[We] really want to make sure there is a joined-up approach to driving forward both privacy and competition issues, which in many respects are often in synergy. There are the same incentives that organizations may have to gather excessive personal data in a way that people do not have meaningful control over [as those] that drive firms to behave in ways which are perhaps not competitive,” Almond said.

In the EU, the European Data Protection Board, the umbrella body of EU privacy regulators, is set to publish its interactive online guidance for small and medium businesses this month.

Generative AI

Almond told MLex that the watchdog’s ambition is to “influence organizations who are at the cutting edge, doing things that will shape markets in the future, and set a really good privacy baseline that becomes the default in the market rather than having to take downstream enforcement action to remedy things we could have fixed earlier on.”

His language echoes the warning from the ICO’s head, John Edwards, who this week urged action on regulating AI while it still was “at that inflection point where regulation can make a difference.”

The warning comes as regulators worldwide scramble to respond to the growing popularity of AI chatbots, with multiple authorities — from Canada to South Korea — opening their probes into ChatGPT, and the Italian data protection watchdog even issuing a temporary ban, pending further inquiries.

The ICO set out its position this week. Almond, leading the regulator’s work in this area, insisted in a blog post that “while the technology is novel, the principles of data protection law remain the same and there is a clear roadmap for organizations to innovate in a way that respects people’s privacy." He listed eight key questions around lawful processing of data, transparency and managing risks.

Almond said developers should take note of the issues raised in his blog post.

“I have shared it with all of the firms and am expecting that we will continue to monitor very closely their performance … in terms of being able to uphold those principles,” he told MLex.

Future-scanning exercise

Late last year, the ICO published a Tech Horizons report that identified 11 areas of emerging interest, with four of them — consumer health tech, next-generation connected devices, immersive software, and decentralized finance — making it top of the regulator’s priority list.

This week, ICO head Edwards said the watchdog would soon take action in the first of these areas as it plans to “go after” femtech applications and look at their data-collection practices when it comes to women’s well-being issues, such as period monitoring, nutrition, parenthood and sexual health.

Almond told MLex that “in these areas we are not simply setting out our privacy expectations,” but “paying very close attention to high-risk use cases that we may be seeing, and organizations can expect that we should follow through on that.”

The ICO’s executive director for regulatory risk said that many of new and emerging technologies face broadly similar issues, with concerns about processing transparency, individuals having meaningful control of their data, accountability in complex ecosystems, sensitive data, and purpose-limitation and data-minimization.

For example, he said future mobility issues — linked with the rise of connected and automated vehicles — are similar to broader worries over the Internet of Things devices and smart cities.

“So [these are] questions around how bystander data will be used — what sort of meaningful consent you might have if you are a third party within a vehicle. These are all sorts of questions that you might see emerging in relation to other uses of ambient monitoring, whether that is devices in people’s homes or immersive technologies,” he said.

“And it's part of the UK’s regulatory philosophy and certainly of regulatory philosophy at the ICO to be looking to solve problems before they become problems,” he said.

* International Association of Privacy Professionals Global Privacy Summit 2023 - Washington, DC, April 3-5, 2023.