Category Archives: AI

April 8, 2025 · 7:11 am

Machine learning lawful basis on a case-by-case approach – really?

The Information Commissioner’s Office has published its response to the government’s consultation on Copyright and AI. There’s an interesting example in it of a “oh really?!” statement.

The government proposes that, when it comes to text and data-mining (TDM) of datasets that contain copyright works) a broad exception to copyright protection should apply, under which “AI developers would be able to train on material to which they have lawful access, but only to the extent that right holders had not expressly reserved their rights”. Effectively, rights holders would have to opt out of “allowing” their works to be mined.

This is highly controversial, and may be the reason that the Data (Use and Access) Bill has stalled slightly in its passage through Parliament. When the Bill was in the Lords, Baroness Kidron successfully introduced a number of amendments in relation to use of copyright info for training AI models, saying that she feared that the government’s proposals in its consultation “would transfer [rights holders’] hard-earned property from them to another sector without compensation, and with it their possibility of a creative life, or a creative life for the next generation”. Although the government managed to get the Baroness’s amendments removed in Commons’ committee stage, the debate rumbles on.

The ICO’s response to the consultation notes the government’s preferred option of a broad TDM exception, with opt-out, but says that, where personal data is contained in the training data, such an exception would not “in and of itself constitute a determination of the lawful basis for any personal data processing that may be involved under data protection law”. This must be correct: an Article 6(1) UK GDPR lawful basis will still be required. But it goes on to say “the lawfulness of processing would need to be evaluated on a case-by-case basis”. A straightforward reading of this is that for each instance of personal data processing when training a model on a dataset, a developer would have to identify a lawful basis. But this, inevitably, would negate the whole purpose of using machine learning on the data. What I imagine the ICO intended to mean was that a developer should identify a broad, general lawful basis for each dataset. But a) I don’t think that’s what the words used mean, and b) I struggle to reconcile that approach with the fact that a developer is very unlikely to know exactly what personal data is in a training dataset, before undertaking TDM – so how can they properly identify a lawful basis?

I should stress that these are complex and pressing issues. I don’t have answers. But opponents of the consultation will be likely to jump on anything they can.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under AI, Data Protection, datasets, DUAB, Information Commissioner, Lawful basis, parliament, Uncategorized

Tagged as , ,

December 7, 2024 · 9:04 am

Could the right to erasure in data protection law break AI?

[reposted from my LinkedIn account]

I ask this only partly in jest.

The story of how ChatGPT refused to acknowledge the existence of “David Mayer” and some others, perhaps (probably?) because people with those names had exercised their erasure rights (such as the right at Articles 17 of the GDPR and the UK GDPR), raises the interesting question: if a sufficient number of people made such requests, would the LLM begin to fail?

If so, a further question of rights arises. If I, Jon Baines, exercise my erasure right against ChatGPT (or another platform/LLM), and it suppresses any processing of the words “Jon Baines”, what effect might that have on my namesake Jon Baines, and his travel company? Or Jon the Ocean Specialist working on the Ocean Watch program?

Because the words “Jon Baines”, in isolation are not my personal data. In isolation, they do not relate to me. A crude response to an erasure request, just as with any of the other crude approaches which AI is capable of (for instance in relation to accuracy), runs the risk of interfering with others’ rights, including rights to operate a business, our rights to freedom of expression.

I don’t have an answer, but this is just one extra point and possible flaw in AI which will no doubt play out over the coming years.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under AI, Data Protection, erasure

Tagged as ,

May 10, 2023 · 8:55 pm

ICO “does not use AI” – really?

There’s an interesting Freedom of Information (FOI) response by the Information Commissioner’s Office (ICO) on the website WhatDoTheyKnow. In response to the question

have you examined the use of AI to help you in doing your work as an organisation?

their reply includes the statement that

For information, the ICO does not use any artificial intelligence (“AI”) technology.

However, if one uses most of the standard definitions of AI (such as the one from the government’s National AI Strategy: “machines that perform tasks normally requiring human intelligence, especially when the machines learn from data how to do those tasks”) one might find that hard to believe. What about spam filters on the ICO email network? Or the fact they recommend Google Maps for anyone needing directions to their offices? Or their corporate use of social media? All of those technologies use, or constitute, AI.

There is a wider point here: the task of regulating AI, or even of comprehending how it uses personal data, will fall increasingly on some key regulators in coming years (including the ICO). It is going to be crucial that there is understanding within those organisations of these issues, and if they don’t comprehend now how, within their own walls, the technology operates, they will be starting off on the back foot.

(One should also add that, if the ICO has missed some of its own more obvious uses of AI, then it has probably also failed to respond to the FOI request in accordance with the law.)

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under AI, Freedom of Information, Information Commissioner

Tagged as , ,