Out-Law / Your Daily Need-To-Know


Snapchat case a blueprint for regulator engagement on AI


Businesses seeking to deploy innovative new AI products and services can learn lessons from the proactive and constructive way the business behind popular app Snapchat has engaged with the UK’s data protection authority over a new chatbot feature it has developed, an expert has said.

Malcolm Dowden of Pinsent Masons was commenting after Snap Inc (Snap) successfully persuaded the Information Commissioner’s Office (ICO) to alter views it had provisionally adopted about its ‘My AI’ chatbot and issues pertaining to the company’s compliance with the UK General Data Protection Regulation (GDPR).

While ‘My AI’ remains subject to the ICO’s scrutiny in respect of its compliance with some parts of the UK GDPR, Dowden highlighted how Snap’s engagement had enabled it to satisfy the ICO that it had adequately addressed concerns it had raised about the adequacy of its data protection impact assessment (DPIA) for ‘My AI’ and its consultation with the authority over measures to address risks from the chatbot’s operation.

“An ICO finding that there has been no infringement requiring enforcement action might easily be dismissed as ‘nothing to see here’, but the ICO’s final decision notice in relation to its investigation of Snapchat’s ‘My AI’ chatbot feature demonstrates how proactive and constructive engagement with the ICO can strengthen protections for data subjects and facilitate deployment of innovative technologies and services without the need for sanctions,” Dowden said.

Snap launched the ‘My AI’ feature for UK users of Snapchat in 2023. Snap sought a meeting with the ICO in April 2023, following which the ICO issued an information notice formally requesting copies of the DPIA Snap carried out in relation to ‘My AI’. At that stage, Snap’s DPIA had gone through four iterations. The ICO issued a further information notice in June 2023 seeking specified documents relating to the DPIA.

On 23 June 2023, the ICO informed Snap that it was investigating potential infringements of Articles 35 and 36 of UK GDPR – in respect of the former, the ICO investigated whether Snap’s DPIA was inadequate, while with the latter it investigated whether Snap had failed to properly consult with it over the mitigation measures to be applied where processing had been identified in the DPIA as “high risk” – in this case, the processing of data relating to users aged between 13 and 17 years.

In October 2023, the ICO issued a preliminary enforcement notice (PEN), concluding that there had been infringements and stating its intention to issue an enforcement notice that would prevent the use of ‘My AI’. Snap was invited to respond to that PEN, which it did by means of written representation and continuing discussion and engagement with the ICO. Those interactions resulted, by the end of November 2023, in the provision of a revised and significantly improved DPIA which superseded and replaced all previous versions.

Concluding its investigation in May 2024, the ICO confirmed (62-page / 826KB PDF) that it was satisfied that the fifth DPIA complied with the requirements of Article 35, covering all required issues – including adequate consideration of the retention periods being applied to personal data. As a result, the ICO determined there was no need to press on with enforcement action.

“A striking feature of the process was that it was not simply a case of Snap adopting measures and requirements prescribed by the ICO,” Dowden said. “Through its written submissions and other engagement Snap successfully persuaded the ICO to alter its preliminary views and conclusions on some key points.”

According to Dowden, those points included consideration of which Snap entity was the relevant ‘controller’ for the purposes of assessing compliance with the UK GDPR. The ICO initially considered that Snap Inc in the US and the UK entity Snap Group Limited were both controllers in relation to the personal data processed in connection with ‘My AI’. Through discussion, the ICO accepted that Snap Inc was the sole controller, with Snap Group Limited acting merely as a reseller of Snapchat to end users in the UK. UK GDPR applied to Snap Inc by virtue of its “establishment” in the UK.

A further issue on which Snap was able to persuade the ICO related to the authority’s concerns that there would be a “high risk” arising from the operation of ‘My AI’ in relation to users aged 13-17. The ICO was persuaded by witness statements and accompanying evidence that that view had been recorded in error. Given that there was no assessment of “high risk” processing, there was no requirement to consult the ICO and therefore no infringement of Article 36.

Dowden said that the ICO’s final decision notice “does not give an unequivocal ‘all clear’ to the deployment of Snap’s ‘My AI’ feature” in the UK.

“While finding that there is no infringement of Articles 35 or 36, the notice makes it clear that the ICO has not addressed and has made no finding in relation to other potential issues – for example, whether ‘My AI’ complies with the data storage limitation principle at Article 5(1)(e) of the UK GDPR,” he said. “However, positive engagement with the ICO has led to a satisfactory outcome in relation to the DPIA for ‘My AI’, notwithstanding that regulatory scrutiny remains live.”

Dowden added: “The fact that no sanctions were imposed should not minimise the significance or blunt the message of the final decision notice – the way to avoid sanctions and to deploy innovations that might be considered risky from a data subject perspective is to engage early, positively and proactively with data protection issues.”

In the ICO’s strategic plan ICO25, information commissioner John Edwards outlined the authority’s approach to UK data protection law enforcement.

Edwards said: “We enforce the laws we are responsible for through a variety of enabling and dissuasive regulatory interventions. These range from providing guidance and tools to signal clear expectations and to empower responsible information use, through to issuing enforcement notices and monetary penalties, where it is necessary to do so. We intervene proportionately, clearly and only where needed. Our interventions aim to create a fairer playing field for compliant organisations and to protect people.”
