On 6th October 2023, the UK Information Commissioner Officer (ICO) issued a preliminary enforcement notice against Snap, SnapChat’s parent company. ICO issued the preliminary enforcement notice due to Snap’s potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’.

Who should take note?

  • Users of platforms using AI. My AI is the first of many messaging platforms to integrate generative AI. Users of these platforms must recognise that these platforms use and process their personal data. Users of generative AI on messaging platforms should stay informed about data privacy regulations and their rights.
  • Organisations developing or using generative AI.  The preliminary enforcement notice against Snap reminds organisations to consider their data privacy obligations from the outset. When implementing innovative technologies, organisations must conduct thorough risk assessments that analyse the benefits and risks involved.

What is My AI?

In February 2023, Snap introduced the ‘My AI‘ feature to UK Snapchat subscribers, followed by a full rollout to all users in April. The feature mimics human-like conversations and is powered by OpenAI’s GPT technology. The ‘My AI’ chatbot is the first example of the integration of generative AI into messaging platforms. The design of the chatbot enables it to answer questions, offer advice, and engage in conversation. As users interact more, the experience becomes more personalised, creating a sense of conversing with a friend.

Details of the preliminary enforcement notice

ICO’s provisional investigation found that the risk assessment carried out by Snap before the rollout of the ‘My AI’ feature was inadequate in evaluating the risks associated with the implementation of AI technology. This is especially important considering that the chatbot processes children’s personal data. ICO emphasised this in their preliminary enforcement notice.

The notice is provisional and outlines potential actions Snap can take to address ICO’s concerns. However, if Snap fails to comply,  ICO could prevent Snap from processing the personal data of UK users. UK customers might also lose access to the ‘My AI’ feature. ICO has not yet reached a conclusion, so it remains to be seen whether Snap has breached any data protection laws or if ICO will ultimately issue an enforcement notice.

Key takeaways from the preliminary enforcement notice against Snap

Organisations implementing generative AI must be prepared to comply with data protection laws and demonstrate compliance in any AI system processing personal data. Organisations that are processing children’s personal data whilst implementing innovative technologies like generative AI must be especially aware of their legal obligations under data protection legislation.

Actions to take

  1. Ensure your generative AI system complies with privacy laws and best practices by joining our Data Protection Programme.
  2. Understand the impact of data protection on your AI systems by filling in our quick and free Organisational Impact Assessment.
  3. Get an expert opinion on Privacy Impact Assessments (Risk Assessments) by asking us to do one for you.