Xcina Blog

AI Regulation – an update from the ICO

In this issue of In Perspective, Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting, discusses the questions every business should be asking.

This month we review an update from the ICO on AI regulation. We look into mandatory cyber security requirements for businesses working in the Internet of Things (IOT) supply chain. Finally, we consider how to deal with ransom payments looking at guidance from the National Cyber Security Centre and the insurance sector.

We take a look at why this is important and the implications for both businesses and individuals.

Find out more below.

The Regulation of AI - An Update from the ICO

What happened

  • In April 2024 the ICO published its strategic approach to AI regulation in response to the UK government’s White Paper and call for action to the regulator
  • The White Paper sets out a principle-led, sector-based approach to AI regulation
  • Other regulators have already set out their AI strategic action plans, including the FCA, Ofcom, CMA and the Digital Regulation Cooperation Forum
  • The White Paper asks each regulator to provide a tailored framework to suit the needs of their sector
  • It sets out 5 key principles that regulators need to use in their approach
  • Data protection laws will apply at every stage of the machine learning model life cycle and each ‘actor’ in the supply chain where personal data is processed, must ensure individuals’ rights are protected
  • For example, if facial recognition technology is going to be used, it must be proportionate and there must be a balance between privacy intrusion and the validity of the purpose being achieved
  • The White Paper identifies a range of high-level risks that the principles-based AI framework looks to mitigate. These include (i) risks to human rights, (ii) risks to internet safety, (iii) risks to fairness, (iv) risks to privacy and agency, (v) risks to societal wellbeing and (vi) risks to information security


Why it matters

  • It’s interesting that many of the principles set out in the White Paper are also integral principles of data protection law so they are already contained in the data protection framework under the ICO’s remit
  • The ‘fairness’ principle prohibits organisations from processing data in a way that has unjustified and adverse effects on people
  • The ICO has highlighted machine learning models as a particular risk area as they are trained on vast amounts of personal data
  • The ICO is particularly concerned with potential harm to children as a result of AI products and services
  • The ICO has already imposed a fine in this area. Clearview AI Inc (which provides facial recognition software) was fined £7.5m by the ICO for processing UK residents’ personal data without a lawful basis
  • AI is one of the ICO’s key focus areas for 2024-25, alongside children’s privacy, ad-tech and online tracking
  • The UK’s general approach to AI remains pragmatic and risk focused

Further information

Further to the Clearview case, the ICO has provided guidance on biometric data at Biometric data guidance: Biometric recognition | ICO

Next steps

The ICO plans to keep abreast of developments in the AI sector

Mandatory cybersecurity requirements for businesses in the IoT supply chain

What happened

  • Businesses involved in manufacturing, importing or distributing consumer-facing IoT devices might need to implement mandatory cybersecurity controls or face penalties under the UK Product Security & Telecommunications Infrastructure (Product Security) Regime (PSTI Regime)
  • This regime came into effect on 29 April 2024 and is made up of 2 pieces of legislation: the PSTI Act 2022 and the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023
  • The regime is relevant to manufacturers (or their UK representatives), importers or distributors of certain consumer connectable products that can connect to the internet or other networks and can transmit and receive digital data
  • The connectable products are usually referred to as IoT or ‘smart’ devices and include smartphones, smart TVs and connected alarm systems
  • Charging points for electric vehicles, medical devices, smart meters and personal computers are likely to be exempt from the regime, but this needs to be assessed carefully on a case-by-case basis
  • Manufacturers of the products will need to ensure (i) security requirements are met, (ii) statements of compliance are published showing that the applicable security requirements have been met and (iii) cybersecurity issues are monitored and, where needed, investigated and dealt with
  • Importers, distributors and authorised representatives need to support compliance with the regime and reasonable steps need to be taken to prevent non-compliant products being supplied to consumers

Why it matters

  • The PSTI regime means the Secretary of State for the Department for Science, Innovation & Technology (DSIT) has considerable enforcement powers, including the ability to withdraw products from the market and impose fines of up to £10m or 4% of global turnover in the last accounting year (whichever is greater)
  • The Office for Product Safety and Standards (OPSS) will act as enforcement authority and it intends to be pragmatic and proportionate and will align its approach with its own enforcement policy

Further information

More information on the UK’s consumer connectable product security regime can be found at The UK Product Security and Telecommunications Infrastructure (Product Security) regime – GOV.UK (www.gov.uk)

Next steps

Any business that is involved, directly or indirectly, in the supply of IoT devices or other consumer-facing connectable products needs to understand whether it is in scope of the PSTI regime and any related obligations, and take measures to ensure its cybersecurity governance is robust

Ransomware

How to deal with ransom payments – the NCSC and insurance organisations provide guidance

What happened

  • In May 2024 the National Cyber Security Centre (NCSC) and 3 major UK insurance organisations (ABI, BIBA and IUA) published joint guidance on how to handle ransom payments
  • The guidance is intended for businesses experiencing ransomware attacks and it aims to reduce the overall impact of the incident on the businesses
  • The guidance is intended to reduce the number of ransoms paid and the size of the ransoms paid – where victims do decide to pay
  • There are a number of ‘things to consider’ when dealing with a ransomware attack, including (i) looking at alternatives to paying, (ii) documenting the incident, including what decisions and actions were taken, (iii) consulting with experts, (iv) considering any legal and regulatory practices relating to payment and (v) reporting the incident where required by law

Why it matters

  • It is important to be prepared for any cyber incident, including a ransomware attack. This should lessen the impact if one happens
  • The guidance provided here is general and does not override specific laws and regulations
  • The ultimate decision whether to pay or not is still down to the victim

Further information

The NCSC press release can be found at ABI, BIBA, IUA with NCSC help reduce ransom harm – NCSC.GOV.UK

The guidance can be found at Guidance for organisations – NCSC.GOV.UK
