Deepfakes & Data: The UK Privacy Reckoning for AI-Generated Imagery

The UK and EU diverge in their approach to AI regulation. In August 2024, the EU implemented the EU AI Act, creating the world’s first comprehensive, legally binding framework for AI development and use.

In contrast, the UK currently has no general statutory regulation of AI and instead relies on specific areas or pre-existing laws (in particular the General Data Protection Regulations (GDPR) which governs the collection and use of personal data and places some restrictions on automated decision making) and empowers existing regulatory bodies such as OFCOM, the ICO and the CMA to take action within their specific sectors.

The UK’s approach to regulating AI is focused on being ‘pro-innovation’, in comparison to the EU’s more active regulatory approach.

Businesses should be cautious when either procuring solutions which utilise AI or integrating AI into their own businesses and solutions, and should ensure that appropriate safeguards are in place prior to such implementation.

In light of the guidance provided by the ICO, there are a number of steps that businesses can employ when contracting with third parties to ensure that any risks of utilising AI are minimised, such as:  

• reviewing any contractual documentation to check whether the supplier has rights to use customer data for further AI development or training;
• imposing transparency obligations on the supplier that detail the capabilities and limitations of the specific model, including detail of protective privacy measures in place;
• including obligations on the supplier to implement safeguards preventing misuse and the generation of harmful content;
• imposing indemnities to hold supplier to account where harmful or unlawful outputs are generated independently of customer use; and
• including warranties as to the supplier having complied with relevant privacy laws and implemented appropriate safety mechanisms.