ICO Publishes First Tech Horizons Report
The Information Commissioner's Office ("ICO") has published the first of its annual Tech Horizons Reports (the "Report") which examines the implications of technological developments for privacy law in the next two to five years.
The Report focuses on the privacy implications of developments in four applied technologies:
- consumer healthtech: wearable devices and software applications that help people assess their health and wellbeing;
- next-generation Internet of Things ("IoT") devices: physical objects that connect and share information, with the ability to sense, respond to or interact with the external environment;
- immersive technology: augmented and virtual reality hardware that creates immersive software experiences for users; and
- decentralised finance: software that employs blockchain technology to support peer-to-peer financial transactions.
A separate "foresight" report will shortly be published in relation to neurotechnology. The four technologies considered in the Report were deemed to have the most tangible, and often novel, implications for data protection of the 65 technologies that were considered and analysed.
It is notable that the Report talks positively about these technologies, with the ICO emphasising its support for innovation (including by inviting organisations to work in its Regulatory Sandbox and through the development of further guidance). However, the Report also contains warnings for organisations and companies who do not consider the privacy implications of new technologies, with the ICO clarifying that it will "not allow businesses that are doing the right thing to be outcompeted by businesses that fail to comply with data protection law".
The Report identifies the following four common challenges created by these new technologies, namely:
- Lack of transparency, including as a result of information being captured about third-parties (i.e. not the intended user of the technology). There are also issues arising from the widespread use of Software Development Kits which can be used (for example) to allow people to log into accounts on platforms that people may already have exposing their personal data to other third parties.
- Difficulties in understanding how organisations are processing personal data – this is due to the growing complexity of data ecosystems which also presents challenges to how individuals can exercise their data rights. For example, greater interoperability in advanced IoT devices means data flows are becoming increasingly complex making it more difficult to describe data flows in a way that gives people meaningful control over their data.
- The collection of excessive amounts of personal data. For example, immersive technologies contain sensors and collect information frequently and may be "always on", creating challenges for companies seeking to comply with the data minimisation principle.
- The collection and processing of special category personal data without appropriate safeguards. For example, advanced health-tech is likely to process significant amounts of personal data about fitness, wellbeing and health for which a separate condition for processing is required under Article 9 of the UK GDPR.
Interestingly, the Report (which was released just weeks after the release of ChatGPT 3.5) does identify Generative AI as another technology worth examining and raises concerns about how data used in large language models has been "scraped" from the internet. The recent developments in AI have of course been the focus of a significant amount of interest and privacy action, including the decision by Italy's privacy regulator to ban the use of ChatGPT in March of this year. It is therefore likely that more detailed analysis of these advancements will be included in future Tech Horizons Reports.