CAIDP provides comments to UK Privacy Office on generative AI

CAIDP provided detailed comments to the UK Information Commissioner’s Office, voicing concerns over Generative AI models and the Purpose Specification Principle. The CAIDP’s statement comes at a time when the data protection adequacy of Large Language Models (LLMs) is under intense scrutiny.

“We urge the ICO to consider the challenges in the application of the legitimate purpose provision in the case of general-purpose AI models,” the CAIDP stated. These models’ broad range of applications creates “new privacy vulnerabilities.”

The CAIDP criticized the current framework, stating, “Without the proper boundaries, Gen AI developers are free to release pre-trained multipurpose AI models for which they may declare a legitimate purpose, but with no accountability for applications developed by third parties via APIs or cloud-based services.”

The Center highlighted the importance of fairness and purpose limitation, asserting that they are “core to the identification of an appropriate lawful basis for personal data processing.”

Addressing the risks, the CAIDP remarked, “The full scope of privacy risks associated with Generative AI is difficult to assess because of the absence of independent ex-ante privacy risk assessment.”

The statement concluded with a call for transparency: “Organizations developing AI models must be required to be fully transparent about the sources, kinds, and scope of personal data used to train the model.”