UK Information Office Focusing on Biometrics, Web Scraping
LONDON -- The U.K. Information Commissioner's Office is intensively engaged in the hot privacy issues of biometrics and web scraping, Regulatory Risk Executive Director Stephen Almond said at Thursday's IAPP Data Protection Intensive conference.
The ICO plans to unveil its strategy on AI and biometrics this spring, Almond added, including focusing on issues such as the use of automated decision-making. The office is also preparing a code of practice on AI and automated decision-making, and is monitoring emerging technologies such as emotional recognition, he said.
Last year, the ICO set out its first comprehensive guidance on the use of biometrics under the U.K. General Data Protection Regulation, including how to identify the correct legal basis for using the systems and ensuring data subjects get access to their data, Almond noted. But, he added, there's no substitute for organizations visiting the ICO to discuss their proposed biometric system: With all the available regulatory information, he said there's no excuse for not getting it right.
The use of biometrics has become a topic of extensive public debate in the U.K., Almond said. The ICO found that while people see value and convenience in using biometric technology, they worry about transparency, potential discrimination and whether systems are proportionate, he said. Young people are concerned about biometrics use in schools. One situation, where a school used biometrics to allow students to pay for meals, resulted in a legal challenge, he noted.
The Ada Lovelace Institute, a research society that aims to make AI safe for society, also engaged with the public on biometrics, said Michael Birtwhistle, associate director, law and policy. These consultations produced "quite nuanced" results, he said: People can dislike the police's use of biometrics while also agreeing that the technology helps law enforcement.
Birtwhistle noted that beyond biometrics, there's also a new wave of technologies that classify human emotions. They're used in places like schools, in Amazon delivery vans and the U.K. railway system, he said. The upcoming U.K. Data Use and Access Law may close some of the current gaps between existing rules and these new systems, he said.
Web scraping, where automated bots pull data from websites while trying to mimic genuine users, is another problematic area, speakers said. Scraping is the best way to get massive amounts of datasets for training AI models, but just because data is publicly available doesn't mean its use is unrestricted, noted privacy attorney David Patariu of The CISO Law Firm.
There's great legal uncertainty around scraping, Patariu said, and no exemption for publicly available data under the EU General Data Protection Regulation. Scraping is an abusive service that implicates copyright, cybersecurity, data protection and other areas, he said. The flip side is that companies say they must have the data to train their AI models, he noted.
The ICO has been trying to clarify rules around unlawful scraping, Almond said. It published a position paper last year setting out steps it would expect companies to take for lawful scraping. Among other things, companies should explain what safeguards and mitigation they're implementing, and who's responsible for the scraping activities.
Web scraping isn't illegal, said Ayesha Bhatti, Information Technology & Innovation Foundation's digital policy head, U.K. and EU. For example, people manually browse by accessing publicly available websites and can generally use the data for what they like. They also scrape when printing or taking screenshots. Web scraping levels the playing field by ensuring market competition and open innovation, she said.
Bhatti urged regulators to prioritize enforcing the U.K. and EU GDPR; promote ethical scraping as a second line of defense against unlawful data; and focus on the use of web-scraped data rather than the scraping itself.