UK: Data Protection And Artificial Intelligence In The UK

The use of robotics and Artificial Intelligence (AI) has been a matter of discussion by the European Parliament and the European Commission for the last four years, and part of the Digital Single Market Strategy. One of its consequences has been the creation of a high-level group of experts, whose functions include advising the Commission on the ethics involved in the use of AI systems.

The General Data Protection Regulation (GDPR) requirements and the path to ethical AI

In April 2019, the European Commission released its Communication Building Trust in Human-Centric Artificial Intelligence. In this Communication, the Commission made clear that AI should be a tool aimed to serve people and increase human well-being, an aim which requires ensuring the trustworthiness of AI and alignment with EU values and human rights.

It is noted that AI brings new challenges, since machines are able to learn and make automated decisions. There is a risk that some decisions are taken from non-reliable sources of data, causing harm or problematic outcomes. This is a concern due to the increasing implementation of AI in goods and services that people use daily, including smartphones, online applications and automated cars. Hence, the European Commission has stressed the importance of ensuring that applications integrating AI components are not only compliant with the law, but also follow an ethical journey.

The High-Level Expert Group on Artificial Intelligence set up by the European Commission ("AI HLEG": a group of 52 experts from academia, civil society and industry appointed by the Commission in 2018) also published Ethics Guidelines for Trustworthy AI in April 2019 (the Guidelines), following the release of its draft in December 2018, on which more than 500 opinions were considered. This is, again, part of the AI strategy adopted by the Commission.

The Guidelines aim to promote Trustworthy AI, which has three components: it should be lawful; ethical; and robust. The Guidelines focus on the latter two components and set out a list of fundamental rights, ethical principles, requirements and assessments that should be applied to AI systems.

Fundamental rights

According to the Guidelines, the relevant fundamental rights that should be considered in any case when testing, developing and deploying AI systems are:

  • respect for human dignity, to avoid treating humans as objects that are manipulated or conditioned;
  • freedom of the individual, so that individuals are able to take decisions by themselves;
  • respect for democracy, justice and the rule of law, to ensure that AI systems do not operate in a way that destabilises democratic processes;
  • equality, non-discrimination and solidarity, to mitigate any risks of applications which use AI components taking actions leading to unfair goals; and
  • safeguarding citizens' rights.

Ethical principles and the seven requirements:

The AI HLEG considers these four ethical principles as "ethical imperatives" which AI developers should observe, in light of the fact that they are based on the fundamental rights that might be the most impacted by the use of AI tools, namely:

  • respect for human autonomy;
  • prevention of harm;
  • fairness; and
  • explicability.

The above principles have inspired the seven requirements (a non-exhaustive list) that, ultimately, AI practitioners should meet by carrying out the assessments set out in the document, and by evaluating them on a regular basis during the AI system's life cycle. These requirements are:

  • Human agency and oversight: AI systems should (i) respect humans' fundamental rights (meaning that developers should carry out fundamental rights impact assessments), and (ii) allow humans to make informed decisions when interacting with the AI system and to guarantee a reasonable level of human control over the application. From a data protection point of view, this requirement enhances data subjects' right not to be subject to a decision based solely on automated processing (including profiling) if such processing will lead to a decision which produces legal effects or has a significant impact on the data subject, unless an exemption applies (Article 22 of the GDPR).
  • Technical robustness and safety: AI developers should ensure the resilience and security of the systems deployed. Where personal data is processed, this becomes a mandatory requirement placed on both data controllers and data processors under Article 32 of the GDPR. The aim is to ensure that unintentional harm is avoided, or the risk of this happening is minimised by the undertaking of regular risk assessments. In addition, the AI HLEG includes methods such as the evaluation and verification of behavioural patterns, implementation of fall-back plans, and assessment of the accuracy of the data and reliability of the actions taken by the AI system.
  • Privacy and data governance: Going beyond the general obligations set out in the data protection and privacy laws (e.g. the GDPR Article 25 obligation to privacy by design and by default, and the six data protection principles set out in Article 5 of the GDPR), AI developers should put in place mechanisms to ensure the quality and integrity of data and legitimate access to it.
  • Transparency Transparency is crucial in a trustworthy AI environment, and it represents one of the major challenges to developers due to a margin of uncertainty over the behaviour of the AI system, in which the system might create new personal data without human intervention, and, to some extent, their knowledge. Traceability mechanisms are essential to ensure that transparency is achieved, so that AI systems and their decisions are explained in a manner that is compliant with Articles 13 to 15 of the GDPR, by providing regular and meaningful information about the logic involved and the consequences for humans using the AI system.
  • Diversity, non-discrimination and fairness: To avoid discrimination, AI systems practitioners should establish a strategy to understand the meaning of fairness applied to the AI system, and to ensure that unfair biases are flagged and avoided. Regarding diversity, AI systems should be accessible to all, regardless of any disability, and involve relevant stakeholders throughout their entire life cycle.
  • Societal and environmental well-being: To meet this requirement, AI systems should be sustainable and environmentally friendly, and ensure a positive social impact on humans directly interacting with the AI system and on any other indirectly affected stakeholders.
  • Accountability: This is an essential requirement to comply with the data protection principles and becomes even more relevant when AI systems use personal data. This implies the implementation of mechanisms, such as auditing the system's processes and outcomes, the overseeing of ethics applied, documentation of updates, evaluations and any decisions taken by organisations, and implementation of mechanisms allowing redress if any harm or adverse impact is caused.

Supplemental legislation in the UK

In the UK, section 14 of the Data Protection Act 2018 (Chapter 2, Part 2 of the Act) has further legislated the GDPR Article 22 limitations on the use of automated processing and profiling which causes legal effects concerning individuals, or which significantly affects them.>

Article 22 of the GDPR states that such processing significantly affecting individuals will not take place unless:

  • the individual affected gives explicit consent;
  • it is necessary to enter into or perform a contract between the individual and a data controller; or
  • it is authorised by law (in this case, the Data Protection Act 2018) which lays down suitable safeguards.

These limitations are stronger when special categories of data are involved in the automated processing significantly affecting the individual; and, such processing is only allowed when the person concerned gives explicit consent, or if it is necessary to protect the vital interest of a person who is not able to provide consent at the moment the processing takes place.

If a data controller in the UK concludes that it has legal grounds to carry out automated processing or profiling on the basis set out above, then according to the Data Protection Act 2018, it must implement the additional measures set out in section 14 of the Act, namely:

  • notifying the individual in writing that a decision has been taken based solely on automated processing; and
  • putting in place an internal policy to deal with individuals' requests to reconsider the decision or involve human intervention on the automated processing-based decision. According to the Data Protection Act 2018, the data subject should exercise any of these requests within a month of receiving the data controllers' notification, and the data controller should respond according to the timescales and rules set out in Article 12(3) of the GDPR. The response must be in writing and provide information regarding the steps taken to comply with the request, as well as the outcome.

These additional safeguards and obligations are in line with the European ethical principles and requirements mentioned above.

The Information Commissioner's Office (ICO) approach on AI and its regulatory "Sandbox" (beta phase)

In the UK, the Information Commissioner has taken a similar approach and AI is in her list of priorities.

A consequence of this approach was the update on the "Big data, artificial intelligence, machine learning and data protection" guidance in 2017 (in view of the GDPR and the UK Data Protection Act 2018 coming into force). In this document, the ICO stressed the importance of ensuring fair, accurate and non-discriminatory use of personal data, and set out rules to ensure an ethical approach (an approach that was later confirmed by the European Commission, as mentioned above).

This guidance is a useful tool due to the fact that the ICO sets out its views on how to comply with the data protection principles of fairness and lawful processing, purpose limitation, data minimisation and retention, accuracy, integrity and confidentiality. It also provides relevant input on how to inform of unforeseen purposes, anonymise data, ensure privacy by design, and includes checklists that help organisations to carry out data protection impact assessments focused on projects.

Another consequence of the ICO caring about the use of innovative tools is the implementation of a regulatory Sandbox, which offers a service to support organisations that are using personal data to develop innovative products. It is therefore expected that a considerable number of AI systems practitioners join the Sandbox; although initially, it seems that the number of organisations admitted in this beta sample will be in the range of 10 organisations.

The Sandbox is currently in its beta phase, in which participants will assess (supported by the ICO's officers) the manner in which they use personal data and the paths to follow in order to ensure compliance with the data protection legislation.

This text first appeared in the UK chapter of Global Legal Insights - AI, Machine Learning & Big Data 2019, published by Global Legal Group, Ltd. Follow the link to the full chapter covering GDPR requirements and the path to ethical AI.

Read the original article on

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
19 Sep 2019, Seminar, Birmingham, UK

Providing GCs, Heads of Legal and senior in-house lawyers with timely, topical and practical legal advice on a variety of topics.

26 Sep 2019, Seminar, London, UK

Providing GCs, Heads of Legal and senior in-house lawyers with timely, topical and practical legal advice on a variety of topics.

8 Oct 2019, Seminar, Birmingham, UK

Supporting the development of paralegals, trainees and lawyers of up to five years' PQE by providing valuable knowledge and guidance together with practical tips.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions