Sunday, January 28th marks Data Protection Day (also known as Data Privacy Day), now in its 18th year — raising awareness of the challenges of data protection and privacy and reinforcing people’s knowledge of their rights. It’s also a great opportunity for us to take a look at what we expect to see in the ever-changing regulatory data privacy landscape in the coming months.
In the past twelve months, we’ve seen the continuation of fast-paced regulatory change, ongoing tensions between privacy and online safety, and further debate on the competing values and interests that regulators and businesses must navigate. EU data protection fines reached a record €2bn, averaging €4.4m per violation — demonstrating that enforcement is just as much a priority as regulation. And, of course, the massive proliferation of AI technology has raised significant questions about fairness and data minimization.
AI and data protection
2023 was dominated by the question of how best to regulate AI, but until such regulation arrives, existing data protection rules are holding the line. For example, we saw Italy’s data protection authority temporarily block ChatGPT due to concerns over (amongst other things) insufficient transparency, the apparent lack of a legal basis for model training, and insufficient age verification to stop under-13s from using the service. In the UK, the ICO issued a preliminary enforcement notice in respect of Snap’s ‘My AI’ feature over concerns that Snap had not adequately assessed the data protection risks posed by the generative AI technology, particularly to children.
As regulatory frameworks are developed, we welcome engagement with regulators. The ICO’s consultation on generative AI is opening the debate on lawful processing, the purpose limitation principle, and expectations of compliance with data subjects’ rights — all essential components to consider in the interaction of data protection and AI regulation.
At Onfido, we’ve seen an increase in generative AI being used in attempts to commit fraud. Onfido’s annual Identity Fraud Insights Report has shown a 31x increase in the number of deepfake attempts from generative AI and other sophisticated spoofing techniques. But we can also see the benefits of this technology. We launched our Fraud Lab to stay at the cutting edge of identity fraud detection. By generating our own fraud samples and creating synthetic documents and images, we can better test and train our own AI to effectively combat the sophisticated fraud attempts being used against our clients.
We therefore welcome, and look forward to more of, the ICO’s emerging thinking on how to ensure that generative AI, which clearly has a number of positive use cases, is used in a privacy-compliant way. We also welcome the ICO’s acceptance that legitimate interests can be a valid lawful basis for training generative AI models on publicly available data, given the potential for this to enable more effective ID verification and fraud detection that protects businesses and consumers alike. Crucially, access to this data, properly processed, would enable us to train models on larger datasets, improving reliability and minimizing bias.
Our whitepaper covers best practices for defining, measuring, and mitigating biometric bias — and outlines our performance.
Privacy regulation in the UK
The UK Data Protection and Digital Information Bill has spent the last year passing through the UK Parliament and is expected to complete its passage by the end of the parliamentary session. The bill will clarify activities that may constitute legitimate interests for data processing and attempt to make the obligations of controllers and processors less onerous overall, deviating from the GDPR while maintaining critical data adequacy with the EU.
At Onfido, we take privacy extremely seriously and adopt a privacy-first mindset in all that we do. We also recognize the scope to improve on the GDPR — and with the rest of the industry, we are working to help the UK government strike a sensible balance between enabling data-driven innovation (such as artificial intelligence, biometrics, and digital identity) and preserving crucial data protection rights. This approach will be at the forefront of our engagement in this general election year.
Privacy regulation in the US
As with the broader policy landscape, AI was the dominant vehicle for data protection proposals in the United States. The President’s Executive Order on AI called for bipartisan data privacy legislation to better protect the privacy of American citizens, balancing the need to train AI systems against preserving the privacy of the training data. Equity and civil rights were also at the forefront of the order, which requires mitigations against algorithmic discrimination and bias, as well as protections for workers against the discriminatory collection and use of their data.
The absence of comprehensive federal data privacy regulation has left a void that continues to be filled by the states. Colorado, Connecticut, Utah, and Virginia followed California with GDPR-inspired data privacy statutes in 2023, and several more (including Florida, Oregon, Texas, and Montana) have similar laws arriving in 2024. At the federal level, we still await progress on an omnibus privacy law despite the introduction of the American Data Privacy and Protection Act in 2022, and it remains to be seen whether AI regulation can be the catalyst to unblock it. With a divisive election campaign forthcoming, that feels unlikely.
Over 1000 businesses trust the Real Identity Platform to navigate global compliance requirements, stop fraud, and maximize customer acquisition.