The Information Commissioner’s Office (ICO) has launched the latest instalment in its consultation series examining how data protection law applies to the development and use of generative AI.

The third consultation in the series focuses on how data protection’s accuracy principle applies to the outputs of generative AI models, and the impact that accurate training data has on the output.

Where people wrongly rely on generative AI models to provide factually accurate information about people, this can lead to misinformation, reputational damage and other harms.

“In a world where misinformation is growing, we cannot allow misuse of generative AI to erode trust in the truth. Organisations developing and deploying generative AI must comply with data protection law – including our expectations on accuracy of personal information.”

- John Edwards, Information Commissioner

The third call comes as the UK Information Commissioner and his team are visiting leading tech firms in Silicon Valley to reinforce the ICO’s regulatory expectations around generative AI, as well as seeking progress from the industry on children’s privacy and online tracking.

The regulator has already considered the lawfulness of web scraping to train generative AI models and examined how the purpose limitation principle should apply to generative AI models. Further consultations on information rights and controllership in generative AI will follow in the summer.

The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI. The consultation is open until 5pm on 10 May 2024.

Notes to editors
  1. The ICO is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To help industry improve compliance, the ICO continues to add to its suite of AI resources.
  5. To report a concern to the ICO, telephone our helpline on 0303 123 1113, or go to