Recommendation 28

HM Government Rejected

Government response: Reject There are already a range of regulatory requirements that apply to relevant services. Generative AI services which have functionalities that bring them into scope of the Online Safety Act, e.g. meeting the definition of search or user-to-user services, are currently required to assess the risk of harm to users from illegal content, including NCII, on their services and implement measures to manage and mitigate this risk. The Government has strengthened provisions in the Online Safety Act that make the intimate image abuse offences priority offences, requiring in-scope services to prevent it appearing online in the first first place and swiftly remove it if it does. Government made a manifesto commitment to ban the non-consensual creation of sexually explicit deepfake images and we are legislating to do this in the Data (Use and Access) Bill, ensuring that offenders face the appropriate punishments for this atrocious harm. Additionally, the UK General Data Protection Regulation and the Data Protection Act 2018 require all organisations that process personal data to do so lawfully, fairly and transparently. This includes ensuring that personal data is sourced responsibly and with appropriate safeguards in place. NCII content shared without consent is highly unlikely to meet the lawful bases for processing under data protection law. In many cases, it will also constitute special category data, which is subject to additional protections. Organisations must therefore take steps to prevent the processing of NCII. This includes applying appropriate technical and organisational measures to detect and remove unlawful content and ensuring that data is only retained where it is lawful, necessary and proportionate to do so. Section 170 of the Data Protection Act 2018 makes it a criminal offence to knowingly or recklessly obtain, disclose or retain personal data without the consent of the data controller, where such actions are not otherwise permitted by law. This offence may apply in cases involving the unauthorised sharing or retention of NCII content. Where individuals believe their data is being processed unlawfully, they have the right to raise their concerns with the Information Commissioner’s Office, which is responsible for regulating and enforcing the UK’s data protection framework. The Government’s position is that the vast majority of AI systems should be regulated at the point of use, and our existing expert regulators are best placed to do this. In response to the AI Action Plan, the Government has also committed to working with regulators to support them to boost their capabilities. In addition, the Government is clear in our ambition to deliver on the manifesto commitment to bring forward targeted AI legislation. This will allow us to safely realise the enormous benefits and opportunities of the technology for years to come. The Central AI Risk Function continues to identify, assess and prepare for risks associated with AI, including the risks of AI contributing to illegal activity. We will continue to engage with the tech sector to support them in making their technology safer.