In this submission, the Center argues that the UK’s Information Commissioner’s Office should refine how it applies the purpose limitation principle to the development and deployment of generative AI models. The purpose limitation principle states that organizations should only collect and process data for specified, explicit, and legitimate purposes. However, the ICO should not attempt to apply this principle to general purpose generative AI models where, by definition, the various potential uses of these models are unknown. Instead, it should apply this principle to organisations that fine-tune models for deployment. Specifically, we make the following points:
- The ICO should clarify its generative AI model lifecycle;
- The ICO should clarify what is required of organisations in order to perform the compatibility assessment;
- The ICO should reframe the purpose limitation principle to reflect the nature of generative AI model development; and
- The ICO should only apply the purpose limitation principle at the deployment stage in the generative AI model lifecycle.