Hi, I'm Hannah. And I'm Megan. And we're tech and data specialists in Fieldfish's Silicon Valley

Office. In today's bite-sized legal update, we're going to look at the UK data protection

regulator's decision in relation to SNAP's My AI Chatbot, and specifically SNAP's approach to

assessing the data protection risks of the feature. Snap had carried out a data protection risk assessment,

but the UK regulator's preliminary finding was that the assessment fell short of the UK GDPR requirements.

The investigation resulted in SNAP carrying out revised EPAIA,

which led to a final decision that the UK

regulator was satisfied, did comply with the UK GDPR requirements and was consistent with its

guidance on DPI's.

Now, the decision comes from the UK data protection regulator, the ICO, but we think there are some

useful reminders and learning points here for businesses about the level of detail a regulator

generally would expect to see in a data protection impact assessment or DPI.

And particularly when that DPI relates to AI.

The decision doesn't consider how My AI complied with UK data protection law more broadly,

but it focuses on where SNAP fell short with respect to the DPIA that they had carried out.

So before we start looking at the decision in more detail,

Hannah, can you give us a quick overview of how the SNAP MyAI feature works?

Sure, so My AI is a chatbot which integrates OpenAI's GPT.

It was integrated into SNAP's services for premium users first on the 27th of February

2023 with full release to all users on the 19th of April 2023.

So SNAP we're rolling out this novel technology which triggered the Article 35DPA requirement, right?

Yeah, so as a quick recap, Article 351 of the UK GDPR requires that controllers carry out a data

...