Microsoft’s upcoming feature, Recall, has raised concerns about users’ privacy and its compliance with GDPR. The Information Commissioner’s Office (ICO) says it is contacting Microsoft for more information about the product.
Recall captures encrypted snapshots of users’ screens and stores them locally on their computers. It is part of the new Copilot+ PCs. Microsoft insists that Recall is an “optional experience” designed with privacy in mind. Users can control which snapshots are collected, and Microsoft claims that no external parties, including Microsoft itself, can access these images without physical access to the device.
Despite Microsoft’s reassurances, the ICO is investigating the safeguards in place to protect user privacy. An ICO spokesperson said firms must “rigorously assess and mitigate risks to people’s rights and freedoms” before bringing any new products to market. “We are making enquiries with Microsoft to understand the safeguards in place to protect user privacy,” they said.
Because screenshots can capture sensitive information, including passwords, financial details, and personal queries, Microsoft and corporate users of the new feature will have to evidence how they intend to comply with GDPR’s security obligations as set out in Article 32.
AI remains a key priority for the ICO. It has launched a series of consultations on how aspects of data protection law should apply to the development and use of generative AI models, building on its extensive guidance on data protection and AI. The ICO’s proactive stance underscores the importance of robust user control and stringent data protection measures when it comes to implementing AI-powered tools.

