The recent explosion of AI transcription is a hazard for organisations trying to cope with data subject access requests. Businesses should plan now to adopt new technologies without putting DSAR fulfilment – and other commercial processes – at risk.
Is AI transcription a DSAR time-bomb?
Recently there has been a revolution in the use of AI transcription tools which create written records of audio meetings.
This poses a real risk for managing data subject access requests (DSARs). This article is the latest in our series on cutting the DSAR task down to size, which has already looked at data protection by design, when it’s possible to say no to a DSAR, problems linked to the use of private devices and private accounts by staff, and how to manage obligations beyond data.
Transcription may involve using a transcription feature such as those embedded in Teams or Zoom, or using AI note-taker software such as Notion or Fireflies. Some tools will create a transcript or recording of a meeting, others will offer meeting summaries or action points without capturing the meeting content in full. Although modern office protocols require meeting hosts to ask the participants for permission to record, the new tools also enable transcription of meetings which have been covertly recorded via phone, allowing participants to document “off the record” calls or meetings.
This has significant implications for companies and those advising them.
Deletion
First, the sheer volume of data created is an issue from a DSAR perspective. Once a controller has received a DSAR, data cannot ordinarily be deleted. While deletion which occurs as part of routine procedures while handling the DSAR may be acceptable, a controller should exercise caution in view of the potential criminal offence associated with intentional destruction of DSAR material under section 173 of the Data Protection Act 2018 (DPA).
A question of control
The DSAR obligation is to search for personal data in material of which the recipient of the request is the controller. Transcriptions and AI-enabled generation of material make it difficult to understand who the controller is when information is no longer neatly housed under the control of one person or in a particular video-calling tool.
Information is constantly being generated by AI using already AI-generated information from summaries or circulars as its source. Although some protection may be granted by using transcription tools which claim to redact personal data, that may not be enough. “Personal data” is a broad concept which potentially includes any information “about” someone, as well as more obvious identifiers like names which will be picked up by a redaction tool.
Rights and privileges
When it comes to meetings with lawyers, further risks arise. Broader circulation of call transcripts with staff beyond parties to a call with counsel risks waiving legal privilege, which can usually exempt material from a DSAR under Schedule 2 para 19 of the DPA. It could do this in various ways – including, at least in the UK, by threatening the “dominant purpose” requirement for legal advice privilege, which is already complex to navigate, especially for in-house counsel. In addition, circulation could more broadly undermine the “quality of confidence” in information which underlies privilege rules in most jurisdictions.
Accuracy
Data created through recycling of materials through generative AI can often be inaccurate, for example as a result of mistakes in source material, over-simplification and hallucinations. This is already causing problems in UK litigation, with several rulings such as this case from 2023 condemning the waste of time and money caused by invented cases in pleadings. Inaccurate data can still be personal data within the scope of a DSAR but it may complicate the analysis of whether it relates to an identifiable individual, making the controller’s work of scoping harder.
Open and closed cultures
The AI-generated transcript may capture idle gossip, informal conversations, conjecture and off-the-cuff opinions. While increasing accountability can be a positive, there is a balance to be struck. It is important for individuals to discuss matters frankly in the interests of trust, co-operation and creativity. Creating a written record of things that a business would not want committed to written records creates a general “chilling effect” on openness in communications. This risks development of secretive and hyper-accountable cultures where blame is deflected at all costs. In turn, distrust in the workplace is only likely to encourage adversarial DSARs.
Retention
Retention policies have not yet caught up with the implications of the technology. Generally, the operationalisation of data deletion is poor within many organisations. This means that more data than necessary or desirable will be available for DSAR requesters, and the task of packaging it will be difficult. Certainly in Europe – notably in Italy, Spain and France – a poorly handled DSAR is a trigger for wider regulatory investigation which will inevitably uncover other failings, and often punish them. Basic data management is an organisation’s first defence.
Beyond DSARs
Over-sharing of legal discussions is not only problematic for DSARs; conversations concerning negotiations and strategy for corporate transactions could inadvertently be shared with the other side. Transcriptions may not capture nuance or context in legal discussions, and summaries can easily misstate legal advice.
This is before considering the broader legal and commercial risks of breaching confidentiality. These include breaching NDA provisions by creating copies and circulating information belonging to others, as well as breaches of data protection and privacy laws, copyright issues, and so on. A platform may promise controls to limit recipients of transcripts or recordings but mistakes happen and damage can be impossible to reverse in practice.
What should we do?
As a first step, transcription practices should be subject to an internal policy.
For meetings and calls with legal advisers:
- Policies should detail if, when and how transcripts of meetings and calls with legal advisers are created. Organisations may consider identifying meetings and calls as legally privileged at the start, and will want bespoke controls on sharing and retaining potentially privileged material.
For all transcription:
- Policies should cover internal controls on the creation of transcripts and summaries, access rights, sharing, ethical walls and other confidentiality controls, appropriate training, auto-deletion and retention periods for transcripts.
- Policies should mandate that contract terms with suppliers of transcription services (whether embedded or not) cover supplier confidentiality, data security, intellectual property (both ownership and licence grants), data ownership, data re-use, privacy and audit rights.
If you need assistance with this or any aspect of dealing with a DSAR, Shoosmiths has an end-to-end DSAR solution, SmartSAR, which can help streamline the DSAR process and offer robust advice on transcription risks.
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.