Privacy & Information Security Law Blog

On February 20, 2025, the UK Information Commissioner’s Office (“ICO”) published its annual Tech Horizons Report (the “Report”), which explores four key technologies expected to play a significant role in society over the next two to seven years. These technologies include connected transport, quantum sensing and imaging, digital diagnostics and therapeutics, and synthetic media. The Report also discusses the ongoing work of the ICO in addressing data protection and privacy concerns related to the emerging technologies featured in their previous Tech Horizons reports.

The Report provides an overview of how key innovations are seeking to reshape industries and everyday life, the privacy and data protection implications of such innovations, and the ICO’s proposed recommendations and next steps. Below are examples of some of the potential privacy and data protection implications identified by the ICO, along with certain recommendations:

Connected Transport

• Connected vehicles collect extensive and wide-ranging personal data for various purposes in a “complex ecosystem” of controllers and processors. Those organizations with transparency obligations must ensure they provide clear, concise and accessible privacy notices to individuals (including passengers); however, the ICO acknowledges that providing privacy notices in the connected transport environment may be a challenge.
• Organizations should identify the correct lawful bases for processing personal data and remember that, in addition to the UK General Data Protection Regulation (“UK GDPR”), the Privacy and Electronic Communications Regulations also may apply in the context of connected transport and may require consent for certain activities.
• Biometric technology may be used in connected transport for purposes such as fingerprint scanners to unlock vehicles. This technology requires the processing of biometric data which must comply with the requirements to process special category data.
• When vehicles are shared, privacy concerns arise regarding access to data from previous users, such as location or smartphone pairings.

The ICO recommends embedding privacy by design into hardware and services related to connected vehicles to demonstrate compliance with the UK GDPR and other data protection legislation.

Quantum Sensing and Imaging

The ICO acknowledges that in the case of novel quantum sensing and imaging for medical or research purposes, a key benefit is the extra detail and insights provided by the technology. This could be deemed as conflicting with the principle of data minimization. The ICO states that the principle “does not prevent healthcare organisations processing more detailed information about people where necessary to support positive health outcomes,” but that organizations must have a justification for collecting and processing additional information, such as a clear research benefit.

The ICO states that it will continue to find opportunities to engage with industry in this area and to explore any potential data protection risks. The ICO also encourages embedding privacy by design and default when testing and deploying quantum technologies that involve processing personal information.

Digital Diagnostics and Therapeutics

• Organizations working in health care are a target for cyber attacks for a number of reasons, including the nature of data held by such organizations. The adoption of digital diagnostics and therapeutics will only increase this risk. Organizations engaged in this space must comply with all applicable security obligations, including the obligation to ensure the confidentiality, security and integrity of the personal information they process in accordance with the UK GDPR.
• According to the ICO, while the use of artificial intelligence (“AI”) and automated decision-making (“ADM”) “could improve productivity and patient outcomes,” there is a risk that their use to make decisions could “adversely affect some patients.” For example, bias is a key risk when considering AI and ADM. Organizations should use appropriate technical and organizational measures to prevent AI-driven discrimination. Another material risk is the lack of transparency regarding how AI tools process patient data. The ICO states that lack of transparency in a medical context could result in patient harm, and that the use of AI does not reduce an organization’s responsibility to comply with transparency obligations under the UK GDPR.  

The ICO recommends providers implement privacy by design and ensure that any third parties they are engaged with have in place appropriate privacy measures and safeguards. In addition, providers should also ensure they follow guidance regarding fairness, bias and unlawful discrimination.

Synthetic Media

• Data protection laws apply to personal data used in creating synthetic media, even if the final product does not contain identifiable information.
• If automated moderation is used, the ICO confirms that organizations must comply with the ADM requirements of the UK GDPR.

The ICO intends to develop its understanding of synthetic media, including how personal data is processed in the context. The ICO also will work with other regulators and continue to engage with other stakeholders such as the public and interest groups.