A "conversation with AI" loop is emerging in the data subject access request (DSAR) landscape, as organisations increasingly find themselves facing lengthy DSARs produced by generative AI tools. There is the prospect of their responses being fed back into those tools to generate further, similarly broad requests, queries or complaints. These developments risk the creation of an open-ended AI-driven cycle of correspondence, placing increasing pressure on already stretched compliance teams.
AI-generated DSARs often share certain characteristics: they tend to be broad in scope, lengthy in form, and dense with legal terminology intended to convey seriousness. The result is often a DSAR that appears comprehensive and serious, but is substantively vague and difficult to action in practice.
The growing use of AI tools by data subjects in connection with DSARs is mainly driven by the benefits the technologies offer. Generative AI can assist individuals in understanding their right of access under the UK data protection regime, and in articulating requests which seem more structured and legally informed, without the need to instruct a lawyer.
However, AI tools may get things wrong and hallucinate, including producing inaccurate legal assertions or citing non-existent sources, simply to provide a response. In the DSAR context, imprecise legal language, combined with requests that are excessive in tone, length or scope, can make it more difficult for controllers to identify the underlying purpose or scope of the data subject’s request and comply with it effectively. Where a data subject is heavily reliant on AI, every response to the DSAR from the controller is potentially just shadowboxing the next prompt that will be fed into the AI tool by the data subject. The AI creates a refreshed DSAR or requests a detailed explanation of a specific redaction, but there is no real substance.
Moreover, AI-generated DSARs may seek large volumes of data across every available system used by an organisation, ranging from day-to-day communications such as emails and instant messages to more technical records such as metadata, access logs and audit trails. This can significantly increase the burden on controllers, both in identifying and retrieving potentially relevant information and in reviewing that material for disclosure, redaction and applicable exemptions. Data subjects unfamiliar with data protection law may also believe they are allowed more information than they are legally entitled to, placing complete trust in the perceived truth and accuracy of the output from the AI tool.
Thematic Overlaps: read across the ICO's FOIA Guidance
This is not just a challenge associated with DSARs. It also affects other information rights requests, including requests under the Freedom of Information Act 2000 (FOIA). In recognition of this, the Information Commissioner's Office (the ICO) has published new guidance on dealing with AI-generated access requests under FOIA (the Guidance).
As most readers will be aware, FOIA and data protection legislation each grant access rights to different types of data. FOIA gives requesters a right of access to certain information held by public authorities, whereas the UK General Data Protection Regulation (UK GDPR) (and in some cases the Data Protection Act 2018) gives data subjects a right of access to their own personal data held by controllers.
The following points made in the Guidance are noteworthy (and can be read across to the DSAR regime under data protection law):
- Validity: The Guidance clarifies that FOIA requests are not necessarily invalid simply because they are generated by AI. Though AI-generated requests may misstate the law or request information that the requester is not entitled to, this alone does not invalidate the request. Where this is the case, though, organisations should consider engaging with the requester, explaining where the request is incorrect, and perhaps referring them to the ICO's guidance for further information. In the Guidance, the ICO provides a template "warning sign" for requesters using AI to generate FOIA requests. This is designed to encourage requesters to improve their AI-generated requests.
- Clarification: Where AI-generated FOIA requests are unclear, the Guidance states that organisations should seek clarification in a timely manner.
- Abusive requests: The Guidance reminds organisations that vexatious AI-generated FOIA requests may be refused, as is the case with non-AI-generated FOIA requests.
In essence, the Guidance seeks to clarify that tools already exist under FOIA to enable public authorities to effectively handle AI-generated requests.
Practical tools in dealing with AI-generated DSARs
What does this mean for AI-generated DSARs? Applying the Guidance by analogy, and alongside the UK data protection legislation, organisations should consider the following tools and approaches when dealing with AI-generated DSARs:
Bottom Line – use of AI does not impact validity
Similar to the position with AI-generated FOIA requests, the fact that a DSAR has been generated using AI should not, of itself, be a basis for treating it as invalid. AI is merely a tool that affects how a DSAR is drafted, but it does not undermine the data subject's underlying right of access.
As noted above, the Guidance contains a "warning sign" designed to encourage requesters to critically review their AI-generated FOIA requests before submission in order to improve them. Organisations may wish to consider deploying similar warning signs in their privacy notices and DSAR-related communications (e.g., in requests for clarification) to encourage better use of AI to generate DSARs.
Seek Clarification
As with AI-generated FOIA requests, AI-generated DSARs can be unclear and seek information that doesn't exist or which the requester is not entitled to receive. Controllers are entitled to request clarification of the request if it is reasonably required (which is likely to be the case when faced with such requests). Organisations should also be mindful that the extent of their duty to search for personal data in response to a DSAR is to do what is reasonable and proportionate – even where requests for clarification yield equally broad requests.
When seeking clarification, organisations should consider whether it is appropriate to speak (as opposed to correspond) with the data subject. Doing so may help to break the AI-conversation loop and reintroduce a human into the equation.
Manifestly Unfounded or Excessive
Under the UK GDPR, a controller may refuse to comply with a DSAR, wholly or partly, if it is manifestly unfounded, excessive, or both. Alternatively, controllers may respond and charge a reasonable fee. The ICO emphasises that this exemption has a high threshold and must be supported by strong justification and clear evidence. As with vexatious requests under FOIA, there is the potential for AI-generated DSARs to trip this threshold. This might be the case where repeated AI-generated DSARs are submitted in short succession.
Substance Over Form
A key transferable message from the Guidance is that organisations should focus on the substance of an AI-generated DSAR rather than its drafting style. Controllers should use front-line triage as an opportunity to identify the genuine request for personal data beneath any template wording, irrelevant narrative or misstated legal assertions. This will also reduce the risk of both over-refusal and over-compliance.
Matter Closure – knowing when to disengage
Where an AI-generated DSAR results in prolonged, repetitive or unfocused correspondence, controllers should consider bringing the matter to a close, to avoid being drawn into the open‑ended, AI‑driven loop. On exhaustion of all of the tools and tactics above, it may be appropriate to close the matter and inform the data subject of their right to complain to the ICO (and, post-19 June 2026, the organisation itself), documenting the reasons that a legitimate case-management decision has been made.
Conclusion
Use of AI reshapes how data subjects exercise their right of access, but it does not change the underlying framework: controllers must continue to comply with the UK data protection legislation. Equally, controllers should feel empowered to use the existing legal tools at their disposal to manage AI-generated requests, whether that be through seeking clarification, limiting searches in response to DSARs to what is reasonable and proportionate, or relying on the manifestly unfounded or excessive regime to dismiss abusive AI-generated DSARs.
