LCQ10: Protecting personal data when developing and using artificial intelligence
*********************************************************************************
Question:
The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) published in 2021 the Guidance on the Ethical Development and Use of Artificial Intelligence (the Guidance) to help organisations understand and comply with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) when developing and using artificial intelligence (AI). However, it is learnt that the State and quite a number of overseas regions are studying the further regulation of AI. For example, the Cyberspace Administration of China has earlier on published the Measures for the Administration of Generative Artificial Intelligence Services (Draft for comments), proposing that providers of AI products or services shall comply with the requirements of laws and regulations, respect social morality as well as public order and good morals, be prohibited from illegally disclosing personal information, and shall not retain input information from which the identities of users can be inferred.The United States and the European Union are also exploring relevant regulation or bills. In this connection, will the Government inform this Council:
(1) whether it knows, since the publication of the Guidance, the number of organisations (including business entities, government departments and public bodies) which have made reference to the Guidance when developing and using AI to formulate relevant policies or measures; if the authorities do not keep relevant data, how they ensure that such organisations abide by Cap. 486 and handle personal data properly;
(2) which provisions in Cap. 486 can deal with issues involving possible abuse of personal data or infringement of privacy when organisations develop and use AI; and
(3) whether the Government will study with the PCPD the amendment of Cap. 486 to cope with the rapid development of AI; whether relevant government departments will collaborate with the PCPD in jointly studying how to strike a balance between protecting personal data and promoting the healthy development of generative AI technology?
Reply:
President,
The daily advancement of technology in the current age has sped up the evolution of artificial intelligence (AI). At the same time, the development and use of AI often touch on personal data, and may entail technology that can identify, assess or monitor a user. The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) published in 2021 the Guidance on the Ethical Development and Use of Artificial Intelligence (the AI Guidance) with an aim to help organisations understand and comply with the relevant personal data privacy protection requirements under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) when developing and using AI. The content of the AI Guidance includes data stewardship values and ethical principles for AI, and provides AI strategy governance practice guides to help organisations devise appropriate AI strategy and management models, conduct risk assessments and devise relevant oversight arrangements etc.
With regard to the Hon Chan's question, having consulted the Innovation, Technology and Industry Bureau (ITIB) and the PCPD, a consolidated reply is provided below:
(1) and (2) Since the PCPD published the AI Guidance in 2021, the relevant guidance has been distributed to over 450 organisations, including government departments, statutory bodies, trade associations, and different professional bodies and trade organisations, including information security, accounting and legal professional bodies, etc. Moreover, the PCPD has been advocating the principles and best practices in the AI Guidance through organising seminars and participating in forums hosted by the information technology sector. Those organisations reflected to the PCPD that the AI Guidance provides useful information which assist the organisations to comply with relevant personal data privacy regulations when developing and using AI systems. The PCPD would continue to publicise and promote the AI Guidance, and has already initiated contact with the innovation and technology sector with a view to strengthening promotion to them.
When developing and using AI, organisations must handle personal data properly in accordance with the requirements under the PDPO. The current PDPO lays down the regulations for the protection of the public's personal data privacy, e.g. before organisations use AI for direct marketing, section 35C of the PDPO requires them to inform data subjects about the target of direct marketing and the kinds of personal data to be used, and to seek the data subject's consent. If organisations do not take the above actions but proceed to use personal data during direct marketing, they will be liable on conviction to a fine of $500,000 and to imprisonment for 3 years. Moreover, organisations should also comply with the six Data Protection Principles under the PDPO, i.e. regulating the purpose and manner of collection of personal data; data accuracy and duration of retention; use of data; data security; transparency of data policies; and data access and correction. This ensures that the entire cycle of handling personal data is subject to adequate safeguards under the law. If organisations contravene the Data Protection Principles, the PCPD will issue an enforcement notice under section 50 of the PDPO requiring organistions to take remedial actions. Failure to comply with an enforcement notice could be subject to a fine at $50,000 and imprisonment for 2 years; if the offence continues after the conviction, a daily penalty of $1,000 could be imposed.
The PCPD has been monitoring and supervising compliance with the PDPO through handling complaints, initiating investigations, handling data breach notifications, and conducting compliance checks and inspections. When considering whether organisations comply with the requirements under the PDPO, the PCPD will take into account all relevant factors and the actual circumstances, including whether organisations are adhering to the AI Guidance issued by the PCPD, etc. Furthermore, the PCPD will also proactively investigate the use of AI by organisations, conduct compliance checks, and publish investigation reports on notable cases.
(3) The Office of the Government Chief Information Officer (OGCIO) has formulated the Ethical Artificial Intelligence Framework having consulted the PCPD and drawn reference to its AI Guidance. The aim of the OGCIO is to provide Government bureaux and departments with a set of practice guide when implementing projects that involve the use of AI technology, and to identify and manage the potential risk of the relevant project and other issues (such as privacy, data security and management, etc.).
The PCPD will closely monitor the development of AI and its associated personal data privacy risks. The PCPD will also periodically review the implementation of the AI Guidance and amend it as appropriate. Moreover, the PCPD will also continue to promote the best practices under the guidance, for example hosting joint seminars and forums with the innovation and technology sector, publishing articles in professional body and international privacy protection publications, etc. The PCPD will also from time to time review the existing PDPO to ensure the protection of privacy. Taking into account the ITIB's policies and development directions on AI and innovation and technology, the PCPD will also provide advice on issues related to personal data privacy protection to the ITIB as appropriate. At the same time, the PCPD will also proactively contact relevant departments such as the Hong Kong Police Force etc, and study together on how to suitably regulate the development and use of AI, to ensure such technologies will not be abused or used for unlawful purposes.
Ends/Wednesday, May 10, 2023
Issued at HKT 12:05
Issued at HKT 12:05
NNNN