Artificial intelligence (AI) has been developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology becomes more advanced and integrated into businesses and everyday life, it is crucial for Hong Kong’s data protection laws and regulations to keep pace. This article provides an overview of the current legal and regulatory framework of data protection and privacy in Hong Kong in the context of AI.
In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). Additionally, the Office of the Privacy Commissioner for Personal Data (PCPD) has provided guidance on the ethical development and use of AI and the model framework for organisations that procure, implement and use AI systems.
PDPO and DPPs
Partner
YYC Legal
The PDPO is technology-neutral and principle-based. Section 2 of the PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data.
Accordingly, any individual, entity, organisation or business that develops and/or uses AI systems involving the handling of personal data is likely to be considered a data user and must adhere to the following six data protection principles (DPPs) in schedule 1 of the PDPO, among other requirements under the PDPO:
DPP 1 (Purpose and manner of collection). Personal data must be collected in a lawful and fair manner for a lawful purpose directly related to the data user’s function or activity. The data collected shall be necessary and adequate but not excessive for such purpose;
DPP 2 (Accuracy and duration of retention). The data user must take all practicable steps to ensure that personal data is accurate, up to date and not kept longer than necessary;
DPP 3 (Use). Personal data can only be used for the purposes for which it was collected, unless express and voluntary consent has been obtained from the data subjects for any other purposes;
DPP 4 (Security). Reasonable security measures must be taken to protect personal data from unauthorised or accidental access, processing, erasure, loss or use;
DPP 5 (Openness). The data user must be open about its policies and practices in relation to personal data, the kind of personal data it holds, how it is used and the main purposes for which personal data is held; and
DPP 6 (Access and correction). Data subjects shall have the right to request access to and correction of their own personal data if it is inaccurate.
AI guidance
In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence to provide recommendations primarily for organisations that develop and use AI systems involving the use of personal data.
The AI guidance recommends that organisations embrace three core data stewardship values: being respectful, beneficial and fair. It also encourages organisations to adopt the seven internationally recognised ethical principles for AI: accountability; human oversight; transparency and interpretability; data privacy; fairness; beneficial AI; and reliability, robustness and security.
To ensure the values and the ethical principles are practicable, organisations should take into consideration the recommended practices in the following areas, as set out in the AI Guidance, when they develop and use AI and formulate appropriate policies, practices and procedures: establishing AI strategy and governance; conducting risk assessment and human oversight; executing development of AI models and management of AI systems; and fostering communication and engagement with stakeholders.
Model framework
On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework. The model framework provides recommendations on the best practices for organisations that procure, implement and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.
Similar to the AI guidance, the model framework outlines recommended measures to ensure the implementation of the values and the ethical principles. Organisations should consider these recommended practices in the following areas when procuring, implementing and using AI solutions, as well as when formulating appropriate policies, practices and procedures: establishing AI strategy and governance; conducting risk assessment and human oversight; executing customisation of AI models and implementation and management of AI systems; and fostering communication and engagement with stakeholders.
An evolving landscape
While the AI guidance and the model framework do not impose mandatory requirements and their recommendations are not exhaustive, their publication is a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking advancement of AI, it is likely that the relevant legal and regulatory landscape in Hong Kong will continue to evolve to address new issues and challenges.
For the time being, data users must ensure they comply with the PDPO and the six DPPs, and follow the best practice recommendations in the AI guidance and the model framework, especially when it comes to the collection, use and retention of personal data during the development, operation and use of AI.
Sam Wu is a partner at YYC Legal
803 & 2803A, China Resources Building
26 Harbour Road, Wanchai, Hong Kong
Tel: +852 2816 6888
Fax: +852 3797 3835
E-mail: samwu@east-concord.com.hk
www.yyc-ec.com
