On 5 June 2018, the Personal Data Protection Commission (PDPC) in Singapore released a discussion paper on Artificial Intelligence (AI) and Personal Data. The PDPC is Singapore’s data protection regulator that covers how organizations collect, use and disclose personal data. The discussion paper takes a technology-neutral and sector-agnostic approach, and is intended to be applied to a wide cross-section of organizations and industry bodies.
The framework divides the AI ecosystem into three components: those who make AI (AI developers); those who use AI processes or sell AI-enabled devices (user companies); and consumers. The obligations of the framework primarily rest on AI developers and user companies.
The obligations set out by the framework broadly fall into the following categories:
- The ability to explain how your AI-enabled product works, or, where that is not possible, to supervise the AI system to ensure that the results are accurate and verifiable;
- Good data practices for organizations. This includes knowing the provenance of data and its movement (data lineage), keeping good records throughout the AI value chain, as well as minimizing the risk of inherent or latent biases in the dataset; and
- Open and transparent communication, both between AI developers and user companies as well as with consumers, with a view towards building trust in the AI ecosystem.
The discussion paper also outlines governance measures for organizations to consider that will allow them to be accountable to regulators for their AI decision-making processes. And it suggests measures for building trust and managing relationships with consumers who interact with AI decision-making.
While no binding requirements have been imposed to date, the discussion paper provides an insight into potential regulatory touchpoints and considerations. It may also serve as a basis for legal counsel and compliance officers to obtain resources to improve data practices in organizations that place significant investments in, or reliance on, AI.
By issuing a discussion paper, it is clear that the regulator has its eye on the increasing use of AI across various sectors. The regulator’s current opinion is that “governance frameworks around AI should be … ‘light touch’”. The industry’s response will determine how this view develops in future.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing Danian Zhang at firstname.lastname@example.org.