On 11 June 2024, Hong Kong’s Office of Privacy Commissioner for Personal Data (PCPD) published its AI framework – more formally, the Artificial Intelligence: Model Personal Data Protection Framework.
The framework aims to provide practical recommendations for organisations to comply with the Personal Data (Privacy) Ordinance (PDPO) during their adoption of third-party AI systems. It builds upon the PCPD’s 2021 Guidance on the Ethical Development and Use of Artificial Intelligence, shifting focus from organisations that develop in-house AI models to those procuring and implementing AI solutions from third parties.
It is said to be the first comprehensive framework in the Asia-Pacific region about general AI procurement and implementation from a personal data privacy perspective, and represents a significant milestone in Hong Kong’s approach to regulating AI.
At the same time, the PCPD says the framework will facilitate Hong Kong’s development into an innovation and technology hub, and propel the expansion of the digital economy in the Greater Bay Area.
Key takeaways
It remains to be seen to what extent the PCPD will monitor or enforce compliance with the AI framework, and whether a data user’s non-compliance in relation to the procurement and implementation of AI solutions will give rise to a presumption against the data user in any compliance check or investigation by the PCPD. However, it is clear that the PCPD will continue to scrutinise the use of AI technology by organisations in Hong Kong.
The AI framework represents a significant step towards responsible AI governance, setting a clear expectation for organisations operating in Hong Kong when the procurement and implementation of AI systems involves the use of personal data.
It also provides a valuable roadmap for compliance with the PDPO in the context of AI. Organisations should consider taking the following actions in line with the recommendations of the AI Framework.
Conduct AI audits
Organisations should thoroughly assess their current and planned AI implementations, focusing on data flows, data security measures and potential privacy impacts, as well as reviewing and vetting AI solution providers for compliance.
Enhance data governance
Strengthen existing data protection frameworks to specifically address AI-related challenges including data minimisation, data quality, bias mitigation and algorithmic transparency.
Develop AI-specific policies
Create comprehensive policies governing AI procurement, implementation and ongoing management, ensuring an appropriate level of human oversight in the procurement and deployment of AI, and consider establishing an AI governance committee.
Prepare for AI system customisation
Develop a system and resources for preparing datasets carefully to ensure that they are appropriate and ready for use, and conduct rigorous testing and validation of AI models.
Invest in AI literacy
Prioritise AI-related training for employees, particularly those involved in data handling and AI system management.
Enhance stakeholder communication
Develop clear, accessible communication strategies to explain the use of AI and its implications to employees, customers, partners and regulators.
Implement robust monitoring
Establish continuous monitoring mechanisms for AI systems, including regular audits and performance assessments.
Prepare for incidents
Develop and regularly test AI-specific incident response plans, integrated with existing data breach protocols.
As AI technologies continue to evolve, organisations that proactively align with the recommendations in the AI framework will be better positioned to harness the benefits of AI while mitigating associated risks. Further global alignment on regulatory standards is likely, and Hong Kong regulators are expected to continue monitoring international AI regulatory developments.
For example, on 8 July 2024, the government launched a public consultation on the further enhancement of the Copyright Ordinance (CO) with respect to the issues arising from AI, especially generative AI. Among other things, the consultation paper discusses the possible introduction of a text and data mining exception to the CO that exists in some other jurisdictions .
In the meantime, the authors recommend that organisations also monitor international AI regulatory developments, and seek legal advice on how to align with regulations and standards when developing, procuring and deploying AI.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice.
You can contact Baker McKenzie by e-mailing Howard Wu (Shanghai) at howard.wu@bakermckenzie.com
