Global digital transformation has resulted in advancements in AI technology, alongside a keen cross-sector interest in utilizing it. However, this technology comes hand in hand with concerns around privacy, ethics, bias and discrimination. Our second session examined the implementation of AI's in the region, potential regulatory developments in the Asia Pacific region in view of the proposals in the EU seeking to govern AI systems more stringently, and key privacy considerations when deploying AI solutions.
AI has become a regular sight in consumer technology — from automated text messaging to computer-controlled video game enemies and many applications that are embedded into our daily lives. However, a number of AI applications come with an increased data privacy risk which must be taken into account, such as the use of AI in an employment context, machine learning and facial recognition. Such applications necessitate the collation and use of a large amount of user data, prompting questions surrounding data privacy, data minimization, storage, legitimate purpose and data subject's consent.
Session 2: Artificial Intelligence (AI) and privacy
Developments in the regulation of AI
- EU developments: The EU approach has thus far set the benchmark for regulation of AI technology, with Regulations expected in the latter half of 2022 poised to divide AI programs into categories based on their riskiness. High-risk AI, such as facial recognition and infrastructure-related AI will be subject to strict obligations, requiring risk assessments similar to the GDPR's Data Protection Impact Assessment (DPIA). The Regulations also propose requirements related to transparency, traceability and human oversight. Obligations for lower-risk AI, such as chatbots, primarily relate to transparency and security.
- Japan: There is currently limited regulation of AI in Japan. While the Ministry of Internal Affairs and Communications issued the Guidelines in 2018 warning those implementing AI to ensure privacy rights of users and data providers are not violated, these are quite high-level and do not address many of the issues raised by AI.
- Australia: While Australia does not have specific privacy laws governing AI, existing privacy legislation applies broadly and impacts upon AI compliance requirements. Australia's Privacy Act is technology-neutral, principle-based and largely limits the ways in which entities can use information for secondary purposes, requiring data controllers to disclose the purpose for which personal information is collected and to obtain consent for any further purposes. The Australian government is also examining AI regulation outside of the privacy-specific framework, issuing the AI Ethics Framework in 2019 which introduced the AI Ethics Principles. While these Principles are currently voluntary, a number of them touch on data privacy concerns when developing AI technology which mirrors the EU's "Privacy by Design" approach. Enforcement relating to AI has focused primarily on biometrics and facial recognition, as there were multiple enforcement actions on this front in 2021.
- Singapore: The Model AI Governance Framework, while not mandatory, highlights Singapore's current approach to AI regulation. The Framework provides a baseline for industry and technology, focusing on the introduction of AI and including a compendium of use cases and a checklist for safe implementation. The approach is similar to other jurisdictions in that the Framework focuses on the principles of transparency, explicability and fairness.
Emerging privacy considerations when using AI
AI systems can be subject to a number of cybersecurity concerns — if the system is not secure, information can be extracted which can constitute a data breach and potential violation of data protection laws. The absence of specific legislation does not mean absence of repercussions, as existing privacy frameworks can apply to the data that powers the AI. Companies using AI should also be aware of where the data comes from, to ensure that the data enabling the AI to make decisions has been gathered lawfully and with the data subjects' consent.
Access the session recording and other materials here.
Speakers: Divina Ilas-Panganiban, Kensaku Takase, Simone Blackadder and Alex Toh
International: Deciphering Data Webinar Series - Not ‘If’ But ‘When’: Cybersecurity Global Update - Session 1 (Webinar)
International: Deciphering Data Webinar Series - Not ‘If’ But ‘When’: Cybersecurity Global Update - Session 2 (Webinar)
International: Deciphering Data Webinar Series - Journey Around the World: Data Privacy Global Update - Session 1 (Webinar)
International: Deciphering Data Webinar Series - Journey Around the World - Data Privacy Global Update - Session 2 (Webinar)
Europe: Deciphering Data Webinar Series - Managing Workforce Data (Webinar)
Europe: Deciphering Data Webinar Series - When Data Goes Wrong - Enforcement and Litigation Trends Across Europe (Webinar)
Europe: Deciphering Data Webinar Series - Cookies and Online Advertising - Recent Trends in Europe (Webinar)
Europe: Deciphering Data Webinar Series - International Data Transfers - What’s Next? (Webinar)
Asia Pacific sessions
Asia Pacific: Deciphering Data Webinar Series - Spotlight on privacy developments (Webinar)
Asia Pacific: Deciphering Data Webinar Series - Artificial Intelligence (AI) and privacy (Webinar)
Asia Pacific: Deciphering Data Webinar Series - Effective and sustainable privacy compliance programs (Webinar)