Key points of AI data protection and privacy regulations in Hong Kong (Chinese-English bilingual)

Author: 胡銘深

Opinion

Artificial intelligence (AI) is developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology grows more sophisticated and is progressively integrated into business and everyday life, Hong Kong's data protection laws and regulations must keep pace. This article outlines the legal and regulatory framework for data protection and privacy in Hong Kong in the context of AI.

The principal data protection law in Hong Kong is the Personal Data (Privacy) Ordinance (the "PDPO"). In addition, the Office of the Privacy Commissioner for Personal Data (the "PCPD") has issued guidance on ethical standards for the development and use of AI, and provides a model framework for organisations that procure, implement and use AI systems.

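01、PDPO and the six data protection principles

The PDPO is technology-neutral and principle-based. Under section 2 of the PDPO, a "data user" is a person who controls the collection, holding, processing or use of personal data.

Accordingly, any individual, entity, organisation or business that develops and/or uses an AI system involving the handling of personal data may be regarded as a data user. In addition to the other requirements of the PDPO, a data user must comply with the six data protection principles in schedule 1 of the PDPO (the "DPPs"):

1.DPP 1 (Purpose and manner of collection): Data users must collect personal data in a lawful and fair manner, for a purpose that is lawful and directly related to their functions or activities. The data collected shall be necessary and adequate, but shall not exceed what the purpose requires;

2.DPP 2 (Accuracy and duration of retention): Data users must take practicable steps to ensure that personal data is accurate and up to date, and is not kept longer than is actually necessary;

3.DPP 3 (Use): Personal data may only be used for the purpose stated at the time of collection; use for any other purpose requires the express and voluntary consent of the data subject;

4.DPP 4 (Security): Reasonable security measures must be taken to protect personal data from unauthorised or accidental access, processing, erasure, loss or use;

5.DPP 5 (Openness): Data users must make public their policies and practices for handling personal data, and state the kinds of personal data they hold, how it is used and its main purposes; and

6.DPP 6 (Access and correction): Data subjects have the right to request access to, and correction of, their inaccurate personal data.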

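02、AI Guidance

In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence (the "AI Guidance"), which mainly provides recommendations for organisations whose development and use of AI systems involves the use of personal data.

The AI Guidance recommends that organisations adopt three core data stewardship values (the "Values"):

1.respectful;

2.beneficial; and

3.fair.

It also encourages organisations to adopt seven internationally recognised ethical principles for AI (the "Ethical Principles"):

1.accountability;

2.human oversight;

3.transparency and interpretability;

4.data privacy;

5.fairness;

6.beneficial AI; and

7.reliability, robustness and security.

To ensure that the Values and the Ethical Principles are practicable, organisations should, when developing and using AI and formulating appropriate policies, practices and procedures, consider the recommended practices set out in the AI Guidance in the following areas:

1.establishing AI strategy and governance;

2.conducting risk assessment and human oversight;

3.executing development of AI models and management of AI systems; and

4.fostering communication and engagement with stakeholders.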

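03、Model Framework

On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework (the "Model Framework"), which provides best-practice recommendations for organisations that procure, implement and use any AI system or solution involving personal data, including predictive AI and generative AI.

Like the AI Guidance, the Model Framework sets out recommended measures to ensure that the Values and the Ethical Principles are implemented. When procuring, implementing and using AI solutions, and when formulating appropriate policies, practices and procedures, organisations should consider the recommended measures in the following areas:

1.establishing AI strategy and governance;

2.conducting risk assessment and human oversight;

3.executing customisation of AI models and implementation and management of AI systems; and

4.fostering communication and engagement with stakeholders.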

04、Never standing still

Although the AI Guidance and the Model Framework are not mandatory and their recommendations are not exhaustive, their publication is undoubtedly an important step in supporting the responsible and ethical development of AI in Hong Kong. In view of the rapid development of and breakthroughs in AI, the relevant legal and regulatory environment in Hong Kong will continue to evolve to address new issues and challenges.

For now, data users must ensure that they comply with the PDPO and the six DPPs, and follow the best-practice recommendations in the AI Guidance and the Model Framework, particularly where the development, operation and use of AI involves the collection, use and retention of personal data.

This article is only a general overview of the topic and is not intended to be professional advice that can be relied upon. Please contact us for further specific legal advice.

(First published on the official account: 商法CBLJ)

Key points of AI data protection and privacy regulations in Hong Kong

Artificial intelligence (AI) has been developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology becomes more advanced and integrated into businesses and everyday life, it is crucial for Hong Kong’s data protection laws and regulations to keep pace. This article provides an overview of the current legal and regulatory framework of data protection and privacy in Hong Kong in the context of AI.

In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). Additionally, the Office of the Privacy Commissioner for Personal Data (PCPD) has provided guidance on the ethical development and use of AI and the model framework for organisations that procure, implement and use AI systems.

01、PDPO and DPPs

The PDPO is technology-neutral and principle-based. Section 2 of the PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data.

Accordingly, any individual, entity, organisation or business that develops and/or uses AI systems involving the handling of personal data is likely to be considered a data user and must adhere to the following six data protection principles (DPPs) in schedule 1 of the PDPO, among other requirements under the PDPO:

1.DPP 1 (Purpose and manner of collection): Personal data must be collected in a lawful and fair manner for a lawful purpose directly related to the data user’s function or activity. The data collected shall be necessary and adequate but not excessive for such purpose;

2.DPP 2 (Accuracy and duration of retention): The data user must take all practicable steps to ensure that personal data is accurate, up to date and not kept longer than necessary;

3.DPP 3 (Use): Personal data can only be used for the purposes for which it was collected, unless express and voluntary consent has been obtained from the data subjects for any other purposes;

4.DPP 4 (Security): Reasonable security measures must be taken to protect personal data from unauthorised or accidental access, processing, erasure, loss or use;

5.DPP 5 (Openness): The data user must be open about its policies and practices in relation to personal data, the kind of personal data it holds, how it is used and the main purposes for which personal data is held; and

6.DPP 6 (Access and correction): Data subjects shall have the right to request access to and correction of their own personal data if it is inaccurate.

02、AI guidance

In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence (AI Guidance) to provide recommendations primarily for organisations that develop and use AI systems involving the use of personal data.

The AI Guidance recommends that organisations embrace three core data stewardship values (Values), being:

1.respectful;

2.beneficial; and

3.fair.

It also encourages organisations to adopt the seven internationally recognised ethical principles (Ethical Principles) for AI:

1.accountability;

2.human oversight;

3.transparency and interpretability;

4.data privacy;

5.fairness;

6.beneficial AI; and

7.reliability, robustness and security.

To ensure the Values and the Ethical Principles are practicable, organisations should take into consideration the recommended practices in the following areas, as set out in the AI Guidance, when they develop and use AI and formulate appropriate policies, practices and procedures:

1.establishing AI strategy and governance;

2.conducting risk assessment and human oversight;

3.executing development of AI models and management of AI systems; and

4.fostering communication and engagement with stakeholders.

03、Model framework

On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework (Model Framework). The Model Framework provides recommendations on the best practices for organisations that procure, implement and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.

Similar to the AI Guidance, the Model Framework outlines recommended measures to ensure the implementation of the Values and the Ethical Principles. Organisations should consider these recommended practices in the following areas when procuring, implementing and using AI solutions, as well as when formulating appropriate policies, practices and procedures:

1.establishing AI strategy and governance;

2.conducting risk assessment and human oversight;

3.executing customisation of AI models and implementation and management of AI systems; and

4.fostering communication and engagement with stakeholders.

04、An evolving landscape

While the AI Guidance and the Model Framework do not impose mandatory requirements and their recommendations are not exhaustive, their publication is a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking advancement of AI, it is likely that the relevant legal and regulatory landscape in Hong Kong will continue to evolve to address new issues and challenges.

For the time being, data users must ensure they comply with the PDPO and the six DPPs, and follow the best practice recommendations in the AI Guidance and the Model Framework, especially when it comes to the collection, use and retention of personal data during the development, operation and use of AI.

This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please refer to your advisors for specific advice.

(Original source: 商法CBLJ)

