
Key Points of Hong Kong’s AI Data Protection and Privacy Regulations

Artificial intelligence (AI) is developing rapidly, with new breakthroughs and innovations constantly emerging. As AI technology becomes more advanced and integrated into businesses and everyday life, it is critical that data protection laws and regulations in Hong Kong keep pace. This article provides an overview of the current legal and regulatory framework for data protection and privacy in Hong Kong in the context of artificial intelligence.

In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). In addition, the Office of the Privacy Commissioner for Personal Data (PCPD) has provided guidance on the ethical development and use of AI and a model framework for organizations that acquire, deploy and use AI systems.

PDPO and DPP

Sam Wu
Partner
YYC Legal Information

The PDPO is technology neutral and rules-based. Section 2 of the PDPO defines “data user” as a person who controls the collection, storage, processing or use of personal data.

Accordingly, any individual, entity, organisation or company that develops and/or uses AI systems that involve the processing of personal data will likely be considered a data user and must comply with the following six Data Protection Principles (DPPs) contained in Schedule 1 of the PDPO, among other requirements under the PDPO:

DPP 1 (Purpose and method of data collection). Personal data must be collected lawfully and fairly for a lawful purpose directly related to the data user’s function or activity. The data collected must be necessary and relevant, but not excessive, in relation to such purpose;

DPP 2 (Accuracy and retention time). The data user must take all reasonable steps to ensure that personal data is accurate, up-to-date and not kept for longer than necessary;

DPP 3 (Use). Personal data may only be used for the purposes for which they were collected, unless the data subjects expressly and voluntarily consent to another purpose;

DPP 4 (Security). Appropriate security measures must be taken to protect personal data against unauthorised or accidental access, processing, deletion, loss or use;

DPP 5 (Openness). The data user must make known its personal data policies and practices, the type of personal data it stores, how it is used and the main purposes for which the personal data is stored;

DPP 6 (Access and correction). Data subjects have the right to request access to their personal data and to correct it if it is inaccurate.

AI Guidelines

In August 2021, the PCPD published Guidelines for the Ethical Development and Use of Artificial Intelligence to provide recommendations primarily for organizations that develop and use artificial intelligence systems that involve the use of personal data.

The AI Guidelines recommend that organizations adopt three core values for data management: respect, usefulness and fairness. They also encourage organizations to adopt seven internationally recognized AI ethical principles: accountability; human supervision; transparency and interpretability; data privacy; honesty; useful AI; and reliability, solidity and safety.

To ensure that values and ethical principles are enforceable, organizations should consider recommended practices in the following areas, as outlined in the AI Guidelines, when developing and applying AI and formulating appropriate policies, practices, and procedures: establishing AI strategy and governance; conducting risk assessment and human oversight; implementing AI model development and AI systems governance; and supporting stakeholder communication and engagement.

Model Framework

On June 11, 2024, the PCPD published the Artificial Intelligence: Personal Data Protection Framework. The framework provides best practice recommendations for organizations that acquire, implement, and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.

Similar to the AI Guidelines, the Model Framework outlines recommended measures to ensure that values and ethical principles are implemented. Organizations should consider these recommended practices in the following areas when purchasing, implementing, and using AI solutions, as well as when formulating appropriate policies, practices, and procedures: establishing AI strategy and governance; conducting risk assessments and human oversight; performing AI model customization and implementing and managing AI systems; and supporting stakeholder communication and engagement.

An evolving landscape

While the AI Guidelines and Model Framework do not impose mandatory requirements and the recommendations contained therein are not exhaustive, their publication represents a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking progress in AI, it is likely that the relevant legal and regulatory environment in Hong Kong will continue to evolve to address new issues and challenges.

For now, data users must ensure compliance with the PDPO and the six DPPs and follow the best practice recommendations in the AI Guidelines and the Model Framework, especially with respect to the collection, use and retention of personal data when developing, operating and using AI.

Sam Wu is a partner at YYC Legal

803 and 2803A, China Resource Building
26 Harbour Road, Wanchai, Hong Kong
Phone: +852 2816 6888
Fax: +852 3797 3835
Email: [email protected]
www.yyc-ec.com