Hong Kong Privacy Commissioner for Personal Data Issues Model Personal Data Protection Framework for AI
The Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) published its "Artificial Intelligence: Model Personal Data Protection Framework" (Model Framework). The Framework is a valuable guide for organisations in Hong Kong that seek to procure, implement and use AI systems that handle and process personal data.
The Model Framework aims to assist organisations in complying with the requirements under the Personal Data (Privacy) Ordinance (PDPO) and adhering to the three Data Stewardship Values and seven Ethical Principles for AI advocated in the “Guidance on the Ethical Development and Use of Artificial Intelligence” published by the PCPD in 2021.
The Model Framework covers recommended measures in the following four areas:
AI Strategy and Governance
Organisations should formulate an AI strategy to demonstrate the commitment of top management to the ethical and responsible procurement, implementation and use of AI. Additionally, an internal AI governance structure should be established to steer the implementation of the AI strategy.
Conduct Risk Assessment and Human Oversight
Organisations should conduct comprehensive risk assessments, formulate a risk management system, and adopt a “risk-based” management approach. This is similar to "privacy impact assessments" under the data protection regimes in many jurisdictions. Organisations should also adopt proportionate risk mitigating measures, including deciding on the level of human oversight.
Customisation of AI Models and Implementation and Management of AI Systems
Organisations should prepare and manage data for customisation and/or use of AI systems; test and validate AI models during customisation and implementation; ensure system security and data security; and manage and continuously monitor AI systems.
Communication and Engagement with Stakeholders
Organisations should communicate and engage regularly and effectively with stakeholders in order to enhance transparency and build trust.
Key Takeaways
- The Model Framework is a guidance document which does not have legally binding effect. Nevertheless, complying with the Model Framework, which follows recommended and international best practices, will help organisations adhere to established data protection standards (e.g. data security) and demonstrate overall legal compliance with the PDPO in Hong Kong when deploying and operating any form of AI system.
- The recommendations in the Model Framework are non-exhaustive, and organisations should adopt other measures as appropriate depending on the nature of the AI systems and types of data that the AI systems seek to process.
- The regulation of AI is becoming more prevalent in many jurisdictions, and whilst Hong Kong does not have AI-specific laws and regulations, the Model Framework represents a significant step towards AI governance in Hong Kong.