Hong Kong: New personal data privacy framework for the adoption of artificial intelligence (AI) published
A model framework that focuses on the protection of personal data in the context of AI
In brief
On 11 June 2024, the Office of Privacy Commissioner for Personal Data (PCPD) published the "Artificial Intelligence: Model Personal Data Protection Framework" ("AI Framework"). The AI Framework aims to provide practical recommendations for organisations in their adoption of third-party AI systems to comply with the Personal Data (Privacy) Ordinance (PDPO). It builds upon the PCPD's 2021 Guidance on the Ethical Development and Use of Artificial Intelligence, shifting focus from organisations that develop in-house AI models to organisations procuring and implementing AI solutions from third parties.
The AI Framework is said to be the first comprehensive framework in the Asia Pacific region on general AI procurement and implementation from a personal data privacy perspective, and represents a significant milestone in Hong Kong's approach to regulating AI. At the same time, the PCPD believes that the AI Framework will facilitate Hong Kong's development into an innovation and technology hub and propel the expansion of the digital economy in the Greater Bay Area.
In this article, we consider the content of the AI Framework in more detail and lay out some key takeaways for organisations seeking to ensure that their procurement and implementation of AI is compliant with the PDPO.
Key takeaways
It remains to be seen to what extent the PCPD will monitor or enforce compliance with the AI Framework and whether noncompliance by a data user in relation to the procurement and implementation of AI solutions will give rise to a presumption against the data user in any compliance check or investigation by the PCPD. However, it is clear that the PCPD will continue to scrutinise the use of AI technology by organisations in Hong Kong. The AI Framework represents a significant step towards responsible AI governance, setting a clear expectation for organisations operating in Hong Kong when the procurement and implementation of AI systems involves the use of personal data, and provides a valuable roadmap for compliance with the PDPO in the context of AI. Organisations should consider taking the following actions in line with the recommendations of the AI Framework:
1. Conduct AI audits: Organisations should thoroughly assess their current and planned AI implementations, focusing on data flows, data security measures and potential privacy impacts, as well as reviewing and vetting AI solution providers for compliance.
2. Enhance data governance: Strengthen existing data protection frameworks to specifically address AI-related challenges, including data minimisation, data quality, bias mitigation, and algorithmic transparency.
3. Develop AI-specific policies: Create comprehensive policies governing AI procurement, implementation, and ongoing management, ensuring the appropriate level of human oversight in the procurement and deployment of AI, and consider establishing an AI governance committee.
4. Prepare for AI system customisation: Develop a system and resources for preparing datasets carefully to ensure that they are appropriate and ready for use, and conduct rigorous testing and validation of AI models.
5. Invest in AI literacy: Prioritise AI-related training for employees, particularly those involved in data handling and AI system management.
6. Enhance stakeholder communication: Develop clear, accessible communication strategies to explain the use of AI and its implications to employees, customers, partners, and regulators.
7. Implement robust monitoring: Establish continuous monitoring mechanisms for AI systems, including regular audits and performance assessments.
8. Prepare for incidents: Develop and regularly test AI-specific incident response plans, integrated with existing data breach protocols.
As AI technologies continue to evolve, organisations that proactively align with the recommendations in the AI Framework will be better positioned to harness the benefits of AI while mitigating associated risks. Further global alignment on regulatory standards is likely, and Hong Kong regulators are expected to continue to monitor international AI regulatory developments. For example, on 8 July 2024, the Government launched a public consultation on the further enhancement of the Copyright Ordinance (CO) with respect to the issues arising from AI, especially generative AI. Among other things, the possible introduction of a text and data mining (TDM) exception to the CO that exists in the regime of some jurisdictions is discussed in the consultation paper. We will continue to monitor the developments in this area and keep you updated.
In the meantime, we recommend that organisations also monitor international AI regulatory developments and seek legal advice on how to align with regulations and standards when developing, procuring and deploying AI. With more than 650 lawyers in 47 countries advising on data and technology issues, including AI, we are closely monitoring developments in AI regulation and governance principles around the world and have published an APAC AI regulatory tracker, which is updated periodically.
In depth
Background
The PDPO, effective since 1996, has served as the main legislative framework for personal data protection in Hong Kong. The six Data Protection Principles (DPPs) in Schedule 1 of the PDPO set out obligations for a data user (the equivalent concept under the PDPO to a data controller) covering the life cycle of handling of personal data - collection, retention, use, security, openness and access. The PDPO is a technology-neutral ordinance supplemented by the PCPD's non-binding guidance notes and information leaflets, and has been subject only to limited amendments, principally to introduce offences related to direct marketing (2012) and "doxxing" (2021).
In August 2021, the PCPD published the "Guidance on the Ethical Development and Use of Artificial Intelligence" ("2021 Guidance"), which mainly provides recommended measures for organisations that develop in-house AI systems involving the use of personal data. As an overarching principle, the 2021 Guidance encourages the adoption by AI users of seven internationally recognised "Ethical Principles for AI", which were developed from the three "Data Stewardship Values", and represent the core values in the development and use of AI, as summarised in the table below:
Data Stewardship Values
Being respectful
Being beneficial
Being fair
Ethical Principles for AI
Accountability
Human oversight
Transparency and interpretability
Data Privacy
Beneficial AI
Reliability, robustness and security
Fairness
The PCPD carried out compliance checks on 28 local organisations from August 2023 to February 2024 to understand their practices in relation to the collection, use and processing of personal data in the development or use of AI, as well as the AI governance structure of the relevant organisations. The recommendations that the PCPD published following the compliance checks are also broadly reflected in the content of the AI Framework.
Whom does the AI Framework affect?
The AI Framework provides guiding principles for organisations that engage third-party service providers to develop AI systems or purchase off-the-shelf AI systems for use or customisation and that process personal data in their use or customisation of the AI systems. The AI Framework is therefore aimed at the increasing number of end users who do not develop in-house AI technology but rely on third-party AI developers and/or vendors, and it recommends that organisations that develop in-house AI models refer to the 2021 Guidance.
What is the significance of the AI Framework for data users?
The AI Framework takes as its foundations the same principles and values introduced in the 2021 Guidance. The AI Framework is likely to become a de facto standard for organisations in Hong Kong, providing a roadmap for compliance with the PDPO in the context of AI procurement, implementation and decommissioning. For example, the obligations on a data user to use contractual or other means to ensure that a data processor (which may include an AI system provider) retains data only for as long as necessary (DPP 2(3)) and takes practicable steps to ensure that the personal data is kept secure (DPP 4(2)) are expressly referred to in the AI Framework.
However, the AI Framework goes further and sets out the following specific recommendations:
Leveraging Existing Frameworks: Organisations are encouraged to build upon their existing data governance, accountability, and vendor management frameworks, which they may have developed, for example, in compliance with the PCPD's "Privacy Management Program: A Best Practice Guide". This approach recognises that AI implementation often requires integration with existing technology infrastructure.
Enhanced Risk Assessment: Organisations should expand monitoring mechanisms to include AI-specific vulnerabilities, consider privacy impact assessments for AI systems and conduct due diligence on AI system suppliers to address potential risks.
Transparency and Accountability: Organisations face heightened expectations regarding transparency in AI use, including clearly communicating AI-related risks to data subjects and reframing privacy disclosures to account for varying levels of technical understanding among data subjects.
AI Incident Response: The AI Framework introduces the concept of an "AI Incident," defined as an event where an AI system causes harm to a person, property, or the environment. Organisations should develop AI-specific incident response plans and integrate such plans with existing data breach response mechanisms. While there is no mandatory data breach notification obligation under the PDPO, organisations should consider the potential mandatory breach notification obligations under the proposed PDPO amendments (although there is no concrete legislative proposal for such amendments yet - please refer to our earlier alert on the proposed changes to the PDPO).
There is likely to be increased regulatory scrutiny on AI-related processing in future. The AI Framework notes that organisations are expected to monitor developments in both the regulatory and technological environments. Other regulators, such as the Hong Kong Monetary Authority (HKMA) and the Securities and Futures Commission (SFC), have published various reports, studies, statements and guiding principles relating to the use of AI in the banking and financial services industries. The HKMA's planned sandbox for generative AI in late 2024 indicates growing regulatory interest in sector-specific AI applications.
Key components of the AI Framework
The AI Framework covers recommended measures around four general business processes, each addressing crucial aspects of AI implementation and data protection, with each recommendation aligning with one or more of the ethical principles for AI. Notably, the AI Framework also makes recommendations that go beyond the existing obligations imposed on data users under the PDPO, e.g., developing an AI incident response plan. Here are the four pivotal areas covered by the AI Framework:
1. AI Strategy and Governance
Organisations are encouraged to:
a. Formulate a comprehensive AI governance strategy for procurement, implementation and use of AI - establish appropriate internal policies, procedures and infrastructure to support lawful and responsible AI implementation, including ensuring that potential AI solutions are appropriate and suitable for the organisation's purpose and provided by suppliers that are compliant with key privacy and security obligations as well as international technical and governance standards (which should be addressed in the relevant service agreements, including data processing agreements), and formulate a policy on handling output generated by the AI system;
b. Consider governance structure - this may include the establishment of an AI governance committee comprising a cross-functional team, establishing clear roles and responsibilities for different personnel, ensuring adequate resources in terms of finance and personnel, and establishing internal mechanisms for reporting system failure or raising data protection or ethical concerns;
c. Provide AI-related training to employees.
2. Risk Assessment and Human Oversight
The AI Framework advocates:
a. Comprehensive risk assessments - a risk-based management system should be formulated, implemented, documented and maintained throughout the entire life cycle of an AI system, with the AI governance committee consulting industry frameworks such as the ISO/IEC 23894:2023 (Information technology - Artificial intelligence - Guidance on risk management) to identify and evaluate risks, including privacy risks, and adopt appropriate risk management measures;
b. Determining appropriate levels of human oversight - underscoring the necessity of proactive risk management in AI deployment, recognising that different AI applications may require varying degrees of human intervention;
c. Considering risk mitigation trade-offs - organisations may need to strike a balance when conflicting criteria emerge around seeking to mitigate AI risks, e.g., improving the accuracy and fairness of AI models typically requires more data (including personal data) for training, which may clash with the obligation under DPP 1 to ensure that only adequate and not excessive personal data are used.
3. Customisation, Implementation, and Management of AI Systems
The key recommendations of the AI Framework include:
a. Data preparation for the use of AI, including effective data management for AI system customisation and various measures to ensure compliance with PDPO requirements, including collecting an adequate but not excessive amount of personal data by lawful and fair means (DPP 1);
b. Customisation and implementation of AI solutions, including rigorous testing and validation of AI models, integration and hosting of the AI solution and ensuring system and data security;
c. Continuous monitoring of AI systems as well as the regulatory and technological environment, and considering the establishment of an AI Incident Response Plan - these guidelines highlight the ongoing nature of AI governance, emphasising that responsible AI use extends beyond initial implementation.
4. Stakeholder Communication and Engagement
The AI Framework stresses:
a. Regular and effective communication with stakeholders, in particular staff, AI suppliers, customers and regulators, fostering transparency and trust;
b. Ensuring that data subjects have a mechanism for exercising their legal rights and providing feedback to adjust the relevant AI systems;
c. Making the decisions and output of AI explainable;
d. Communicating with stakeholders, particularly consumers, in plain language that is clear and understandable to lay persons.
Comparison with the AI frameworks in other jurisdictions
Hong Kong's approach to AI regulation through the AI Framework presents some distinct characteristics when compared to other jurisdictions.
While Singapore's regulatory framework also addresses responsible AI use, it takes a broader governance approach, with the Singapore Government publishing an updated national AI strategy in December 2023. From a data privacy perspective, the Personal Data Protection Commission of Singapore published the Model AI Governance Framework (updated in 2020), which provides detailed and readily-implementable guidance to private sector organisations to address key ethical and governance issues, not limited to data privacy, when deploying AI solutions, and in March 2024, issued the finalised Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, which provide guidance on the use of personal data in relation to these types of AI during three stages of AI system implementation: development, deployment and procurement (see our Singapore team's client alert here).
The EU's AI Act takes a sweeping, horizontal approach to the regulation of AI, categorising AI systems based on risk levels and mandating reporting of serious AI incidents. It is essentially a piece of prescriptive, product safety legislation that seeks to provide a structure for day-to-day AI lifecycle management, and is legally binding on providers, distributors, importers and deployers of AI systems. AI practices posing unacceptable risks are prohibited, while at the other end of the spectrum, AI systems with low and minimal risks are not subject to any obligations. AI systems with high risk and limited risk fall in the middle. A new European AI Office is to be established and will be responsible for implementing the EU AI Act, by issuing opinions, recommendations and guidance.
The Chinese Mainland ("China") has been active in enacting legislation to address AI and its by-use-case approach contrasts with other jurisdictions, as explained in this client alert. China has so far taken a vertical approach, regulating AI technologies by type, first focusing on AI recommendation algorithms, then on "deepfakes", and most recently on generative AI, with the Interim Measures for the Management of Generative Artificial Intelligence Services, which took effect on 15 August 2023, regulating providers of generative AI services (see our client alert here). Further regulatory developments are already underway, including plans to enact an overarching AI Law.
In contrast, Hong Kong's AI Framework, which applies to organisations procuring AI systems, aligns more closely with the PDPO's obligations on data users and non-mandatory reporting approach for data incidents, and while the PCPD and sectoral regulators have taken a keen interest in publishing guidelines on AI, there have not been any discussions about a general purpose AI law or establishing an overarching AI regulator in the near future.
(c) 2024 Baker & McKenzie.
Other regulators in the region have released guidelines on data privacy aspects of specific types of AI (rather than AI generally), such as the Personal Data Protection Authority, Singapore - Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems (2024).