5 April 2024
New PDPC Guidelines on Use of Personal Data in AI Recommendation and Decision Systems
Use of personal data in the development and deployment of AI systems has been a key area of concern, especially where used by AI systems to make recommendations, predictions or decisions.
Recognising the need for clearer guidance, the Personal Data Protection Commission (“PDPC”) of Singapore published their Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems (“Advisory Guidelines”) on 1 March 2024. The Advisory Guidelines serve to:
-
clarify when personal data may be used in the development and the deployment of AI systems which embed machine learning (ML) models (“AI Systems”) to make decisions, recommendations, or predictions; and
-
provide consumers with assurance by setting out baseline guidance and best practices for organisations on the use of personal data in AI Systems.
Who do the Advisory Guidelines apply to?
The Advisory Guidelines apply to:
-
organisations which collect and/or use personal data to train and develop and deploy AI Systems; and
-
third-party developers of bespoke AI Systems who act as data intermediaries.
Key takeaways from the Advisory Guidelines
The Advisory Guidelines focus on data protection concerns relating to the three main stages of AI System implementation, namely, development, testing and monitoring, deployment, and procurement.
Use of Personal Data in AI System Development, Testing and Monitoring
Organisations involved in the development of AI Systems, whether through in-house expertise or the engagement of third-party services providers, may collect and use the personal data for such purposes if:
-
meaningful consent from individuals for such purposes is obtained; or
-
if no consent is obtained, any of the following Exceptions under the PDPA apply ¹:
-
the Business Improvement Exception ² - relevant when organisations are developing AI Systems to enhance an existing product or service. For example, the Business Improvement Exception may be relevant if an organisation collects and uses personal data of its customers to develop recommendation engines to offer more personalised content aligned to its customer’s browsing or purchase history; or
-
the Research Exception ³ - relevant when organisations are conducting broader commercial research and development to develop AI that may not have immediate application to their products, business operations or market.
Deployment - Collecting and Using Personal Data in AI Systems
When deploying AI Systems, organisations need to be mindful of the applicable Consent, Notification, and Accountability obligations:
-
Consent Obligation ⁴: Consent will be required for the collection and use of personal data in the deployment of AI Systems to provide recommendations, predictions or decisions, unless deemed consent or exceptions apply e.g. Legitimate Interests Exception. Consent should also be meaningful, i.e individuals should be given information about the type of personal data collected and processed, and the purpose for the processing, eg. user’s movie viewing history will be collected to recommend movies.
-
Notification Obligation ⁵: Organisations must notify individuals about the types of personal data that will be collected and processed, and purposes for the processing. Notifications need not be overly technical or detailed and should be proportionate to the risks of each use-case.
-
The Legitimate Interests Exception ⁶ refers to legitimate interests such as the use of personal data in AI Systems for the purposes of detecting or preventing illegal activities. To rely on this exception, organisations must notify individuals of this exception when collecting and using personal data, and must assess and ensure that the legitimate interest outweighs any adverse effect.
-
Accountability Obligation ⁷: Organisations must discharge their responsibility for personal data collected or obtained for processing, and which it has control over. For example, organisations that use AI Systems should be transparent and include in their written policies relevant practices and safeguards to achieve “fairness” and “reasonableness”. These written policies should be published as a form of best practices even if organisations rely on exceptions to consent (i.e. the Business Improvement and Research Exceptions).
Procurement of AI Systems – Best Practices for Service Providers supporting implementation of AI Systems
Service providers who are engaged to develop and deploy customisable AI Systems take on the role of data intermediaries and would have to comply with their own obligations under the PDPA, in addition to supporting the organisations which engage them in their obligations under the PDPA. Service providers should also implement data mapping and labelling to track data used in the training dataset and to maintain a provenance record to track the lineage of the training data and its transformation during data preparations.
For queries or more information, please contact:
.jpg)
¹ Subject to the organisation meeting the prescribed conditions for each Exception.
² Part 5, First Schedule of the PDPA
³ Part 2, Second Schedule of the PDPA
⁴ Section 13 of the PDPA.
⁵ Section 20 of the PDPA.
⁶ Part 3 of the First Schedule of the PDPA.
⁷ Sections 11 and 12 of the PDPA.
This article is intended to provide general information only and should not be relied upon as an exhaustive or comprehensive statement of law. Should you have any specific questions, please speak with one of our above contacts, or your usual contact at Amica Law LLC.
We wish to express our thanks to Joan Soo, our practice trainee, for her contributions to this update.
© 2024 Amica Law LLC. All rights reserved.