Key points of AI data protection and privacy regulations in Hong Kong
Artificial intelligence (AI) has been developing rapidly, with new breakthroughs and innovations emerging constantly. As AI technology becomes more advanced and integrated into businesses and everyday life, it is crucial for Hong Kong’s data protection laws and regulations to keep pace. This article provides an overview of the current legal and regulatory framework of data protection and privacy in Hong Kong in the context of AI.
In Hong Kong, the primary law governing data protection is the Personal Data (Privacy) Ordinance (PDPO). Additionally, the Office of the Privacy Commissioner for Personal Data (PCPD) has issued guidance on the ethical development and use of AI, as well as a model framework for organisations that procure, implement and use AI systems.
01. PDPO and DPPs
The PDPO is technology-neutral and principle-based. Section 2 of the PDPO defines a “data user” as a person who controls the collection, holding, processing or use of personal data.
Accordingly, any individual, entity, organisation or business that develops and/or uses AI systems involving the handling of personal data is likely to be considered a data user and must adhere to the following six data protection principles (DPPs) in schedule 1 of the PDPO, among other requirements under the PDPO:
1. DPP 1 (Purpose and manner of collection): Personal data must be collected in a lawful and fair manner for a lawful purpose directly related to the data user’s function or activity. The data collected shall be necessary and adequate but not excessive for such purpose;
2. DPP 2 (Accuracy and duration of retention): The data user must take all practicable steps to ensure that personal data is accurate, up to date and not kept longer than necessary;
3. DPP 3 (Use): Personal data can only be used for the purposes for which it was collected, unless express and voluntary consent has been obtained from the data subjects for any other purposes;
4. DPP 4 (Security): Reasonable security measures must be taken to protect personal data from unauthorised or accidental access, processing, erasure, loss or use;
5. DPP 5 (Openness): The data user must be open about its policies and practices in relation to personal data, the kind of personal data it holds, how it is used and the main purposes for which personal data is held; and
6. DPP 6 (Access and correction): Data subjects shall have the right to request access to and correction of their own personal data if it is inaccurate.
02. AI guidance
In August 2021, the PCPD published the Guidance on the Ethical Development and Use of Artificial Intelligence (AI Guidance) to provide recommendations primarily for organisations that develop and use AI systems involving the use of personal data.
The AI Guidance recommends that organisations embrace three core data stewardship values (Values), being:
1. respectful;
2. beneficial; and
3. fair.
It also encourages organisations to adopt the seven internationally recognised ethical principles (Ethical Principles) for AI:
1. accountability;
2. human oversight;
3. transparency and interpretability;
4. data privacy;
5. fairness;
6. beneficial AI; and
7. reliability, robustness and security.
To ensure the Values and the Ethical Principles are practicable, organisations should take into consideration the recommended practices in the following areas, as set out in the AI Guidance, when they develop and use AI and formulate appropriate policies, practices and procedures:
1. establishing AI strategy and governance;
2. conducting risk assessment and human oversight;
3. executing development of AI models and management of AI systems; and
4. fostering communication and engagement with stakeholders.
03. Model framework
On 11 June 2024, the PCPD published the Artificial Intelligence: Model Personal Data Protection Framework (Model Framework). The Model Framework provides recommendations on the best practices for organisations that procure, implement and use any type of AI systems or solutions involving the use of personal data, including predictive AI and generative AI.
Similar to the AI Guidance, the Model Framework outlines recommended measures to ensure the implementation of the Values and the Ethical Principles. Organisations should consider these recommended practices in the following areas when procuring, implementing and using AI solutions, as well as when formulating appropriate policies, practices and procedures:
1. establishing AI strategy and governance;
2. conducting risk assessment and human oversight;
3. executing customisation of AI models and implementation and management of AI systems; and
4. fostering communication and engagement with stakeholders.
04. An evolving landscape
While the AI Guidance and the Model Framework do not impose mandatory requirements and their recommendations are not exhaustive, their publication is a significant step towards supporting the responsible and ethical development of AI in Hong Kong. Given the rapid development and groundbreaking advancement of AI, it is likely that the relevant legal and regulatory landscape in Hong Kong will continue to evolve to address new issues and challenges.
For the time being, data users must ensure they comply with the PDPO and the six DPPs, and follow the best practice recommendations in the AI Guidance and the Model Framework, especially when it comes to the collection, use and retention of personal data during the development, operation and use of AI.
This material has been prepared for general informational purposes only and is not intended to be relied upon as professional advice. Please refer to your advisors for specific advice.
(Original source: 商法CBLJ)