On March 1, 2024, the Personal Data Protection Commission (PDPC) published Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems.

What is the scope of the guidelines?

In particular, the guidelines highlight their application to the design and/or deployment of artificial intelligence (AI) systems involving the use of personal data in scenarios governed by the Personal Data Protection Act (No. 26 of 2012) (PDPA). The guidelines:

• clarify how the PDPA applies when organizations use personal data to develop and train AI systems; and
• set out guidance and best practices for organizations on how to be transparent about whether and how their AI systems use personal data to make recommendations, predictions, or decisions.

The guidelines consider AI systems at three different stages:

• development, testing, and monitoring - which considers consent, research exceptions, implementation data protection, and anonymization;
• deployment - which considers notification and consent, and accountability of AI systems in business-to-consumer scenarios; and
• procurement - which considers notification and consent, and accountability of AI systems in business-to-business circumstances.

Exemptions

Notably, the guidelines provide for exemptions for both business improvement and research.

The business improvement exception applies when the organization has developed a product or has an existing product that is enhanced and is also relevant where an AI system is intended to improve operational efficiency by supporting decision-making or to offer more or new personalized products and/or services. This applies to sharing with related companies within a group of companies, as well as interdepartmental sharing.

The research exception applies when organizations conduct commercial research to advance science and engineering without a product development roadmap. Research may also cater to sharing between unrelated companies for jointly conducted commercial research to develop new AI systems.

Data protection considerations

The guidelines detail data protection considerations including data minimization, appropriate technical and/or legal controls, and the pseudonymization of personal data and security measures where this is not possible. In addition, the guidelines outline that organizations should, whether AI systems are built in-house, externally, or using a combination of both, take a privacy-by-design approach and assess risks to privacy.

Regarding anonymized data specifically, the guidelines specify that organizations should anonymize their datasets as far as possible instead of using personal data. While anonymized data is not subject to the PDPA, organizations are recommended to bear in mind the risks of re-identification and disclosure and refer to the PDPC's Guide to Basic Anonymization.

On consent and notification, the guidelines remind that requirements relating to consent are outlined in the PDPA and the Advisory Guidelines on Key Concepts on the PDPA. However, the guidelines clarify the general concept of consent, which is that it should be meaningful, and provide practical examples of requesting consent and of notification.

You can read the press release here and the guidelines here.