Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 41
de-identify or minimise the use of personal
data wherever possible, and to develop
adequate policies regarding the use of personal
data in the development of their AI systems.
At the same time, the AI Guidelines
recognise that the use of anonymised data
may compromise model accuracy or the
reproducibility of research results. Accordingly,
organisations are permitted to “carefully
weigh” the advantages and disadvantages
of using anonymised versus personal data.
If personal data is used, that decision must
involve stakeholder consultation and senior
management consideration. The organisation
must also clearly document its reasons for
using personal data.
In allowing this margin of discretion, the AI
Guidelines illustrate the PDPC’s overarching
support for a pro-responsible business,
pro-innovation approach in its regulation of
personal data and governance of trustworthy
AI. That position is consistent with – and
indeed, builds upon – the introduction of the
Business Improvement Exception and other
amendments in 2020 through the Personal
Data Protection (Amendment) Bill.
Consent and notification obligations in AI deployment
The AI Guidelines reinforce the importance of
the PDPA’s consent and notification obligations
in the deployment of AI systems that form
recommendations or decisions based on
personal data.
The AI Guidelines state that organisations
must enable individuals to provide meaningful
consent for the collection, use, or disclosure
of their personal data in such AI systems. In
practical terms, this means that an organisation
must notify them of the function of the product
or service that requires the collection of their
personal data; the types of personal data
collected; and the specific features of personal
data that are likely to influence the
product feature.