With generative AI models being trained on ever larger datasets, personal information is often processed without individual consent or knowledge. Existing privacy laws and obligations should always be followed. We look at key Rouse jurisdictions.
China
As with many other jurisdictions, AI-related regulations in China emphasise the need to protect personal information in line with existing laws. Read about the latest updates to China’s data regulatory framework.
AI providers must ensure personal information and IP rights are not infringed upon when training AI models, or in the resulting AI-generated content. China’s regulation on AI algorithms contains special provisions on respecting user rights and protecting vulnerable groups (e.g. workers, minors, the elderly).
The European Union
AI systems used in the EU must adhere to GDPR (General Data Protection Regulation) principles, including provisions for purpose limitation, transparency and accountability. High-risk AI systems – as defined by the EU AI Act – require providers to conduct risk assessments and implement appropriate measures for personal data processing.
Member state authorities compliance. Providers must maintain documentation to prove adherence to data protection and risk management protocols. They are also obligated to clearly communicate information to users about AI systems and potential risks.
Where AI systems compromise user rights, the AI Act provides avenues for action. Users can file complaints with authorities and seek remedies for any harm. They also have the right to request human intervention in significant AI decisions that impact their rights or interests.
The GCC Region
In the United Arab Emirates, the use of AI to target customers is governed by strict data privacy regulations.
According to Federal Law No. 45 of 2021 on the Protection of Personal Data (PDPL), personal data processing for direct marketing requires explicit, clear and unambiguous consent from the data owner. The PDPL mandates that consent must be verifiable and provided in a straightforward manner, including a simple withdrawal process. Data subjects have the right to halt or opt out of data processing at any time.
Federal Decree-Law No. 34 of 2021 – aimed at combating cybercrime – stipulates potential criminal penalties for misuse of personal data.
———-
Privacy & Security is one of the seven principles that govern AI development and use in Saudi Arabia’s AI Ethics Principles (Version 2.0 published September 2023).
Southeast Asia
The Personal Data Protection Act in Thailand regulates the collection, disclosure and use of personal data. This applies in all contexts including data use in AI.
The draft AI laws, the Draft Royal Decree on Business Operations that Use Artificial Intelligence Systems and the Draft Act on the Promotion and Support of AI Innovations, also address data issues and rules governing data management.
———-
Similarly, Vietnam currently does not have specific legislation governing data in AI. But the country’s legal framework has several provisions that address the use and protection of personal data in various contexts, including AI applications.
Legislation includes Decree No. 13/2023/ND-CP on Personal Data Protection, which contains general provisions, as well as sector-specific laws covering consumer rights protection, e-commerce and more. In February 2024, Vietnam announced the development of a Personal Data Protection Law to strengthen its approach. A draft has not yet been published. This is an area to watch.
———-
Activity in Indonesia must be compliant with the Data Protection Law. Beyond that, AI falls in the category of an ‘Electronic Agent’ – as defined by Indonesia’s Electronic Information and Transaction Law.
Thus, operators of electronic systems that utilise AI to manage user information are responsible for any legal issues that may arise, including users’ digital privacy.
What are the best practices to follow?
Rouse recommends following a common-sense approach based on existing relevant legislation. We also recommend keeping an eye on the evolution of relevant laws.
There is no one-size-fits-all approach for every market, but in general the following criteria should always be considered:
Overarching principles
Personal information collection and processing should adhere to key principles and best practices, including data minimisation, transparency, accuracy, etc.
Legal basis for processing
Where possible, individual consent should be obtained before processing personal information. A process to withdraw consent should also be established.
Impact Assessment
Depending on the nature of the AI application, an impact assessment is advisable to detect potential risks and demonstrate compliance.
Individual rights
Ensure compliance protocols are in place to respect user rights, including the right to access, correction and deletion, consent withdrawal, etc.