Artificial Intelligence and Data Privacy (Philippines)

Obligations of PICs

Based on the Advisory, among the obligations of PICs when using AI systems to process personal data is to observe:

a) Transparency

Consistent with the data subject’s rights to be informed, PICs must clearly explain to the data subject the purpose and risks associated with processing using the AI systems, the expected outputs and impacts of the AI systems, as well as the dispute mechanisms available, among others.

b) Accountability

Since PICs remain primarily accountable for compliance with the Data Privacy Act of 2012 and for personal data under their control and custody, they are required to institute effective governance mechanisms, as may be appropriate under the circumstances, that ensure responsible and ethical processing of personal data by AI systems, even when processing activities are subcontracted or outsourced to their personal information processors.

These governance mechanisms can include the conduct of privacy impact assessments, integration of privacy-by-design, privacy-by-default, or common industry security standards, creation of a dedicated AI ethics board, and continuous monitoring or retraining of the AI systems. Further, when the AI systems involve automated decision making (i.e., use of wholly or partially automated processing operation that serves as the sole basis for making decisions that would significantly affect a data subject) the PICs should implement as additional safeguards, mechanisms that (i) allow for human intervention by individuals with the necessary competence and authority, and (ii) allow the data subjects to question and contest the automated decisions which pose a significant risk to their rights and freedoms.

c) Fairness

To maintain fairness in processing, PICs are required to adopt measures that identify, monitor and limit biases of AI systems (e.g., based on systemic, human or statistical bias) so that the processing methods do not become manipulative or unduly oppressive to data subjects. PICs are also prohibited from using misleading practices such as AI washing, where they overstate to the data subjects the involvement of AI systems in their data processing activities.

d) Lawful basis for processing

Prior to processing personal data in the development or deployment of AI systems, PICs should also determine whether there is a lawful basis for processing (e.g., based on consent, legitimate interest, etc.). This requirement applies even if the personal data to be processed is publicly accessible or already made public, since these do not result in such personal data losing the protection extended by the Data Privacy Act of 2012.

e) Accuracy and data minimization

PICs should also ensure that personal data processed by AI systems are accurate and up to date and proportionate for the purposes intended by excluding the processing of personal data that is unlikely to enhance the development, deployment, testing, or training of the AI systems.

f) Rights of data subjects

Finally, PICs should ensure that data subjects will be able to exercise their data privacy rights before, during, and after the development or deployment of the AI systems. Privacy-Enhancing Technologies (e.g., encryption, anonymization, access controls, etc.) are mechanisms recommended by the Advisory to be adopted by PICs to ensure proper exercise of the data subject’s rights while maintaining responsible and ethical processing of personal data.

Conclusion

Although there may be a need for more robust laws that address the other evolving risks and challenges posed by AI innovation, in so far as AI intersects with data privacy, the Advisory signals the importance of balancing the protection of data privacy rights and the continued development of AI systems. It also serves as a reminder to PICs of the critical role they play in achieving responsible and ethical use of AI systems with respect to processing of personal data and ensuring that AI is used as a tool to enhance data protection.