The Proposed Guidelines clarify how the Personal Data Protection Act (“PDPA”) applies to AI and the key data protection issues relating to generative AI throughout its lifecycle, including development, deployment, and post-deployment stages.
While not legally binding, the Proposed Guidelines underscore the PDPC’s increasing focus on the use of personal data in generative AI systems and provide an early insight into how existing data protection obligations may apply in this context.
Key features
AI Lifecycle
Summary of Key Points
Development
Where personal data is publicly available, organisations may rely on the Publicly Available Exception to collect, use, or disclose such data without consent. However, where data is placed behind a digital barrier, extra caution is required and best practice is for the collecting organisation to notify the organisation holding the data.
Where user data (i.e. data created in the course of or as a result of the individual's use of the organisation's products or services) is used to develop generative AI models, organisations must obtain consent from the individuals through clear AI-specific notifications and ensure appropriate data minimisation and safeguards. General notifications describing only the broad purpose of processing are insufficient.
Deployment
Generative AI involves model providers, system providers, and system deployers, each with distinct data protection obligations:
Model Providers: Must comply with all PDPA obligations, including data retention limits and safeguards to protect personal data, especially when acting as data intermediaries.
System Providers: Must implement security measures to address risks such as data leakage, and may act as organisations or data intermediaries depending on their role.
System Deployers: Bear primary responsibility for PDPA compliance, including appropriate data use, safeguards, governance, training, and regular reviews.
Post-Deployment
In the context of generative AI, the PDPC recognised that it may be challenging for organisations to comply with their Access and Correction Obligations under the PDPA (i.e. granting individuals the right to request access to and correction of their personal data) due to the massive amounts of data used, the nature of generative AI models and other technical limitations.
Notwithstanding these difficulties, organisations are expected to adopt best practices in processing access and correction requests, including adopting upstream data handling measures, handling requests on a case-by-case basis and acceding where reasonable, and tracking maturity and adopting technical measures to remove inaccurate personal data (e.g. machine unlearning).
What should businesses do?
While the Proposed Guidelines remain subject to public consultation, they signal the PDPC's likely approach to regulating the use of personal data in generative AI. Organisations are encouraged to align with the Proposed Guidelines by taking the following steps:
Reviewing the current use of personal data in AI systems and logging what categories of personal data are used in training existing AI systems;
Assessing whether consent and notification practices are sufficient;
Ensuring appropriate data governance and safeguards are in place; and
Monitoring developments as the Proposed Guidelines are finalised.
Should you wish to discuss how the Proposed Guidelines may impact your organisation, please do not hesitate to reach out to us.
The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.