Peter A Clarke

Generative Artificial Intelligence (GenAI) poses two major challenges/threats to organisations privacy obligations; namely the proper use and storage of personal information. The first challenge is that by using personal information of others in conjunction the GenAI it is likely that that personal information will find its way into the mass of data collected and used by GenAI in training itself. It could easily be used to assist another party using GenAI. That is a data breach. The second problem with GenAI is that it is supercharging hackers in locating weaknesses in cyber security.

The PDPC noted that the Advisory Guidelines was organized across three stages of the Gen AI lifecycle.

First, the development stage.  The PDPC addressed the application of the publicly available exception to web-scraped datasets.  Organisations are required to provide AI-specific notifications, rather than general notifications, when seeking consent to use personal data for Gen AI model training and fine-tuning.

The deployment stage.  There are three categories of stakeholders:

• model providers;
• system providers; and
• system deployers.

The PDPF sets out their respective data protection responsibilities under the PDPA, including obligations relating to retention limitation, protection, purpose limitation, and accountability.

The post-deployment stage.  The PDPC addresses access and correction obligations under the PDPA as they apply to personal data used in Gen AI development.  It recommends best practices including upstream data verification, case-by-case review of access requests, and adoption of technical measures such as machine unlearning to remove inaccurate personal data from models and systems.