7th APB Forum, 2019 Spring

Continually leading in the development of personal information protection law
systems in Asia, China is effectively responding to privacy violations like Datatang and HOME LINK through its China Cyber Security Law. There are eight areas in which China is targeting potential criminal and civil liability: 1) infringement of personal information; 2) denial of cyber security management obligations; 3) illegal hacking of computer information systems; 4) provision of incompatible network products/services; 5) failure to accept requests of credible personal identity information; 6) participation in activities that threaten cyber security; 7) infringement of personal information-related rights; 8) failure to fulfill cyber security protection obligations. Corporations in China’s financial, healthcare, and TMT (technology, media, and telecommunications) sectors are increasingly concerned about the amount of sensitive data they have and the aggressive handling and utilization of big data and AI technologies. Consequently, it is necessary to use personal information that is collected outside the company more effectively and safely.

According to Singapore’s “Model Artificial Intelligence Governance Framework”, the process of AI-generated data must be ensured to be explainable, transparent, and fair throughout the entire private sector. Moreover, in order to understand the relation between AI innovation and data protection laws, further reference to the European Commission’s “Ethics Guidelines for Trustworthy AI” (presented on April 8th, 2019) and Singapore’s Infocomm Media Development Authority (IMDA)’s “Model Artificial Intelligence Governance Framework” (presented on January 23rd, 2019; currently undergoing a period of consulting and examination of the feedback received) is needed. With the Singaporean government-led Centre for AI & Data Governance, also benchmarked by Barun ICT Research Center of Yonsei University, both centers hope to lead the integration of civic science and collaborative, interdisciplinary research in the era of the Fourth Industrial Revolution.

Through the Privacy Management Program (PMP), the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) emphasizes the fulfillment of fundamental corporate law compliance and ethical obligations in order to efficiently manage personal information, minimize privacy-related risks, and effectively handle data breaches. Moreover, the program provides three key elements for effective personal information protection: organizational support including top management, an education program and system, complementation through regulatory evaluation, and more. In their report titled, “Ethical Accountability Framework for Hong Kong, China,” the core value of data ethics are centered on “data management.” Hence, data must be respected (transparent, under individual control), must provide benefits (benefit to the subject, minimize risks), and be fair (without bias and discrimination). The Hong Kong PCPD also publishes and distributes a data ethics information leaflet for small and medium-sized enterprises that are experiencing difficulties in data management.

Big data analysis using AI requires a completely different approach. In other words, rather than performing the analysis initially as it is programmed, we must execute an intelligent learning process using learning data, and then analyze it through the learned model. When big data is analyzed through AI, it uses its own algorithms; the processing of information is relatively opaque and has a tendency to collect and use different types of data, which then leads to the possibility that the collected data in the learning and analysis process may change. Taking these qualities into account, there are seven considerations for effective data protection when analyzing big data through AI. First, the boundaries between personal and non-personal information are ambiguous. Second, the question regarding whether personal information consent procedures are truly practical or not. Third, that limitations on the objective can be an obstacle to big data analysis. Fourth, it is paradoxical in that it minimizes data. Fifth, the fact that problems with data accuracy exist. Sixth, there is a power-related issue regarding the right to data sovereignty that arises from big data diversity, quantity, and complexity. Last, the differentiation between the data controller and data processor is ambiguous. In regards to these aforementioned issues, we should adopt the approach to create “trustworthy AI.” Thus, big data analysis using AI should be legitimate, ethical, and robust from both a technical and social standpoint.

One reason the AI and big data markets are shrinking in Korea is due to the
complexity of data privacy and big data regulations. This is because various personal information privacy-related laws, as well as business regulations, apply in many different ways. In Korea, many businesses struggle to enter the AI and big data market. The current amendment of the Personal Information Protection Act, the Information and Communication Network Act, and the Credit Information Act are all pending issues in the National Assembly. Moreover, the strong opposition by NGOs increases the practical difficulties for businesses as well. The goals on revising the Personal Information Protection Act are as follows. First, to expand the purpose of data collection to focus on scientific research. Second, to include the concept and usage of pseudonymized and anonymized data in the conceptual definition process of personal information. Finally, the data combination process should include (deidentification → request for data combination → specialist enterprise → evaluation of the combined DB → additional de-identification if necessary). Furthermore, standardizing pseudonymized data, combination data, and creating more flexibility in pre-agreement regulation are other ways to invigorate the big data industry.

Indonesia currently does not have legislation regarding personal information
protection nor an autonomous organization specializing in the matter. Currently, the rules governing the protection of personal information are scattered throughout several sectoral regulations or institutions such as the information and electronic transaction laws, telecommunications, and banks. However, as personal information leakage and privacy violation spread with the increasing usage of the internet and social media, a consensus on the necessity of a personal information protection law is emerging. It is expected that the new private information protection law will be passed in September this year and that this piece of legislation will follow international laws and standards, as well as take into consideration the ASEAN regulations and existing Indonesian legal system.

After the U.S. Privacy Act of 1974, countries such as the E.U., Japan, and Korea have consistently passed related legislation and remained active in the matter of personal information protection. In particular, with the emergence of the EU's GDPR in 2016, privacy issues are now recognized as a relevant issue in the business environment. It is also important to note that the recent Personal Information Protection Act does not simply strengthen protection of personal data, but includes regulations for invigorating the data economy through safe usage of personal information. Hence, efforts are being made to harmonize regulations and mitigations when using personal data. For example, Japan’s Act on Protection of Personal Information reflects the same level of privacy protection as the GDPR while simultaneously contains provisions for data utilization to strengthen the data economy. In other words, the law does not stop at mere privacy protection but provides several regulations to promote safe data usage. Korea also includes regulations related to data utilization, such as the principle of reciprocity and the designation of a national agent of a foreign
operator in the revised Information and Communication Network Act. The global trend is heading towards more rigorous protection of personal information. However, there has never been a time in which personal information has not been utilized as humankind advances. Therefore, more discussion is needed on how to safely use and effectively protect personal information.