Artificial Intelligence and Data Privacy: NPC Issues Guidance on the Application of the Data Privacy Act to AI Systems

The National Privacy Commission (NPC) has issued Advisory No. 2024-04, clarifying how the Data Privacy Act of 2012 applies to artificial intelligence (AI) systems. The NPC emphasizes that any processing of personal data during the development, training, deployment, or operation of AI systems remains subject to the requirements of the DPA. 

The Advisory makes clear that the obligations imposed by the DPA apply throughout the lifecycle of AI systems. The guidance places significant accountability on Personal Information Controllers (PICs), requiring transparency regarding the nature, purpose, extent, and risks associated with the use of AI. PICs remain fully accountable for all processing activities and outcomes, even if they are subcontracted or outsourced. In addition, PICs must incorporate meaningful human oversight and intervention mechanisms to safeguard against the effects of automated decision-making that can pose a significant risk to the rights and freedoms of data subjects.

To ensure compliance, the Advisory requires adherence to the core principles of fairness, accuracy, and data minimization. PICs must implement mechanisms to 1) identify and monitor biases and ensure that processing is neither manipulative nor unduly oppressive, 2) ensure that personal data remains accurate and up to date, and 3) exclude the collection and use of personal data that is unlikely to improve AI systems. The NPC also reiterates that, prior to processing activities, PICs must determine the most appropriate  lawful basis under Sections 12 or 13 of the DPA. This requirement applies even where data is publicly available or obtained through web scraping activities.

The Advisory likewise underscores the continuing applicability of data subject rights throughout the entire AI lifecycle. PICs are expected to implement appropriate mechanisms, including Privacy-Enhancing Technologies (PETs), to facilitate the exercise of rights such as the right to object, the right to rectification, and the right to erasure or blocking. The NPC clarifies that the inclusion of personal data in large datasets does not render compliance with these rights unreasonable. Where full compliance is technically infeasible, PICs must provide a valid justification and adopt effective alternative measures to protect data subjects.

Finally, the Advisory provides that any doubt in the interpretation of its provisions shall be liberally construed in favor of the rights and interests of data subjects.