Nowadays, Artificial Intelligence (AI) technology is playing an important role in society, both in personal use, such as using AI to search for and summarize data, and in business contexts, where AI is utilized to create chatbots or virtual assistants that provide customer support around the clock. This includes tracking and analyzing consumer behavior to increase sales and expand their businesses and services.
However, AI machine learning is needed to maximize the quality of use. Using input data provided by the developer, such as disguising images to spot the correct one. Therefore, AI is involved with data from upstream to downstream, and personal data is also used in training AI.
There are 3 types of AI Machine Learning as follows,
1. Supervised Learning
The learning method where the developer inputs many sets of labelled data to make the AI learn and provide the outcome. The developer sets the correct outcome. For example, inputting a picture of a man and labeling it as 'man,' then letting the AI learn and eventually distinguish between men and women. Or predicting stock market trends based on various economic data, historical statistics, and other relevant factors. This type of learning may involve personal data inputs, such as using people's photos to distinguish gender, nationality, etc.
2. Unsupervised Learning
The learning method where the developer does not input labelled data like in the first one, but emphasizes enabling AI to group data and find relationships between data points. For example, customer grouping based on purchasing behaviors or website browsing patterns. This type of learning may involve personal data, such as analyzing website usage behavior or shopping data.
3. Reinforcement Learning
The learning method where the AI learn through trial and error, realizing which actions lead to good or bad outcomes. Therefore, the AI is capable of solving complicated problems and enhancing itself beyond human capability. For example, AlphaGo was able to play Go and defeat world champion Lee Sedol. This learning method may not involve personal data as much as the first two learning methods.
Currently, large businesses in Thailand have begun implementing AI in their product manufacturing or service delivery. For example, Siam Commercial Bank (SCB) has started using AI to help manage users' finances and investments. The AI collects data about users' interests and investment behaviors, then processes this information together with current investment trends to help decide which assets should be bought or sold for profit. Additionally, AI helps increase the efficiency of investment risk management and provides interest rates that align with users' debt repayment capabilities.
Including True Corporation, which has implemented AI in the form of virtual agents or virtual customer service, providing services through both chat channels (Chatbot) and telephone (Voicebot) for customer service and problem-solving. However, it can be seen that both AI must be provided with customers’ personal data, whether financial data or service data, for processing and delivering the outcome.
Although data protection laws were enforced before AI became as widespread as it is today, there are still periodic conflicts between AI usage and personal data violations. For example, ChatGPT was suspended in Italy due to the following personal data protection legal issues:
Additionally, there's the case of Deepseek, which was banned in many countries, along with several other cases in multiple countries where AI has caused concerns about user privacy. Therefore, establishing a framework for AI data usage that complies with personal data protection laws is important.
The more accurate you want AI processing to be, the more data (Big Data) you need to use for training. However, personal data protection laws aim to protect the privacy rights of data owners, causing these two issues to conflict with each other. Organizations that benefit from AI should not only consider how AI can benefit their business, but also consider the aspects of the PDPA.
The PDPA emphasizes the principle of Purpose Limitation according to the Personal Data Protection Act B.E. 2562 (2019), Section 21, which establishes that personal data controllers must collect, use, or disclose personal data only according to the purposes that were notified to the data owner before or during data collection. It also emphasizes the principle of Data Minimization according to the Personal Data Protection Act B.E. 2562 (2019), Section 22, which establishes that personal data should be collected only to the extent necessary for the intended purposes.
Implementing AI provides numerous benefits, but at the same time, to maximize AI efficiency, more data for training is progressively required, including personal data as mentioned above. Therefore, defining the scope of data usage is important, and PDPA can help establish boundaries for AI data usage when considering the following legal principles:
According to Section 23, personal data controllers are required to provide a privacy notice, which may be in the form of a pop-up window, to inform personal data owners about what personal data the AI will collect, use, and disclose, and for what purposes. Including various details as required by law, such as the rights of data owners, contact channels for the personal data controller, etc.
If AI needs to use personal data from users to collect information for further AI training, it may need to consider obtaining consent. According to ICO (Information Commissioner's Office) principles, consent must be voluntary, meaning users can choose whether to give consent or not. Refusing to give consent should not cause damage or impact the data owner or completely prevent them from using the AI. The consent request must include the following information:
Providing appropriate security measures that comply with the minimum standards set by the Personal Data Protection Committee. This serves both to secure the vast amount of data collected by AI and to fulfill duties as a personal data controller under personal data protection law.
Appoint a DPO to help oversee and control the use of personal data by AI to ensure it stays within the framework of its purposes and complies with other details provided in the Privacy Notice and consent forms. The DPO helps manage personal data breach incidents and assists in developing policies or practices regarding AI usage in compliance with the PDPA.
Providing a Data Protection Impact Assessment (DPIA) in cases where the processing of personal data poses a high risk to the rights and freedoms of individuals. This can be determined by examining cases that fall within the criteria established by the European Commission. Although PDPA does not directly specify the duty to conduct a DPIA as the 4 principles mentioned above, it is necessary under PDPA to understand the impacts and appropriate measures for each risk level. In the case of high-risk personal data processing from AI training, this may be considered in the following cases:
This may also fall under other cases, depending on the nature of data usage in training, which may differ for each type of AI.
In the future, AI is likely to become more popular and widespread in business sectors. Therefore, the implementation of AI, starting from the training process, must be transparent in terms of personal data usage. This means data owners must be informed about how their data will be used and for what purposes, as well as their rights regarding the data used to train AI. The daily advancement of AI should not only focus on improving efficiency in responding to user commands but should also develop security measures and respect for users' rights and privacy. This ensures that technological development in globalization does not leave users' safety and rights behind.
If you have any questions about the process, Atentic Consulting Co., Ltd. has experts in personal data protection law who are happy to provide you with comprehensive advice on PDPA Compliance.
Source:
1. (SCB ขับเคลื่อนองค์กรด้วย AI-Driven สู่ความยั่งยืนองค์กรและความยั่งยืนระดับโลก | SCBX)
2. (จับตา “มะลิ” หุ่นยนต์ที่มี Gen AI อยู่เบื้องหลังที่กำลังเข้ามาปฏิวัติงานบริการลูกค้า - True Blog)
3. (ChatGPT banned in Italy over privacy concerns)
