人工智能中的数据隐私保护：在创新、风险与伦理挑战间寻求平衡

Safeguarding Data Privacy in AI:Balancing Innovation against Risk, and Ethical Challenges October 2025 Overview of the Regulatory Landscape Indonesia, Malaysia, the Philippines, and Vietnam are also strengtheningtheir data protection laws to ensure international alignment and to addressmodern challenges. These efforts reflect a growing commitment to balanceinnovation with robust data protection and foster international collaboration.Furthermore, taken as a whole, most regimes include features that grant rightsto individuals regarding their personal data and require data controllers andprocessors to safeguard and manage their data appropriately. A key development in data privacy regulation is the introduction ofthe General Data Protection Regulation (GDPR) in the European Union(EU).7 The GDPR applies to any organisation handling EU residents' data, regardlessof location, and enforces strict rules on data collection, use, and protection.Keyfeatures include robust data subject rights,stringent accountabilityrequirements, and significant penalties for non-compliance, making it a leadingglobal standard for data protection. The GDPR also introduces other rigorousrequirements, such as keeping detailed records of data protection measures,promptly reporting data breaches to regulators, and designating a DataProtection Officer in certain cases. These obligations require organisations toestablish, review, and demonstrate robust compliance processes, which addsto the overall complexity and cost of regulatory compliance. China (Mainland) However,approaches to integrating AI specific considerations into dataprivacy regulatory frameworks vary significantly. Some jurisdictions with a highemphasis on fostering AI development, such as Hong Kong, Singapore, andSouth Korea have been proactive in releasing AI specific guidance in relationto their data privacy regulatory regimes. In contrast, other AP jurisdictionshave focused on establishing and strengthening their general data privacyregulations and legislation. Although these frameworks do not specificallyaddress the use of AI, firms deploying such technologies are still required tocomply with the overarching regulatory requirements. Hong Kong SAR The GDPR has been a pioneering regulation in the context of data privacy,with many AP regulators either introducing new data privacy regulations orupdating existing frameworks following its introduction. Further, the GDPR is aprominent example of the “Brussels effect,” due to its significant extraterritorialimpact, exposing a large number of producers and consumers of data-drivenapplications to EU regulation. Large international companies, therefore oftenfind it more effective to adopt these rules across their global operations toenhance efficiency and interoperability. Whilst the GDPR does not specificallyrefer to AI, it puts in place several key requirements particularly relevant tofirms utilising this technology. Furthermore, as is often the case, the devil lies in the details. Even whenregulatory priorities are generally aligned, important differences may persistin specific consent requirements, breach notification timelines, and rulesgoverning data storage and transfers. In some regions such as China, SouthKorea and Indonesia strict data localisation laws may clash with the widespreadadoption of cloud hosting in others. AI models, which routinely ingest andprocess data from multiple sources, can quickly turn minor compliance gapsinto significant legal risks. For instance, organisations may inadvertently storeor reproduce personal data in locations where local regulations expresslyforbid it. This is a problem that can be exacerbated by the use of third-partyservice providers for data storage purposes where oversight of the datalocation cannot be tracked by the principal firm. Philippines The global landscape of data privacy and AI regulation is rapidly evolving,with significant steps taken across the AP region to enhance personal dataprotection. Australia, for example, has introduced the Privacy and OtherLegislation Amendment Bill 2024 to address rising data breaches and enhancechildren'sonline privacy.Mainland China's(“China”)Personal InformationProtectionLaw(PIPL)and Data Security Law(DSL)set comprehensivestandards for data protection and national security. Singapore and Hong Konghave released detailed guidelines for AI, emphasising transparency and ethicalconsiderations. Japan, South Korea, and Taiwan (China) (“Taiwan”) have updatedtheir data privacy laws to include enhanced security measures and flexibledata processing rules. India's Digital Personal Data Protection Act (DPDP) andDPDP Rules establish a robust framework for data protection and compliance. Singapore South Korea Given the rapid pace of AI development over the last year, firms should expectlocal regulators to continue adapting their regulatory expectations in line withcurrent global trends and technological advancements. Therefore, AP firmsusing A