Earlier this month, the National Information Security Standardisation Technical Committee (better known as TC260) released a short set of guidelines on AI ethics - as a non-mandatory national standard. The guidelines build upon TC260’s Artificial Intelligence Security Standardisation White Paper, published in 2019.

The TC260 guidelines apply to any application of AI, and to all forms of AI, and do not at this stage attempt to establish specific rules for particular sectors.

The TC260 guidelines start by laying down a familiar set of potential concerns with advanced uses of AI that align closely with concerns expressed in the Monetary Authority of Singapore’s Fairness, Ethics, Accountability and Transparency (FEAT) principles, the Hong Kong Privacy Commissioner’s (PCPD) Ethical Accountability Framework and the EU’s Ethics Guidelines for Trustworthy AI, among earlier ethical frameworks for AI development. One reference cited in the TC260 guidelines is the OECD’s Principles on Artificial Intelligence, adopted in June 2019.

Alongside more general principles-based guidance, none of which charts new ground, the TC260 guidelines also contain a number of specific, actionable recommendations. Such as:

  • To adopt agile governance techniques to achieve a continual reduction of ethical and security risk across the product life-cycle.
  • To set up failsafe mechanisms, including manual intervention mechanisms, and conduct post-incident reviews. Although the guidance is not as structured in relation to governance as, for example, the Model AI Governance Framework of the Singapore Personal Data Protection Commission (PDPC) or the PCPD’s Ethical Accountability Framework in Hong Kong, the broad theme of ensuring proper human oversight is similar.
  • To document key research and development decisions, such as the selection of datasets and algorithms, and establish traceability mechanisms related to ethical risks.
  • The need to explain the functions, limitations, security risks and possible impact of AI for users in an accurate, complete and unambiguous manner. The guidelines do not, however, attempt, to lay down anything that comes close to the detailed recommendations and illustrations contained in the ICO’s Explaining decisions made with AI, developed together with the Alan Turing Institute, or the model PDPC’s AI Governance Framework.
  • To not rely on AI as the sole basis for decision-making in the fields of public services, financial services, health, welfare and education.
  • To give users non-AI alternatives in other sectors as well, both where an AI option is not objectively suitable (physical disability being given as an example) or based on a user’s subjective preferences.
  • To give users easy to access channels for feedback and complaints.

The TC260 guidelines are not formally binding. However, it would not be overly surprising if these guidelines came to be viewed later as the first step on an evolution towards enforceable regulation – following the arch taken by TC260’s Personal Information Security Specification, first introduced in 2017, and which now forms the basis of the draft proposed Personal Information Protection Law released in October 2020.

The State Council’s New Generation Artificial Intelligence Development Plan from July 2017 in fact does propose eventual regulation. While the first steps towards the regulation of AI ethics across the world have preferred flexible, principle-based approaches built around the promotion of ethical development, proposals for enforceable regulation are expected to start emerging as early as this year - led by the European Commission. In its White Paper on Artificial Intelligence, published in February 2020, the European Commission proposed the imposition of legal requirements in high-risk sectors. The Commission is expected to announce its detailed proposals soon.  

With its aspirations for AI predominance (to become the leading AI power globally by 2030), will China be far behind in adopting harder regulation?