A festive hello to all fellow privacy professionals.

This week, we are happy to celebrate the Hindu festival of Diwali or Deepavali, with variations across other Indian religions, symbolic of the spiritual victory of light over darkness, good over evil, and knowledge over ignorance.

It is against this backdrop that we unveil Singapore's finalized Guidelines on Securing Artificial Intelligence Systems, ignited from a wick of consultations with the last round only in July this year.

A core tenet that has burst out and emerged from the flame is that AI should be secure by design, and secure by default.

While not mandatory, the guidelines are a lamp in shining a bright light on the principles that AI system owners should consider adopting when developing or integrating AI into their enterprise systems.

There is also a Companion Guide on Securing AI Systems, a community-driven resource crystallized from working with AI and cybersecurity practitioners, focusing on practical security control measures that can be implemented across a colorful spectrum of use cases.

Some of us will also be dressing up for Halloween, which falls on 31 Oct. this week. The handling of kids' data privacy, however, is far from child's play.  

In the Philippines, a set of proposed guidelines on "child-oriented transparency" is brewing, and its skeletal points follow:

  • Any processing of children's data must have their best interests at its candy heart-center.
  • Children are recognized as rights holders but with billowing degrees of digital maturity, and hence the need for organizations to accord protection on a context-specific basis.
  • A data controller must perform a child impact assessment before launching any product or service on which children are likely to go trick-or-treating (access).
  • There must be age-assurance mechanisms to determine the age range of users, who must not be spooked by (must be made aware of) how their age is conjured up and for such verification to have a lawful basis.
  • A risk-based approach must be used to implement enhanced security measures by default, such as the disabling of geolocation services, setting profiles to ghost (private) mode, and keeping data sharing to a bare-bones minimum unless necessary for the specific purpose.
  • Children must have the ability and knowledge of how to control and adjust their privacy preferences, and no eerie or creepy deceptive design patterns used.
  • Finally, data breaches affecting children must not be buried from (must be notified to) not only the kids as data subjects, but also their mummies, daddies or guardians.

Wishing everyone light, love and a good dose of laughter throughout these festivities.

Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.