A warm and humid hello to all my fellow privacy pros.
As one might have forecast, the deluge of developments in Southeast Asian privacy and artificial intelligence governance continues. A drizzle of headlines trickles down below.
Vietnam
As of 1 June, an updated Cybersecurity Administrative Sanctions Decree has condensed regulatory penalties for breaches involving personal data. Infringing businesses face thunderous fines of up to 5% of total revenue in the preceding financial year or profits earned within Vietnam, for contraventions of privacy requirements including unauthorized processing and cross-border data transfer violations.
The decree also clears the air of dark patterns invoked to obtain consent, by unveiling that the muddying of information online through the dissipation of falsehoods will lead to torrential sanctions.
A cloud of gray has, however, formed between this decree and the preexisting Personal Data Protection Decree. For instance, it is hazy as to what fines can be imposed for similar infringements and whether the response window for deletion requests by data subjects should be 48 or 72 hours (taking into account bank holidays).
Thailand
Thailand has been windswept by a gust of regulatory activity, too. Among other things, a public consultation was recently concluded on a draft cybersecurity standard applicable to cloud services. In that consultation paper, it was proposed that personal data on the cloud would by default be accorded a "medium level" of impact, from which a higher level of security standards and obligations would be imposed.
Singapore
There has been a monsoon of developments including an amendment to Singapore's Cybersecurity Act, which now covers overseas-located critical information infrastructure, CII owners that use computing vendors including cloud providers, digital infrastructure of a "foundational nature" to Singapore, entities of "special cybersecurity interest" (which are especially attractive to malicious threat actors), and systems of "temporary cybersecurity concern" (who play a critical role for a time-limited period such as providing services in a high-profile international event or a pandemic).
Singapore also published 30 May, its Model AI Governance Framework for Generative AI, precipitating the necessary safeguards to achieve the following principles in generative AI: accountability, data, trusted development and deployment, incident reporting, testing and assurance, security, content provenance, safety and alignment research and development, and AI for public good.
There was also a rainstorm of enforcement recently, culminating in a downpour of decisions and regulatory penalties totaling USD76,000 in May alone.
Finally, an amendment to Singapore's business registry which will evaporate nonlegitimate public disclosures of company directors' residential addresses was hailed as privacy-centric, receiving showers of blessings.
While such lightning flashes of updates appear to be inclement, they do offer a silver lining, in that Southeast Asian privacy is witnessing a sunrise and outpouring of support, interest and engagement like never before.
And let's not forget, the best place to make rainbow connections with our growing APAC privacy community is at the forthcoming IAPP Asia Privacy Forum 2024, 17-18 July. See you all there.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.