A warm hello to all my fellow privacy professionals — and for those of us that celebrate it, I hope your Lunar New Year was a good one.
The Association of Southeast Asian Nations made two significant strides in the realm of privacy recently.
The first saw the completion of a much-awaited implementation guide with the EU, the second of a two-part document in which pragmatic simplicity and user-friendliness belie the "extensive cooperation between the European Commission and ASEAN administrations and authorities, and broad consultation of companies," as noted by First Counsellor at the EU Delegation to Singapore Benoit Sauveroche. These efforts culminated in a first-of-its-kind joint guide on the interoperability of the two regions' otherwise distinct data transfer frameworks.
In a second notable development, the ASEAN published the Guide on AI Governance and Ethics, the contents of which include a nifty artificial intelligence risk-assessment framework for businesses to use, which borrows from an earlier one Singapore published. While the guide focuses on what is referred to as "traditional AI" and excludes generative AI specifically from its ambit, this is a sign of more to come by way of ASEAN-led initiatives addressing AI.
Apart from the parallel timing at which these two announcements were made, it is interesting to note an important deviation between them.
The joint guide on standard transfer clauses demonstrates a degree of alignment which underscores the importance of cross border trade and data flows among EU and ASEAN member states. These are two economic blocs that have enjoyed strong strategic cooperation particularly in foreign direct investments with the ASEAN being the EU's third largest trading partner after China and the U.S., and the EU, the second largest investor in ASEAN. However, regarding the overall maturity of digital infrastructure and relevant regulatory frameworks in each of these associations, the EU is generally considered more advanced. This is borne out by the standard and model clauses adopted by the EU and ASEAN, respectively, for transborder data flows, from their applicability to outbound versus intra-regional transfers to the imposition of undertakings versus recommended contractual provisions.
In contrast, as the EU gears up for its groundbreaking, omnibus AI Act, the ASEAN has presently opted for a more self-determinative approach to guiding businesses looking to develop and deploy AI centered in governance. This is a sensible starting point for the ASEAN, given the myriad of diversities and disparities among member states that would almost certainly make any form of "hard" regulation at this stage premature — and only hamper innovation and potential industry growth in the burgeoning field of AI.