A blistering hello to my fellow privacy pros.
The Formula 1 Grand Prix night race just concluded here in Singapore, yet the dual engines of privacy and artificial intelligence governance continue to rev up to roaring decibels across Southeast Asia.
In this week's digest, we dive deep into Vietnam's draft Personal Data Protection Law, published for public comment 24 Sept. The consultation will close 26 Nov.
The PDPL is slated to take effect 1 Jan. 2026. Once passed, it will augment existing privacy rules in the Personal Data Protection Decree. However, the PDPL's provisions cover a more extensive scope including:
- Lawful bases for processing apart from consent (Article 17).
- Data subject rights.
- Publicly available data.
- Minors.
- Biometrics.
- Marketing and advertising.
- Data monetization.
- Big data, AI, cloud.
- Labor and employment.
- Sectoral issues, such as in finance and health care.
- Geolocation data.
- Data protection impact assessments.
- Cross border transfers and requisite transfer impact assessments to be filed with a local authority.
Switching lanes to Vietnam's Data Law, a consultation was conducted on the draft and the checkered flag waved 1 Sept. Zooming in to the aerodynamics of the draft, its thrust is to "turn Vietnam into one of the (world's) leading data centers" by forming "data center clusters in the Northern and Southern regions." The draft flags South Korea and the EU as other countries with similar regulations on the exploitation and use of nonpersonal data by state agencies, businesses and individuals.
However, it's been noted there are still many drag factors, such as insufficient infrastructure, the lack of consensus on data categories, inconsistent standards on security, safety and technical regulations, as well as weak human resourcing, among others. To address these gaps, a national general database is intended to be set up to enable information to be accessible by and shared for common use by ministries and other local government bodies.
A National Data Center would also be set up under the draft to serve Vietnam's state management and socio-economic development, such as the prevention of crime.
A major feature of Vietnam's draft Data Law that warrants a pit stop is Article 22, which mandates data classified as core or important must not be transferred outside the borders of Vietnam, unless with the assessment and approval of "competent authorities."
Data owners must minimally pass a prescribed data security assessment to be conducted by the Ministry of Public Security — which must specify, among other things, the legality, scope, method of transfer and processing abroad, nature of the data and any risks posed to Vietnam's national security, and the public interest or legitimate interests of any individuals or organizations — and sign a contract with the foreign recipient which will be a standard form to be developed by the ministry in due course.
It has been submitted by at least one respondent to the consultation, that the definitions of "core data" and "important data" should be narrowed such that only the data most sensitive to Vietnam's national security be captured. It was argued that data localization or very stringent restrictions against cross-border data transfers would adversely impact Vietnam's domestic market, particularly its digital economy.
We will have to wait for the final results to see if the draft stays on track with these recommended steers.
Switching gears to another Southeast Asian development, the flood lights reveal a new law Singapore is looking to pass to combat deepfakes and other digitally manipulated content — including AI-generated misinformation — ahead of its general elections this year. The bill takes the podium for a second reading at Parliament's next available sitting.
Singapore has also ignited on the start grid a circular on the use of generative AI in court proceedings, slated to take effect 1 Oct. Court users continue to be in the driver's seat of responsibility for the use of generative AI tools in the preparation of court documents. They must announce any use and ensure accuracy of contents, and must steer the protection of confidential or sensitive information, and of intellectual property.
Moving further through the circuit, Malaysia launched Artificial Intelligence Governance and Ethics guidelines which have been clarified to be a formation lap for pacing and warm-up, rather than outright legislation. The guidelines are intended to supplement and strengthen existing laws such as Malaysia's Cyber Security Act 2024 and its recently amended PDPA.
As ever, the race that is Asian privacy continues to keep us all on the edge of our seats. Here's to a roaring start to the final lap of 2024.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.
