Notes from the Asia-Pacific region: Generative AI strikes 'reverberating chord'

Hello (allegro, calore) to all my fellow privacy professionals.

I am composing this amid Personal Data Protection Week here in Singapore.

As in past years, an exciting ensemble of announcements came on day one. This year, the canon that has struck a reverberating chord is generative artificial intelligence.

We enumerate these in the following stanzas:

• Singapore is set to publish for industry consultation a set of guidelines for generative AI app development and deployment. The guidelines will effectively require safety labeling type transparency to end-users and testing to address risks such as misinformation and bias. These guidelines will be rolled out by early 2025 and will apply to all sectors, including health care and financial services.
• Singapore's privacy enhancing technologies regulatory sandbox will be expanded to include data use for generative AI. In tandem, a proposed guide on synthetic data was released, specifying synthetic data generation techniques and potential use cases particularly for AI.
• By 2025, the Association of Southeast Asian Nations will release a guide on data anonymization to facilitate secure and trusted data flows among the 10 member states across the region.

Bridging over to Malaysia, overtures in its Personal Data Protection (Amendment) Bill 2024 — read for the first time in Parliament last week — have played out into a crescendo of privacy developments.

Key chords include a mandatory data protection officer appointment and mandatory data breach reporting requirements. On breach notification, a subsequent verse of regulations is expected to specify the triggers of reporting, and any requisite timeline, contents and exceptions.

The penalty an offending data controller could face for a contravention has seen an increased tempo to MYR1 million or three years imprisonment, or both. A failure to report a breach could result in a diminuendo fine of up to MYR250,000 or a two-year imprisonment sentence, or both. We expect further guidance and clarity to be issued in due course as to the scope of such penalties including the thresholds of culpability that must be crossed for incarceration to be meted out.

Malaysia will accord individuals a right of data portability, which will again warrant an accompaniment to be provided clarifying the precise scope for which a relevant portability request can be made.

Last but not least, personal data transfers from Malaysia to another jurisdiction must ensure the same or higher octave of protection.

For everyone who is in Singapore for the IAPP Asia Privacy Forum 2024, we wish you a gaudioso and gioioso time.