Warm, festive greetings to all digital governance professionals around the world.
It's beginning to look a lot like Christmas, even here in the tropics.
This week, we deck the halls with two developments that have surfaced in mostly sunny — with the occasional storm — Singapore, and then with Vietnam, which, coincidentally, is where I am as I type this.
Singapore's Personal Data Protection Commission announced 14 Dec. it will consult with industry and the public to update last Christmas' advisory guidelines for national identification numbers to reflect its policy intent on the appropriate use and, conversely, misuse of such identifiers.
The guidelines will provide Rudolph the Red-Nosed Reindeer-guidance to organizations on the legitimate means and purposes of processing — as well as address data privacy and security concerns arising from the disclosure — of national identification numbers, which encompass Singapore national registration identity card numbers, passport numbers (whether issued in Singapore or elsewhere), and other government-issued identifiers.
Until then, in lieu of rockin' around the Christmas tree, organizations should ensure adherence to the current regulatory guidelines on national identification numbers and avoid using such numbers as default passwords or as a means for authentication.
Still in Singapore, which let it snow with regulatory guidance on artificial intelligence, Santa Claus is back in town with the Monetary Authority of Singapore's seminal information paper for the financial industry "AI Model Risk Management — Observations from a Thematic Review" published earlier this month.
The paper provides silver bells on the systems and processes needed to assess and frame AI risk management and governance, as well as supervisory oversight and the mitigation of risks associated with AI development and use. The little drummer boy of data and privacy also played a role, as the paper addressed the use of data throughout the AI model development life cycle.
Finally, we heard the carol of the bells for Vietnam's Data Law, which was adopted by the National Assembly, imposing new obligations on the transfer and/or processing by agencies, organizations or individuals of "important" and "core" data. Important data refers to that which could impact Vietnam's national defense, security, foreign affairs, macroeconomics, social stability, health and/or public safety. Core data refers to important data that directly affects national defense, security, foreign affairs, macroeconomics, social stability, health and/or public safety. As these distinctions may be somewhat amorphous, like Frosty the Snowman, further details are anticipated as to what each type of data covers exactly.
On a holly jolly note, the scope of transferring or processing data was clarified to include transfers of data retained in Vietnam, to a storage system away in a manger, located outside of Vietnam; transfers of data by Vietnamese agencies, organizations or individuals, to foreign organizations or individuals; and Vietnamese agencies, organizations or individuals using platforms located outside Vietnam to process data.
For cross-border data transfers more broadly that do not fall within such categorizations, the Data Law does not impose the same "please come home for Christmas" restrictions as above. The exception is where the activities impact the country's national defense, security, national and public interests, legitimate rights and/or interests of data subjects and data owners, in accordance with Vietnamese law and international treaties of which Vietnam is a member.
Once again, while these requirements will jingle all the way into 2025, it is expected further regulation will be issued to guide organizations in their sleigh ride of operationalizing compliance.
Merry Christmas, everyone.
Charmian Aw, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Squire Patton Boggs.