Day 1 Thursday, October 12th
Keynote Presentation
Steve Wood
(Former UK Deputy Information Commissioner,
Director & Founder of PrivacyX Consulting)
"Generative AI and compliance with data protection and
privacy laws: current international trends and future challenges"
Marc Rotenberg
(Executive Director & Founder,
the Center for AI and Digital Policy)
"The Governance of AI: Recent Developments, Future
Directions"
Session 1: Accountability, Responsibility and Transparency of AI (the ART of AI)
Session Chair: Attorney, Park, KwangBae
Josh Lee Kong Thong
(Managing Director, Future of Privacy Forum)
"Navigating Governance Frameworks for Generative AI in the
Asia-Pacific: Preliminary Findings"
The increased use of AI, especially models like GPT-3, has raised concerns and problems, exemplified by incidents like Samsung data leaks and an AI chatbot promoting self-sacrifice. In response to the growing concerns and challenges associated with the increased use of AI, governments around the world have taken proactive measures to address the ethical, legal, and regulatory aspects of AI technology. Preliminary findings from these efforts highlight a growing consensus on ethical principles for AI in the Asia-Pacific (APAC) region and globally. These principles stress the significance of Privacy and Security in AI development and deployment. Notably, data protection authorities, both globally and in the APAC region, have become de-facto regulators for generative AI, actively addressing policy risks and promoting responsible AI practices.
Hitomi Iwase
(Attorney, Nishimura & Asahi, Japan)
"Transparency from the perspective of Japanese Privacy Law"
The Japanese Privacy Law (APPI) broadly defines personal information, encompassing both direct and indirect identification. Deceptive data collection is prohibited, with clear purpose specification. Unlike GDPR, there is no "legitimate interest" concept, and general consent is not mandatory, except for sensitive data. APPI enforces limited use of personal information, encourages data accuracy and timely deletion, and governs responsible data practices. Regarding personal data for AI model development, specifying the purpose of use, mainly for machine learning, is essential. When acquiring data from sources like common crawls, understanding the collection process and identifying sensitive personal information is crucial. A recent PPC reminder underscores not obtaining sensitive personal information without consent. For publicly available internet data collection for AI training, minimizing sensitive data is crucial. If discovered later, prompt deletion or de-identification is required. Compliance with requests to avoid gathering sensitive data is necessary, unless justified. Purpose notifications for personal data usage must be in Japanese and accessible to all users.
Raina Yeung
(Director of Privacy and Data Policy,
Engagement, APAC at Meta)
"META's approach to building AI responsibly"
Session 2: Cross-Border Data Transfer Framework
Session Chair: Attorney, Yoon, Jongsoo
Peng Cai
(Attorney, Zhong Lun, China)
"China Cross-Border Data Transfer Compliance Challenges
and Solutions"
China's Cross-Border Data Transfer (CBDT) legislation is rooted in fundamental laws like the Cyber Security Law, Data Security Law, and PI Protection Law. These legal frameworks are essential for governing data transfers, but there are existing challenges in conducting CBDT security assessments and effectively implementing Standard Contract Clauses (SCC). To address these challenges, the new draft regulations introduce exemptions based on criteria such as data volume, origin, necessity, and emergencies. They also provide clarity on "Key Data," which encompasses information that could pose risks to China's national security, economic operations, social stability, public health, or public security. To navigate this evolving landscape, companies should continuously monitor regulatory updates. They must conduct due diligence to identify data transfer scenarios, assess compliance requirements, and develop localized measures for scenarios that lack justification for cross-border data transfer. This includes comprehensive impact assessments, data protection measures, and a robust emergency response framework. Staying informed and proactive in adhering to these evolving regulations is crucial for businesses operating in China's data transfer environment.
EunJung Han
(Attorney, Rouse, Vietnam)
"Personal Data Protection Decree 2023: Navigating Vietnam's
Cross-Border Data Transfer Landscape"
Vietnam, with its vast population and high internet penetration, is witnessing a surge in data collection and cross-border data flows. The country's strong commitment to AI leadership, reflected in its national strategies, is further influenced by international developments like APEC's data cooperation declaration and trade discussions with the US. The recent implementation of the Personal Data Protection (PDP) Decree in 2023 marks a significant shift in Vietnam's data privacy framework. It introduces Data Processing Impact Assessments (DPIA) and mandates consent and Cross-border Transfer Impact Assessments (CTIA) for cross-border data transfers. Personal data trading is strictly prohibited, and specific entities must adhere to data localization requirements. To ensure compliance, organizations need to appoint data protection officers, implement technical measures, and prepare necessary documentation. Preparations for enforcement, as outlined in the Draft Decree on Sanctions against Administrative Violations in Cybersecurity, are underway. With a growing emphasis on cybersecurity and data protection, Vietnam aims to address increasing information security risks, cyberattacks, and illicit data exchanges, especially within state agencies and major corporations. The government is actively strengthening regulations and enforcement mechanisms to safeguard data and privacy.
Byungnam Lee
(Senior Advisor, Kim&Chang)
"Past, Present, and Future of the Cross-Border Data Transfer
Compliance in South Korea"
South Korea's Personal Information Protection Act (PIPA) amendment addresses the rising demand for secure data use in the digital era, in line with global data industry growth. It aims to balance data support and personal data protection, introducing measures in line with international data regulations. Cross-border personal data transfer requirements involve obtaining additional consent from data subjects, enabling them to refuse transfers if the destination lacks sufficient data protection. Data outsourcing for contract performance can proceed without explicit consent, given legal notifications. Certification for cross-border transfers, granted by the PIPC, offers safeguards and data subject rights guarantees, following evaluation, consultation, deliberation, and official gazette publication. The amendment also establishes a system to halt cross-border data transfers when personal information controllers breach transfer provisions or risk potential harm to data subjects due to inadequate data protection. This process considers various factors and allows controllers to raise objections while maintaining the stop-transfer order's effectiveness. South Korea's commitment to aligning with global data regulations and safeguarding citizens' personal data in the increasingly interconnected digital world is evident.
Session 3: AI Bill of Rights: Safety and Trust for Empowering Data Privacy
Session Chair: Professor, Chae Sangmi
Ryumie Hwang
(Senior Manager, Digital Business Dept., Kearney Korea)
"Generative AI and Security Risks"
Generative AI offers multifaceted applications, enhancing performance in various industries. Notably, it's pivotal in automating content generation and transforming retail through personalized customer experiences and operational optimization. Nevertheless, it confronts challenges encompassing data privacy, customer perceptions, transparency, and ethics. Data privacy is particularly crucial due to the substantial data dependence of generative AI, necessitating robust security measures and compliance with regulations. Despite 53% of organizations acknowledging cybersecurity risks related to generative AI, only 38% are actively mitigating these risks. Recognizing potential threats and implementing proper procedures are imperative regardless of industry. To address security concerns, businesses should focus on cyber-risk policy development, keyword filtering, data access management, cybersecurity enhancement, and effective change management.
Muhammad Sufyan bin Basri
(Senior Director, Personal Data Protection of Malaysia)
"AI Adoption and Personal Data Protection Challenges in Malaysia"
In Malaysia, the government has initiated key policies and committees to drive AI adoption. These include the MyDIGITAL initiative, which aims to boost GDP through AI and emphasizes personal data protection. The National Blockchain and Artificial Intelligence Committee (NBAIC) focuses on legislation, ethics, research, and data sharing. The Malaysia National Artificial Intelligence Roadmap (AI-RMAP) prioritizes privacy and security in AI systems. AI adoption in Malaysia is on the rise, with an increasing number of organizations exploring and integrating AI, particularly Generative AI. However, Malaysian companies lag behind global and regional averages in AI adoption. In terms of AI-related laws, there are no specific regulations, but the Ministry of Science, Technology, and Innovation plans to develop a legal framework covering data privacy, transparency, and cybersecurity. Additionally, sectoral guidelines are expected to be issued, including those related to technology risk management in the capital markets. Overall, Malaysia faces challenges in adapting existing policies to regulate AI effectively.
Cecilia Siu
(Assistant Privacy Commissioner, PCPD Hong Kong)
"Empowering Data Privacy Protection in AI in Hong Kong: the
Key to Safety and Trust"
With AI's growing prevalence in the Asia Pacific region, concerns regarding data privacy and ethical considerations have come to the forefront. Organizations are increasingly adopting AI, particularly generative AI and chatbots. However, this surge in AI usage raises potential issues related to data privacy, security, and ethics. The Privacy Commissioner for Personal Data (PCPD) in Hong Kong is actively involved in advocating for data privacy protection. They play the roles of facilitators, educators, and enforcers in the AI landscape. Offering guidance on ethical AI development, the PCPD emphasizes values like respect, benefit, and fairness, advocating for human oversight and transparency. They also promote a risk-based approach and stress the importance of ongoing monitoring of AI systems. In their role as enforcers, the PCPD conducts compliance checks and investigations to ensure responsible AI use. Collaboration among stakeholders is encouraged to maintain a central focus on privacy protection in AI development.
Session 4: Data Access between Government and Private Sectors: Bridging the Divide
Session Chair: Professor, Yoon Hyesun
Issa Gayas
(Attorney Ⅳ, National Privacy Commission, Philippines)
"Policies on Data Sharing and Access in the Philippines"
The Philippines' Data Privacy Act of 2012 establishes fundamental principles for governing personal data processing. These principles emphasize transparency, ensuring individuals are informed about data processing. It also underscores the importance of legitimate purposes, meaning data processing must adhere to legal, moral, and public policy standards, and proportionality, indicating that data processing should be relevant and necessary for its intended purpose. The Act provides clear criteria for lawful processing, such as obtaining consent and complying with legal obligations. Moreover, the Act highlights advisory opinions regarding government access to data, emphasizing strict adherence to due process and proportionality. Notably, the Act underscores the significance of data sharing agreements, which must have a lawful basis for data processing, include privacy safeguards, inform data subjects, and adhere to data privacy principles. These provisions aim to enhance data protection and align the country with international standards.
Mohammad Saad Al-Ahmadi
(Assistant Dean at KFUPM, Saudi Arabia)
"Generative AI Models: Opportunities and Threats for Privacy
and Data Protection in Saudi Arabia"
Generative AI offers a world of possibilities and challenges in Saudi Arabia. This technology has far-reaching applications and is set to play a significant role in various domains. It's essential to strike a balance between maximizing the benefits and mitigating the risks associated with generative AI. From policy analysis and development to enhancing privacy awareness campaigns, Generative AI has the potential to revolutionize the landscape. However, it's crucial to tread carefully. Generative AI can generate inaccurate content and may inadvertently expose personal data. There's also the risk of malicious use, such as creating harmful code, DeepFake videos, and identity theft. The road ahead involves responsible and ethical implementation, ensuring that generative AI remains a force for good in Saudi Arabia.
Anna Gamvros
(Head of Information Governance,
Privacy and Cybersecurity, APAC, Norton Rose Fulbright)
"Responsible data sharing practices between the public and
private sectors"
Responsible data sharing is vital due to the data explosion in public and private sectors. This practice encompasses various industries like finance, transportation, utilities, healthcare, and education. Data sharing occurs through contracts, open data, partnerships, and data shared for the public's interest. It brings benefits like improved public services, policy development, competition, and innovation. Challenges include data control, security, privacy, regulations, bias, and cross-border issues. To ensure responsible data sharing, oversight, impact assessments, technical measures, governance, verification, training, inclusivity, and transparency are crucial. Governments can promote data sharing by enhancing accessibility, portability, analytics, reducing costs, maintaining policy coherence, and encouraging cross-border collaboration. A clear framework with strict governance, regulatory compliance, transparency, and secure technology is fundamental for responsible data sharing.
Day 2 Friday, October 13th
Session 1: Regional Efforts for Free Data Flow
Hiroshi Miyashita
(Professor, Chuo Univ., Japan)
"Data Free Flow with Trust - Human Rights and Trade"
In an era where data is the driving force behind global economies, the concept of Data Free Flow with Trust (DFFT) is taking center stage. Its importance was underscored by the Prime Minister's speech at the World Economic Forum and further echoed in the G20 Osaka Leaders' Declaration. This paradigm shift is essential in a world where data drives everything, and the challenge is to achieve a balance between free data flow and privacy protection. Japan, hosting the G7 Summit in 2023, is actively working to navigate this complex terrain, acting as a pragmatic broker between US and EU perspectives. This includes measures like the EU-Japan Mutual Adequacy Decision and trade agreements that focus on data privacy and source code access. However, this quest for DFFT raises questions about algorithmic transparency, pitting trade agreements against data protection laws. Striking the right balance between data flow and privacy will be a defining challenge in our digital age.
Session 2: Data Breach Notification across Borders
Janssen Esguerra
(IT officer I, National Privacy Commission, Philippines)
"Striking the Balance: Navigating Governance, Risk and
Compliance (GRC) and Data Privacy in the Government and
the Private Sector"
The importance of data breach reporting is emphasized as a safeguard against identity theft, a compliance requirement with privacy laws, and a good business practice. Mandatory data breach reporting hinges on three key elements: involvement of sensitive personal information with potential for identity fraud, unauthorized data access, and a real risk of substantial harm to affected individuals. Challenges arise in cross-border data breach notification due to diverse global data protection laws, making compliance complex. Identifying affected individuals can be intricate, especially in breaches involving identity theft from centralized repositories. The Uber data breach affecting Philippine users underscores the importance of international cooperation in investigations. Balancing Governance, Risk, and Compliance (GRC) with data privacy remains a critical challenge for government and the private sector, affecting operations significantly.
Session 3: Future Planning
Shin, Jong-chul
(Professor, Law School, Yonsei Univ.)
"Past, Present, and Future of the Personal Information
Protection Act in Korea"
Korea's Personal Information Protection Act underwent major changes, splitting into two laws pre-2020: one for offline and one for online protection. In 2020, three key data-related laws were amended, refining their scope. Updates in 2023 include a focus on pseudonymization, data combination, and data portability similar to EU GDPR. The act also introduces administrative surcharges and enhanced overseas information protection, encompassing visual data processing devices, including mobile ones. Future challenges involve the emphasis on criminal penalties and the "opt-in" approach based on user consent. Potential solutions may shift towards economic benefit absorption and empowering users for better data control, recognizing that criminal punishment and user consent aren't universal solutions.
Contact Us
Barun ICT Research Center
50 Yonsei-ro, Seodaemun-gu, Seoul 03722, Korea
Tel : +82-2-2123-6694
Email : barunict@