The significance of artificial intelligence (AI) is rapidly increasing worldwide, and Southeast Asia is no exception, as it plays a leading role in the technological development of many industries. AI has already proven its importance for driving business growth in areas such as e-commerce, finance, and healthcare, but its remarkable potential also raises concerns around privacy. As AI systems are designed to collect and process large amounts of data to improve their operation, it is necessary to balance the development of technology with the protection of individuals’ privacy. Current Frameworks in Southeast Asia This concern has been on regional policymakers’ agendas for many years. The ASEAN Framework on Personal Data Protection, which was adopted in 2016, is not legally binding and has no enforcement mechanism, but it serves as a guide for ASEAN member states in developing their own data protection laws and regulations. Domestic data privacy laws are currently in force in five ASEAN member countries—Indonesia, Malaysia, the Philippines, Thailand, and Singapore—while Vietnam’s Personal Data Protection Decree is scheduled to take effect on July 1, 2023. This presents a challenge for ASEAN members, as adopting AI-related technology can further complicate data protection efforts due to the amount of personal data AI systems collect, as well as the complexity of the data used to train the AI algorithm. Some ASEAN members have also made progress in regulating AI. For instance, Singapore released the Model AI Governance Framework in 2019 and launched the AI Governance Testing Framework and Toolkit in 2022—the world’s first such framework. Similarly, Thailand issued the Artificial Intelligence Ethics Guideline in 2019 to help government agencies in the development, promotion, and use of AI, and in 2023 adopted the Thailand Artificial Intelligence Guidelines to help the private sector develop AI-related work. These guidelines primarily focus on principles

As in many countries around the world, IP laws in Southeast Asia do not currently specify whether works generated by artificial intelligence (AI) are protected by copyright, and there is also uncertainty surrounding the issue of ownership with respect to works created by AI. While changes to the IP legal framework are expected to respond to the rapid development of AI technologies, existing copyright laws of most countries in Southeast Asia explicitly impose the requirement of a human author for copyright protection to arise. AI-Generated Works and the Law This is similar to the position in the United States, where the US Copyright Office issued a policy statement in March 2023 reiterating the US Copyright Act’s requirement of human authorship to register copyright works. The policy document states that when an AI technology determines the expressive elements of the output, the generated materials do not fulfil the human authorship requirement. However, the US Copyright Office also clarified that certain works containing AI-generated materials may nonetheless contain sufficient human authorship for a copyright claim, such as when a human selects or arranges the AI-generated materials in a sufficiently creative way for the resulting work as a whole to constitute an original work of authorship, or when an artist modifies material originally generated by AI technology to a degree that meets the standard for copyright protection. This is distinguishable from the position in countries such as the UK and Hong Kong, where absent specific provisions addressing AI-generated works, such works may arguably be considered by some as computer-generated works, with authorship assigned to the person who arranges for creation of the work. New Challenges from Generative AI The ongoing legal uncertainties surrounding the ownership and protection of AI-generated works create practical challenges for businesses that use or develop generative AI tools.

After a protracted period of deliberation, the Vietnamese government ultimately passed the country’s “historic,” first-ever Personal Data Protection Decree (“PDPD”) on April 17, 2023, as Decree No. 13/2023/ND-CP. The PDPD is a landmark legal instrument that integrates all of Vietnam’s disparate data protection legislation, with the potential to bring them closer to the EU’s General Data Protection Regulation (“GDPR”) requirements. (The PDPD, however, will not replace these existing regulations but will concurrently exist with them.) Scheduled to take effect on July 1, 2023, with basically no grace period (save in limited cases), the PDPD will apply to both domestic and foreign individuals/entities that directly engage in or relate to personal data processing activities in Vietnam. As the PDPD continues to be a magnet for public attention, we take a closer look at its key provisions and some initial implications for businesses below. 1. Definition and Classification of Personal Data The PDPD defines personal data as information on an electronic medium in the form of symbols, letters, numbers, photos, sounds, or the like that is associated with or helps to identify a specific individual. Information that helps to identify a specific individual is further clarified as information generated from an individual’s activities that, when combined with other data and stored information, can identify a particular person. Personal data is split into two different categories—basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, personal photos, phone number, identification number, marriage status, history of one’s cyberspace activities, and so on. Sensitive personal data, on the other hand, is more private and, if violated, will jeopardize a person’s legitimate rights and interests. Accordingly, sensitive personal data comprises, among other things, political and religious views, health status and private life information as recorded in medical records,

On April 17, 2023, the Vietnamese government issued Decree No. 13/2023/ND on the Protection of Personal Data (“PDPD”), following extensive public consultations and multiple rounds of review since the first release of its draft version in February 2021. This is a long-awaited legal instrument which is designed to be the very first comprehensive regulation on the protection of personal data in Vietnam. The PDPD is set to take effect on July 1, 2023, without any transitional period. All Vietnamese and foreign organizations and individuals located in Vietnam and/or directly participating in or related to personal data processing activities in Vietnam must comply with the PDPD. As expected, the PDPD sets out significantly new requirements on the processing of personal data. The most critical provisions include: Eight principles for the processing of personal data: (i) lawfulness, (ii) transparency, (iii) purpose limitation, (iv) data minimization, (v) accuracy, (vi) integrity, confidentiality, and security, (iv) storage limitation, and (viii) accountability (Article 3). Critical new definitions and concepts, notably including personal data (Article 2.1); basic personal data (Article 2.3); sensitive data (Article 2.4); data subject (Article 2.6); data controller (Article 2.9); data processor (Article 2.10); parties controlling and processing personal data (Article 2.11); third parties (Article 2.12); and cross-border transfer of personal data (Article 2.14). Eleven data subject rights, including the right to know; right to consent; right to access; right to withdraw consent; right to delete data; right to restrict data processing; right to request the provision of data; right to object to data processing; right to complain, denounce and initiate lawsuits; right to claim compensation for damage; and right to self-defense (Article 9). Specific responsibilities of data controllers (Article 38), data processors (Article 39) and third parties (Article 41). Specific requirements in the exercise of data subject rights (Articles 14-16). Rules on