Asia: different approaches to the risk-reward balance 

    AI regulation in Asia is diverse and dynamic, reflecting the varying interests, policy goals, and cultural values of different jurisdictions. While some jurisdictions, such as Singapore and Hong Kong, have adopted a soft touch, voluntary approach to AI regulation, relying on general and sector-specific guidance frameworks, others, such as China, have adopted a more prescriptive and technology-specific approach, introducing mandatory regulations and measures to address the risks associated with different aspects of AI. Other jurisdictions, such as Vietnam, Taiwan, South Korea, and Japan, have also begun to propose and enact laws and guidelines to regulate AI, demonstrating a growing recognition of the potential and importance of AI for economic and social development, and the need to regulate the risks of AI. At the regional level, ASEAN has also issued a guide on AI governance and ethics, which aims to encourage the alignment and interoperability of AI regulatory frameworks across Southeast Asia, and to support the development and adoption of trustworthy and human-centric AI in the region.

    This article provides a comparative overview of the current and emerging AI regulatory frameworks in Asia, focusing on the following jurisdictions: Singapore, Hong Kong, China, Vietnam, Taiwan, South Korea, Japan, and ASEAN.

    Singapore: A Soft Touch and Voluntary Approach

    Singapore has been a pioneer in promoting and adopting AI in the region, launching its National AI Strategy in 2019, which was further updated in 2023. The Strategy aims to position Singapore as a global hub for AI innovation and deployment, and to leverage AI to enhance social and economic outcomes. To support this vision, Singapore has adopted a voluntary approach to AI regulation, providing guidance to interested parties on the ethical and responsible use of AI, without any legally binding effects.

    The key frameworks and guidelines include:

    • The Model AI Governance Framework, first launched in 2019 and updated in 2020, which follows two fundamental principles: that use of AI in the decision-making process should be explainable, transparent and fair, and that AI systems should be human-centric. The framework provides recommendations and best practices on four key areas: internal governance structures and measures, determining the level of human involvement in AI-augmented decision-making, operations management, and stakeholder interaction and communication.
    • AI Verify, launched in 2022, which is an open source AI governance testing framework and software toolkit that validates the performance of AI systems against a set of 11 internationally recognised AI ethics and governance principles through standardised tests, consistent with AI governance frameworks such as those from the EU, OECD and Singapore.
    • The Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems, published in 2024, which clarify how Singapore's data protection laws apply when organisations use personal data to develop and train AI systems, and which set out baseline guidance and best practices for organisations to adopt.
    • The draft Model AI Governance Framework for Generative AI, unveiled in 2024, which specifically targets generative AI systems that have the ability to create content such as texts, images, audio, or video. The framework highlights AI-related risks and outlines potential mitigation approaches, such as adopting digital watermarking and cryptographic provenance, conducting data screening and quality management, and establishing incident reporting and feedback mechanisms.

    Sector-specific regulators have also developed frameworks that apply to particular industries. For example, the Monetary Authority of Singapore has launched a project with industry partners to develop a risk framework for the use of generative AI in financial sectors. This will supplement the guidance on Principles of Fairness, Ethics, Accountability and Transparency (FEAT) in the use of Artificial Intelligence and Data Analytics in Singapore's Financial Sector released in 2018.

    The intention behind Singapore's approach thus far is to encourage the use of AI in accordance with its national strategies, while at the same time allowing flexibility and innovation for organisations to adopt AI solutions that suit their needs and contexts. However, compliance with current guidance is entirely voluntary, which means that developers and users of AI may at times struggle with a lack of certainty around the enforceability of the various frameworks and guidelines. At the same time, however, they will need to be aware of existing laws which potentially impact specific aspects of AI use.

    Hong Kong: Ethical Guidelines and Sectoral Regulations

    Hong Kong, like Singapore, does not have any overarching AI-specific legislation. It has taken a similarly voluntary approach to regulation in this area. A number of guidance notes have been published by government bodies to steward and facilitate the ethical use of AI technology, especially where it impacts personal data protection and public sector projects.

    The key guidance notes include:

    • The Artificial Intelligence: Model Personal Data Protection Framework, published by the Office of the Privacy Commissioner for Personal Data in 2024. The aim of the Framework is to provide organisations with practical recommendations and best practices in the procurement, implementation and use of AI, such as conducting privacy impact assessments and implementing data minimisation and retention policies, with the ultimate goal of ensuring data quality and accuracy, and providing transparency and accountability mechanisms.
    • The Guidance on the Ethical Development of AI in Hong Kong, published by the same office in 2021. This Guidance focuses more on broad ethical principles for organisations to consider when developing and deploying AI involving personal data (as defined by the Personal Data (Privacy) Ordinance), such as fairness, human dignity, human oversight, and social responsibility.
    • The Ethical Artificial Intelligence Framework, published by the Office of the Government Chief Information Officer in 2024, which was originally developed for internal adoption within the Hong Kong government to assist with planning, designing and implementing AI and big data analytics in IT projects or services, but is now also available for all organisations to use. The Framework lays down ethical principles for the design and development of AI applications, such as ensuring that output is not discriminatory or biased and that organisations are able to explain AI decision-making processes in a clear and comprehensible manner.
    • The Consultation Paper on Modernising the Copyright Ordinance. This was issued by the Intellectual Property Department in 2024 and seeks to update the Hong Kong copyright regime in a way which will keep pace with the rapid development and prevalence of AI with a view to ensuring that Hong Kong's copyright regime remains robust and competitive. The Consultation Paper proposes, among other things, to clarify the ownership and liability issues of AI-generated works, to introduce new exceptions and limitations for text and data mining, and to enhance the enforcement and remedies for copyright infringement.

    The aim underpinning each of these guidance notes is the provision of a common reference point and a balanced approach for organisations to adopt AI in a manner that respects privacy, ethics, and human rights, while simultaneously encouraging innovation and competitiveness. However, as the guidance notes are not legally binding, their effectiveness and impact are heavily dependent on the extent to which stakeholders understand, adopt and follow them, and will also hinge on the willingness of the various regulators and stakeholders to coordinate their approaches. Moreover, given the breadth of the potential applications of AI, the somewhat narrower focus of the guidance thus far and the rapid pace of change in the industry generally, it may prove impossible for the guidance notes to address all the emerging and complex issues and risks arising from AI. Matters such as safety, security, accountability, and liability, in particular, may require more specific and comprehensive legal and regulatory responses.

    As in other jurisdictions, organisations may also need to reconcile AI regulation with pre-existing laws, such as the Personal Data (Privacy) Ordinance, the Copyright Ordinance, and the Trade Descriptions Ordinance.

    China: A Prescriptive and Technology-Specific Approach

    China is a frontrunner both in the regulation of AI and in its development and deployment. Although there is also currently no general or overarching AI law in China, regulators (the Cybersecurity Administration of China in particular) have in recent years introduced mandatory technology-specific regulations and measures to address the risks associated with different aspects of AI, in particular algorithmic recommendations, deep synthesis, and generative AI (see our previous article here). These measures have legal effect and apply to both domestic and foreign providers and users of AI services in China.

    The key regulations and measures include:

    • The Provisions on the Administration of Algorithmic Recommendations for Internet Information Services, effective since March 2022, which specifically apply to services that push content or make recommendations to users via algorithms, such as Douyin (China's TikTok equivalent). These provisions make it compulsory for companies to allow users to opt out of being targeted by online content based on their individual characteristics (for example, demographic or location information). Algorithmic recommendation service providers are also prohibited from pushing content to minors that may be harmful to health or violate social morality, such as promoting alcohol or tobacco, and from setting up algorithmic models that encourage addiction or excessive consumption.
    • The Provisions on the Administration of Deep Synthesis of Internet Information Services, effective since January 2023, regulate deep synthesis technology such as machine learning algorithms that have the ability to create generated content such as deepfakes. These Provisions extend to the providers and users of such technology as well as the platforms distributing applications. The key obligations for providers relate to security assessments, user verification, and reporting instances of any use of the technology to create harmful or undesirable content. The provisions also require the providers of deep synthesis technology to label AI-generated or edited content (such as images and videos) as such in an obvious manner.
    • The Interim Measures for the Management of Generative AI Services, effective since August 2023, apply to generative AI technology and services in China that have the ability to generate content such as texts, images, audio, or video. They have an extraterritorial effect in that they apply to the provision of generative AI services that originate outside of China. The Measures place strong emphasis on the transparency, quality and legitimacy of both data which is used to train AI systems and the content which is generated. Generative AI service providers are required to respect third party intellectual property rights and only use training data and foundational models that are lawfully sourced. Service providers are also obliged to address illegal content and illegal use of their services, by methods such as removing any infringing or illegal content, suspending the provision of services to users who violate the rules, and reporting such illegal content or use to the relevant authorities. Service providers are under a further duty to employ effective measures to increase the quality, accuracy and reliability of training data and AI generated content, and to provide an easy-to-use complaints and reporting procedure for the public. Additional measures to protect minors and the confidentiality of users' input data are also imposed.
    • The Basic Security Requirements for Generative AI Service, issued by the National Information Security Standardization Technical Committee in February 2024, set out comprehensive requirements for service providers to follow when conducting security assessments. Based on the source of the training data used, service providers must comply with the security requirements as set out below:
      • Open-source training data: An open source licence agreement/any relevant authorisation documents for the data source should be obtained.
      • Self-collected training data: Collection records should be maintained and service providers should not collect data which has been explicitly prohibited from collection by others.
      • User-input data: When user input is gathered, service providers must ensure users are provided with convenient opt-out options which are straightforward and clearly communicated. Records of user authorisation should be kept.
      • Commercial training data: Legally binding contracts should be in place with a party that can provide commitments and proof of data sources, quality and security. The training data should also be audited by the service provider before being used.

    The current AI governance regime in China appears to target specific issues arising from AI technology whilst still promoting the broader development of the technology as a whole. The burden of regulatory compliance is placed largely on AI service providers as the upholders of the security and quality of their AI services. Unlike the EU's overarching legislation and risk-based approach, the measures currently in force in China target specific AI technologies with the ultimate penalty of prosecution for non-compliance in accordance with public security and criminal laws.

    Looking ahead, more comprehensive legislation to regulate AI is expected to be introduced in mainland China, as indicated by the State Council's 2024 Legislative Work Plan, which includes a draft AI law to be submitted for deliberation before the end of the year. As a result, AI service providers active in mainland China need to take steps to comply with current regulations where applicable and stay informed of further AI regulatory developments.

    Vietnam: An Emerging Framework for AI Regulation

    Vietnam, with its ambitions to become a regional hub for AI, is one of the few jurisdictions in Asia that has recently proposed a draft law for the specific regulation of AI. On 2 July 2024, the Ministry of Information and Communication released a draft digital technology industry law to regulate digital technology products and services, including AI, for public consultation. The draft law is expected to be submitted to the National Assembly for approval in 2025.

    The draft legislation proposes to regulate AI in the following manner:

    • Ethical principles for the development, deployment, and application of AI will be issued by the Ministry;
    • Digital technology products and content created by AI must be clearly identified as artificially created or manipulated; and
    • AI systems will be classified according to risk levels based on their impact on health, the rights and lawful interests of organisations and individuals, human safety or property, the safety of national critical information systems, and critical infrastructure. These classifications allow AI systems to be regulated in accordance with their differing levels of risk.

    The public consultation, which concluded in September 2024, took place against the backdrop of the Ministry's acknowledgement at a press conference in May 2024 of the significant export revenue generated by Vietnamese digital technology enterprises, and the need to swiftly put legislation in place to encourage domestic digital technology firms to do business abroad.

    As a result, the draft law reflects Vietnam's recognition of the need to balance the potential importance of AI for economic and social development against the need to address the ethical and legal challenges it poses. However, the draft legislation is still at an early stage and may be subject to further revisions and clarifications before it becomes law. Moreover, the potential implications of AI in areas such as data protection, intellectual property, consumer protection, and liability rules may require the AI-specific legislation to be harmonised with the existing regulatory regime in Vietnam.

    Taiwan: A Draft AI Basic Law and Sectoral Regulations

    Taiwan does not have a single comprehensive law regulating AI, although, as in other jurisdictions, some aspects of AI may fall within the reach of existing legislation such as the Personal Data Protection Act, the Copyright Act, and the Consumer Protection Act. However, a draft AI basic law has been proposed by the National Science and Technology Council of Taiwan (NSTC).

    The draft basic law sets out fundamental principles concerning research into and use of AI. These principles include sustainable development and well-being, human autonomy, protecting the privacy of personal data, establishing security measures to ensure the safety of AI systems, maintaining transparency and explainability, avoiding the risk of bias and discrimination and enhancing accountability. It is proposed that these would only apply to the release of AI applications in an effort to support innovation in the research and development stages. The basic law also proposes that the Ministry of Digital Affairs promotes a risk classification framework in line with international standards. This will potentially be influenced by the EU AI Act and the draft US Algorithmic Accountability Act of 2022.

    The public consultation period for the draft basic law ended in September 2024. The draft law is expected to be sent to the Cabinet for review shortly before being sent to the Legislative Yuan for deliberation. In the meantime, some sector regulators have issued guidelines or regulations for the use of AI in their respective domains. For example, the Financial Supervisory Commission has issued Guidelines for AI Applications in the Finance Industry, which provide principles and standards for financial institutions to follow when adopting AI technology, such as conducting risk assessments, ensuring data quality and security, providing transparency, and establishing governance and audit mechanisms.

    Although the draft may change as it goes through the legislative process, it reflects Taiwan's aspirations to establish a legal foundation for the development and governance of AI which aligns with international standards and best practice.

    South Korea: A Proposed Act on Promotion and Trustworthy AI

    South Korea is another jurisdiction in Asia that has recently proposed a draft law to regulate AI, demonstrating a commitment similar to that in other jurisdictions to foster the AI industry whilst protecting the users of AI services. In February 2023, the Science, ICT, Broadcasting and Communications Committee of the South Korean National Assembly approved the proposed Act on Promotion of the AI Industry and Framework for Establishing Trustworthy AI (AI Bill). The AI Bill is currently under review by the National Assembly of Korea, and as such may be subject to further revisions and the National Assembly's final approval before it becomes law.

    The AI Bill consolidates seven AI-related bills introduced since 2022, with two principal goals: promoting the AI industry, and user protection. User protection will be achieved by increasing security through the imposition of stringent notice and certification requirements for high-risk AI applications that could have a significant impact on safety, health or fundamental rights. Examples of high-risk AI systems include those used in healthcare, transportation (including autonomous vehicles) and automated decision-making that have a significant impact on individual rights or obligations. A more permissive approach will be taken for lower-risk systems.

    The AI Bill also lays down a statutory basis for issuing ethical guidance for AI, reflecting the principles of human dignity and value, human autonomy and control, transparency and explainability, fairness and non-discrimination, reliability and safety, and social responsibility and public interest. The ethical guidance will be formulated by a newly established AI Ethics Committee, which will also be responsible for reviewing and evaluating the ethical compliance of AI systems and services.

    The AI Bill further addresses some specific issues and challenges posed by AI, such as the protection of personal data and intellectual property rights, the establishment of an AI Mediation Committee as a means of dispute resolution, and the promotion of AI education and research.

    Overall, the approach of the draft legislation reflects South Korea's recognition of the potential benefits and importance of AI for its economic and social development. The AI Bill adopts a risk-based approach to regulating AI, similar to the EU AI Act, but aims to take a more business-friendly approach by not requiring registration or conformity assessments, or pre-approval from any government authority.

    Japan: Draft AI Guidelines and Sectoral Regulations

    Japan does not have a comprehensive law regulating AI. Existing laws which potentially affect certain aspects of AI include the Act on the Protection of Personal Information, the Copyright Act, and the Unfair Competition Prevention Act. However, Japan has been active in developing and promoting ethical and governance principles for AI, both at the domestic and international levels.

    At the domestic level, Japan issued the AI Guidelines for Business in April 2024, which are based on the 10 principles of human-centric AI adopted by the Cabinet Office in 2019. The Guidelines are non-binding and contain recommendations based on 10 guiding principles, such as ensuring safety and security, respecting human dignity and rights, providing transparency and accountability, and promoting innovation and development. The Guidelines also provide specific guidance for advanced AI systems, such as generative AI, systems that are capable of operating without human intervention, adaptive AI and interactive AI.

    At the international level, Japan has been leading the Hiroshima AI Process, launched under its presidency of the G7 in May 2023, to introduce a harmonised global governance framework for AI. The Hiroshima AI Process consists of three main components: the Hiroshima International Guiding Principles for all AI Actors, which set out 10 common principles for the ethical and responsible use of AI; the Hiroshima Process International Code of Conduct for Organisations Developing Advanced AI Systems, which provides more detailed and operational guidance for specific types of AI systems, such as generative AI and autonomous AI; and the Hiroshima Process International Cooperation Mechanism, which aims to facilitate the implementation and monitoring of the principles and the code of conduct, as well as to promote dialogue and cooperation among stakeholders.

    Japan has also launched a new AI Safety Institute, which will, among other things, implement standards for the development of generative AI. It has already issued sector-specific guidelines and regulations for the use of AI in certain domains, such as finance, healthcare, and education.

    Japan's AI Guidelines for Business and the Hiroshima AI Process reflect its aspiration to establish a common and human-centric framework for the development and governance of AI, as well as to align with international standards and best practices. However, the AI Guidelines for Business and the Hiroshima AI Process are not legally binding and as such their effectiveness is limited by the willingness of the various interested regulators and stakeholders to comply with them. It is also possible that, as AI technology develops and its reach widens, the current voluntary framework may not be adequate to cover all the potential implications of AI, and further legal and regulatory action will be required.

    ASEAN: A Regional Guide on AI Governance and Ethics

    ASEAN, which comprises the 10 member states of Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam, issued a regional Guide on AI Governance and Ethics in February 2024. The guide is intended to encourage the alignment and interoperability of AI frameworks across Southeast Asia, and to support the development and adoption of trustworthy and human-centric AI in the region.

    The ASEAN Guide is framed around seven guiding principles that closely track the OECD AI Principles first adopted in 2019. The guiding principles are that AI should be:

    • human-centric;
    • inclusive and diversity-respecting;
    • fair and transparent;
    • safe and secure;
    • accountable;
    • innovative and agile; and
    • collaborative and cooperative.

    The ASEAN Guide also provides more detailed recommendations and best practices for organisations to adopt in four key areas:

    • internal governance structures and measures;
    • determining the level of human involvement in AI-augmented decision-making;
    • operations management; and
    • stakeholder interaction and communication.

    The ASEAN Guide includes a risk assessment template to help organisations to assess the probability, nature and severity of harm arising from the use of AI systems and how many people could be affected. The assessment should also scope the feasibility and practicability of human involvement in the decision-making. The ASEAN Guide advises that each company's governance structure needs to strike the right balance between flexibility and rigidity to reflect its own individual culture, and recommends designing in escalation mechanisms for AI systems and use cases that are of higher risk.

    The ASEAN Guide is a voluntary and light touch approach to regulating AI. It encourages organisations to adopt AI in a manner that respects ethics, human rights, and social values, without stifling innovation and competitiveness. However, as the ASEAN Guide is not legally binding, its effectiveness and impact cannot be guaranteed and will be influenced by the willingness of industry and regulators to adhere to its guidance. It is also worth highlighting that it does not cover generative AI and as such it may not address all the emerging and complex issues and risks arising in this sector.

    Conclusion

    AI is transforming various sectors and industries across the world, raising new opportunities and challenges for businesses, consumers, and regulators. Currently in Asia, different jurisdictions have adopted diverse approaches to regulating AI, reflecting their varying levels of development, policy goals, and cultural values. With AI legislation still at a relatively early stage, it remains to be seen whether a region-wide approach can be achieved, or whether countries will continue to adopt different models of AI regulation.
