As ChatGPT Hits Asia’s Shores, Is There Impetus for Asia’s Policymakers to Legislate AI?

By Desarack Teso, JD/MBA, CIPP-A, CIPP-E | Senior Advisor, Asia-Pacific

Having lived in Europe from February 2020 up until earlier this month, I certainly witnessed a whole host of new digital-related legislations being adopted under the EU’s digital strategy. These legislations are getting more and more sophisticated as uptakes of old, emerging, and even novel technologies accelerated during the pandemic. They include the EU Data Governance Act, the Digital Services Act, the Digital Markets Act, the Digital Operational Resilience Act (aka DORA), and Directive 2022/2555, on Network and Information Security (aka NIS2 Directive), to name a few. On deck are the AI Act Proposal and the AI Liability Directive Proposal.

I relocated back to Asia earlier this month after a 3-year stint in Europe, just in time to witness the reactions of the region’s policymakers and regulators as ChatGPT became available. The question in mind then becomes whether Asia will follow suit with the EU AI Act Proposal.

Just last week, one major Asian jurisdiction publicly released a consolidated AI bill and called on its lawmakers to urgently deliberate and approve the country’s first-ever AI legislative framework (and the first in Asia for that matter). Key policy goals included realizing the potential value of AI to enhance the country’s national competitiveness, which is not unlike the EU’s digital strategy and managing the potential risks of AI.

Could the EU AI Act Proposal serve as a benchmark for the policymakers in this diverse region to legislate AI? After the adoption of the EU’s GDPR in 2018, I was able to witness first-hand several countries in Asia ramping up their data protection laws, including China, India, Indonesia, Japan, Malaysia, Singapore, South Korea, Thailand and Vietnam (I may have missed a few!). Kudos to Japan and South Korea for receiving an adequacy decision from the EU which demonstrates that its data protection regime is on par with EU GDPR.

Based on my experience, most policymakers in Asia do appreciate that their respective jurisdiction entails distinctive legal systems, diverse characters, and historical backgrounds. As such, they contend that it is impossible to model their legislation after another jurisdiction’s, even on such a novel and complex policy issue as AI.

I agree with this assessment but contend that the EU AI Act Proposal has some strengths for Asian policymakers to consider studying further. One such strength is the proposal’s risk-based approach. That is, setting the regulatory burdens proportionate to the AI system’s risks.

In short, the EU AI Act Proposal sets out a 4-tier risk approach: (1) AI systems with “unacceptable risk,” which are flat-out prohibited; (2) AI systems with “high-risk,” which must be subject to a pre-market conformity assessment and other regulatory requirements; (3) AI systems with “transparency risks,” which are subject to transparency obligations; and  (4) AI systems with “minimal or no risk,” which are permitted with no restrictions.

“High-risk” AI systems are subject to the most regulatory burdens including, for example, record-keeping and reporting requirements, notification and transparency requirements, cybersecurity measures and human oversight.

Another key strength worth noting is that the AI system provider, not a government regulator, is responsible for the assessment of the risks associated with the provider’s AI system being put into the market. This “self-regulatory” system, which is based on a set of clear principles and criteria (to be issued later), has the potential to be the most effective regulatory response that balances the speed of innovations (e.g., ChatGPT) versus managing the risks of AI, many of which will only become known after the innovation is introduced in the market.

Is it still too early to tell what influence the EU AI Act will have on potential AI legislation in Asia (and around the world)? The lesson learned from the GDPR experience is that it is not a question of “what” but “when” this new wave of AI legislation will come. Similar to the GDPR experience, policymakers in Asia at the very least are likely to aim for a certain degree of consistency with the EU AI Act, hopefully, around the latter’s risk-based approach and self-regulatory system. For organizations, it is never too early to start considering how they plan to address this new wave of digital-related legislation in the near future.

Posted in

Related Articles

What’s the path to stronger digital trust in Vietnam?

By Nga Dao The alarming situation I receive spam emails, texts, and calls almost every day and about almost everything: from warning a security threat or inviting to a promotional event to offering sales or investment opportunities. Spam is annoying, but I’m still lucky they haven’t stolen my money. Last month, a friend of mine […]

The Problem with Malaysia’s PADU Initiative

By Edika Amin The Problem with Malaysia’s PADU Initiative   At the time of writing, PADU also known as the Government’s Central Database System’s registrations has reached 1.63 million people, including those of children under 18 who have completed the registration process. There was a recent influx in registration numbers following the announcement that targeted subsidies […]

Why does ASEAN need an Institute for Innovation, Technology and Industry (AITII)?

By How Yong Yang ASEAN, or the Association of the Southeast Asian Nations, has made countless headlines in recent years for different reasons: political, economic, and security. Professor Kishore Mahbubani, former President of the United Nations Security Council, has said that ASEAN should be given the Nobel Peace Prize for its capacity to maintain peace, […]