The rapid development of artificial intelligence (AI) promises plenty of benefits and opportunities but also comes with risks when processing personal information. These risks include: Large-scale data processing: the extensive learning data used in AI development likely involves a variety of personal and sensitive information; Complexity and lack of transparency: the methods used in processing personal information to develop and operate AI services are complex, which makes it difficult for data subjects to know how their personal information is processed; Automation and uncertainty: the difficulty in predicting the results of data processing in automated services can lead to unexpected consequences such as privacy infringement, social discrimination and bias. A recent controversy in South Korea about AI and personal information protection involved “Lee Luda,” an AI chatbot service released on December 23, 2020. Lee Luda was quickly shut down due to complaints about its inappropriate use of personal information. For example, the providers of Lee Luda were accused of directly copying user conversations from another website they serviced without consent. Although the service providers claimed they had consent to collect and use personal information, their stated purpose for collecting and using the data – “service development” – was considered to be too abstract. To address the many issues, South Korean regulators are strengthening the safety and integrity of AI-related personal information processing. For example, the Ministry of Science and ICT released its “People-centered National Artificial Intelligence Ethical Guidelines,” while the Personal Information Protection Commission released the “Guidelines for Protecting Personal Information Processed by Automated Methods” along with the “Artificial Intelligence Personal Information Protection Self-Checklist.” This article provides an overview of...

Vietnam has taken large steps to improve its cybersecurity and data protection. The task is not over, and the steps are controversial. Cybersecurity and data protection are governed by the Cybersecurity Law, the Law on Network Information Security (LNIS) and the Law on Information Technology (LIT), with the former two more relevant to cybersecurity and protection of data. Unclear and Confusing Environment Since the Cybersecurity Law came into effect in 2019, there has been an ongoing conversation largely opposing the requirement of data localization, that offshore entities must have a local presence and the government’s ability to censor “inappropriate” Internet content. Strict enforcement, it is feared, will disrupt the continuous flow of data, so crucial for commercial development. However, the government has not clarified or even enforced the law yet. Business continues to operate in the shadow of the law while awaiting guidance. The circumstances are further clouded by the broad language of the law. But lack of clarity and selective enforcement are not new in Vietnam, and they often serve the government’s purpose of indirect control. For businesses, this means past practices in a lightly-regulated environment can be voluntarily and incrementally modified. But with no detail, this is unlikely. The muddled situation may soon change. The past 12 months has seen active development of new draft legislation to clarify the current law but also focus on implementation and enforcement of current requirements. Recent Developments in Cybersecurity Legislation In early 2020, the Ministry of Information and Communications (MIC) proposed to amend Government Decree No. 72/2013 on the provision, management and use of services and information on the Internet. The...

In-house lawyers can be the fence at the top of the cyber cliff, creating procedures to prevent the worst effects of a cyberattack and responding quickly and effectively when (not if) a cyberattack occurs. Given how quickly cybersecurity has risen from being a line-item on the IT department’s annual budget to top of the list for most companies, in-house lawyers are now a critical gear in the machinery protecting a firm’s digital assets, client data and balance sheet. General counsel must lead the charge in encouraging the C-suite to create, implement and test a robust cybersecurity incident response (IR) plan. The future success of their company could depend on it. Just how much of a problem are cyberattacks and breaches in 2021? US-based cybersecurity provider FireEye said in its M-Trends 2021 report that the Asia Pacific (APAC) region is the “most-targeted” region in the world for ransomware. Ransomware is a form of malware that encrypts a victim’s computer files. The attacker then demands a ransom to restore access to the data. Users are shown instructions for how to pay a fee to get the decryption key. FireEye’s report said on average, APAC organizations are attacked by ransomware roughly 51 times per week in 2021. But it’s not just ransomware that is rising. Between May 2020 and May 2021, recorded instances of all types of cyberattacks on APAC-based companies rose 168%. And in just one month – April-May of this year – the entire region saw a whopping 58% increase in cyberattacks, year-on-year. Image: Ransomware on the rise. ‘Dwell time’ indicates the time an attacker or malware variant sits on...