Understanding and steering data with AI

Steven Jacob, Of counsel, Indochine Counsel

In Arizona, there is a small town in which Tesla has enacted tests for its AI driverless vehicles. So far, only one major incident has occurred in which a woman was killed by a car. The AI of the vehicle had been trained to recognise pedestrians and bicycles, but when it encountered a woman pushing a bicycle it was left without the proper training and safety defaults did not yet exist, confusing the system.

The limitations of AI are also worth exploring, though I may save that for another post. For now, it is only necessary to understand that AI requires absolutely staggering amounts of data in order for it to conduct the machine learning necessary to interact with novel situations. And so far, only a few organisations have the data necessary to complete such training. In Vietnam, too, even fewer organisations possess sufficient data. And even if they are blessed with sufficient data, the way they use the data under current regulations is unclear.

As of this moment, the draft decree on personal data protection in Vietnam remains a draft – not surprising, given the fact that the term for gathering public comment expired only at the beginning of this year. But that said, one has to consider two different regimes of law in order to understand what must be done to comply with Vietnamese law on the subject.

The first, and at the moment most important, data regime is the existing regulations ensconced in the Law on Network Information Security and its minimal treatment of personal data. According to the few articles in the law that govern personal data protection, there are a couple of provisions of note.

Organisations or individuals who seek to collect and use the personal data of individuals in Vietnam must first obtain the consent of those individuals. That consent may be rescinded at any moment. In addition, should the individual whose data is under question request amendment, update, or deletion of that data, then the collector of such information must comply with such request. Finally, any organisation or individual seeking to share the information of a data subject must first obtain the consent of such subject.

Draft decrees require extra scrutiny in order to cover various aspects involving the future of AI, Photo: Shutterstock

Most of these regulations may be resolved by a well-drafted privacy policy and terms and conditions (at least for companies operating in the telecommunications and internet spheres). But very few companies in Vietnam that possess enough data to be able to train AI are actually seeking to utilise AI. The majority of AI activity is currently in the startup sector and requires the collection of data from third parties or larger organisations. This invokes the concept of data sharing, a concept not contemplated by the Law on Network Information Security.

Two draft decrees, however, do contemplate this concept, the draft decree for personal data protection and the draft decree on fintech sandbox. The first of these two draft decrees contemplates data shared for research purposes, a new concept under Vietnamese law and one that would lend itself to the development of AI much more readily than existing regulations. Under this draft, data used for the purpose of the research must go through a scrubbing process that removes any data that may be able to identify the data owner before sharing the data with a third party. Data collectors must also ensure that the data owner is apprised of the fact that their data may be shared for research in their privacy policies or terms and conditions.

The second draft decree indirectly considers the sharing of data, though primarily through third-party providers who are not allowed to amend or change the data while it is in their possession. This is application programming interface (API), which is little more than a facilitator for the transferring of data from one party to another. This allows data collectors to transfer data to another party (for reasons stipulated in the privacy policies and terms and conditions only) via the API.

A third draft decree that should consider AI, but does not, is the draft decree on e-transactions. None of these recent drafts considers the regulation of AI, not even the draft decree on fintech sandbox. This failure on the part of the government to move forward with up-to-date regulations governing new technologies will only dampen motivation and de-incentivise founders and startups from operating in the Vietnamese domain.

What the government needs to do, in addition to implementing the draft decrees already shared for public comment, is to develop a method for accelerating the passage of technology-related legislation. As it is, a law takes at least a year from initial concept to passage by the National Assembly, and years can pass between concept and promulgation. This is a serious problem given the fact that technology is advancing much more rapidly. Until Vietnam can create a method for regulating technology in near real-time, it will fail in its efforts to be alluring to high-tech startups and founders.