I have spent so much time writing about data privacy and fintech regulations in Vietnam that I have forgotten to look at another technology that is vitally linked yet also distinct. That technology, artificial intelligence, is being used to understand and manipulate data and to produce interpretations and actions of smart contracts and companies.
According to dictionary.com, artificial intelligence is:
the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.
This ability results largely from the use of large databases that can be used to train AI algorithms to learn how to interpret new data that it encounters. An example will help.
In Arizona, there is a small town in which Tesla has enacted tests for its AI driverless vehicles. So far, only one major incident has occurred in which a woman was killed by a car. What happened, according to Neil deGrasse Tyson, is that the AI of the vehicle had been trained to recognize pedestrians, and had been trained to recognize bicycles, but when it encountered a woman pushing a bicycle it was left without the proper training and safety defaults did not yet exist. It got confused and surged forward, killing the woman pushing the bike.
The limitations of AI also are worth exploring, though I may save that for another post. For now it is only necessary to understand that AI requires absolutely staggering amounts of data in order for it to conduct the machine learning necessary to interact with novel situations. And so far, only a few organizations have the data necessary to complete such training. In Vietnam, too, even fewer organizations possess sufficient data. And even if they are blessed with sufficient data, the way they use the data under current regulations is unclear.
As of this moment, the draft decree on personal data protection remains a draft. The Government has yet to approve or issue the draft. Not surprising given the fact that the term for gathering public comment expired only at the beginning of this year. But that said, one has to consider two different regimes of law in order to understand what must be done to comply with Vietnamese law on the subject.
The first, and at the moment most important, data regime is the existing regulations ensconced in the Network Information Security Law and its minimal treatment of personal data. According to the few articles in the law that govern personal data protection, there are a couple of provisions of note.
Organizations or individuals who seek to collect and use the personal data of individuals in Vietnam must first obtain the consent of those individuals. That consent may be rescinded at any moment. In addition, should the individual whose data is under question requests amendment, update, or deletion of that data then the collector of such information must comply with such request. Finally, any organization or individual seeking to share the information of a data subject must first obtain the consent of such subject.
Two draft decrees, however, do contemplate this concept, the draft decree for personal data protection and the draft decree on fintech sandbox.
The first of these two draft decrees contemplates data shared for research purposes, a new concept under Vietnamese law and one that would lend itself to the development of AI much more readily than existing regulation. Under this draft, data used for the purpose of research must go through a scrubbing process that removes any data that may be able to identify the data owner before sharing the data with a third party. Data collectors must also ensure that the data owner is apprised of the fact that their data may be shared for research in their privacy policies or terms and conditions.
The second draft decree indirectly considers the sharing of data, though primarily through third party providers who are not allowed to amend or change the data while it is in their possession. These are called Application Programming Interfaces and are little more than facilitators for the transferring of data from one party to another. This allows data collectors to transfer data to another party (for reasons stipulated in the privacy policies and terms and conditions only) via the API.
A third draft decree that should consider AI, but doesn’t, is the draft decree on e-transactions. None of these recent drafts consider the regulation of AI, not even the draft decree on fintech sandbox. This failure on the part of the government to move forward with up-to-date regulations governing new technologies will only dampen the motivation and de-incentivize founders and startups from operating in the Vietnamese domain.
What the government needs to do, in addition to implementing the draft decrees already shared for public comment, is to develop a method for accelerating the passage of technology related legislation. As it is, a law takes at least a year from initial concept to passage by the National Assembly, and the government seems hardly faster with years passing between concept and promulgation. This is a serious problem given the fact that technology is advancing much more rapidly. Until Vietnam can create a method for regulating technology in near real time, they will fail in their efforts to be a lure for high-tech startups and founders. They will remain the new world factory and never reach the next step.