The adoption of Artificial Intelligence (AI) and Machine Learning (ML) holds great potential to benefit society. However, without careful assessment to ensure these technologies comply with both international norms and national laws, they may bring about unforeseen risks and unintended consequences. As data processing capabilities evolve at an unprecedented rate, core data protection principles may need to be reconsidered to address the emerging challenges effectively. For instance, big data analytics can render traditional notions of consent obsolete, as users typically lack insight into how algorithms function, how their data is utilised, the purposes for which it is processed, and the conclusions drawn by such technology.

The deployment of AI systems also presents significant privacy concerns at a societal level, particularly when trained on individuals’ data for surveillance purposes. As data underpins Artificial Intelligence and Machine Learning, this report examines the growing challenges of data protection in South and Southeast Asia as AI governance takes centre stage. Focusing specifically on the data protection laws of Indonesia, the Philippines, Bangladesh, Nepal, and Sri Lanka, the report analyses how well these laws can mitigate potential risks arising from AI adoption.

This report, produced in 2024, is part of the Greater Internet Freedom project, a four-year Internet Freedom initiative across South and Southeast Asia. It builds on the findings of EngageMedia’s previous report on Governance of Artificial Intelligence (AI) in Southeast Asia (2021) and the report on Biometric and Digital Identification systems in South and Southeast Asia. It analyses the tensions in the implementation of Personal Data Protection (PDP) in the adoption of AI systems, allowing for a holistic view of potential shortfalls in existing provisions, enabling policymakers to formulate guardrails that ensure data quality, privacy, ethical use, and transparency in the use of collected data across sectors. The report considers the societal impacts of AI, with a focus on machine learning applications, as it is most relevant to data protection and privacy concerns. Data privacy and security are crucial for Personally Identifiable Data, which can easily slip into AI training datasets, where the model can potentially leak sensitive information.

Key findings include: 

1. Lack of fundamental, comprehensive regulation to properly protect personal data. Countries that do not have a comprehensive data protection law in place (Cambodia, Nepal, and Bangladesh) currently use an amalgamation of existing regulations, which – while principally sound – can be outdated and not necessarily accommodative to the current landscape and challenges of digital data collection and processing. We recognise it will require political capital to pursue amendments to these legislative changes; we invite lawmakers to revisit existing legislation to leverage and harmonise the protection framework, e.g. consumer protection etc.
2. Vague definitions and parameters of exceptions that override data subject consent for data processing. From our review, certain existing laws and drafts of Data Protection Regulations (Philippines and Bangladesh) have determined a set of exceptions to override the consent required from data subjects. However, many of these exceptions are not properly defined and can create loopholes for data abuse.
3. Insufficient redress mechanisms for data breaches, data abuse, and faulty results of automated decision-making. Indonesia, the Philippines, and Sri Lanka had outlined some rights for Data Subjects regarding the disadvantages caused by the collection and processing of their data. However, accountability mechanisms for when data violations do occur remain incomplete, and this is particularly prevalent in scenarios where such violations were committed by governments.
4. Independence and transparency of the national data protection bodies. Many of the countries reviewed in this paper have mandated the creation of National Data Protection Bodies under their Personal Data Protection Regulations. However, the transparency and independence of these National Data Protection Bodies vary. 

For further reading and comments, please see the paper below. 

Disclaimer: This report represents a Draft Zero and is intended as a working document. We invite feedback from experts and professionals to refine and strengthen the analysis. Please contact us at [email protected]  for any suggestions or contributions.