On January 22, 2026, South Korea's AI Basic Act entered into force, making it the first country in the world with a comprehensive horizontal AI statute outside the European Union. Three weeks earlier, China's Cybersecurity Law amendment had already raised the ceiling on AI-related fines to 50 million yuan or 5% of the prior year's turnover. In February 2026 alone, Chinese regulators penalized 13,421 accounts and removed more than 543,000 pieces of content for failing to label AI-generated material under the mandatory national standard GB 45438-2025.
Nowhere else does AI and data regulation move at this pace, or in this many directions at once. China enforces through campaign-style sweeps under existing cyber and data laws rather than AI-specific fines. Japan chose a promotional statute with no direct penalties at all. South Korea legislated first but delayed its own enforcement by a year. India notified its long-awaited data protection rules but pushed the substantive obligations to May 2027. Singapore, Australia and Hong Kong are still working through voluntary frameworks, consultation papers and stalled amendment bills.
For a compliance team covering the region, the practical question is never "does this country have an AI law." It is which instrument is actually enforceable today, against which conduct, and on what date that changes.
Which Asia-Pacific countries actively enforce AI-specific rules today?
China is the only one running a fine-and-shutdown enforcement machine built specifically around AI content and models, while South Korea has an AI-specific law in force but paused. China's Interim Measures for the Administration of Generative AI Services, in force since August 15, 2023, require every public-facing generative AI service to complete a security assessment and algorithm filing with the Cyberspace Administration of China before launch. As of March 17, 2026, 796 services had filed nationally and 481 more at the local level. Providers that skip the filing are ordered offline; the "Qinglang" campaign model, most recently a four-month special action launched in April 2026 targeting unregistered large models and unlabeled synthetic content, applies the CSL, the Personal Information Protection Law and the Data Security Law rather than the Generative AI Measures themselves, whose own penalty ceiling caps out at 100,000 yuan.
South Korea's AI Basic Act, in force since January 22, 2026, sets administrative fines up to 30 million won for failing to notify users of AI interaction, failing to appoint a domestic representative, or defying a corrective order. The Ministry of Science and ICT is running a formal one-year grace period on fact-finding investigations and fines, reserved for cases involving serious social harm or human rights violations in the interim, with normal enforcement expected to resume around January 22, 2027.
What does Japan's AI Promotion Act actually require companies to do?
Almost nothing enforceable directly, which is the point. The Act on Promotion of Research and Development, and Utilization of AI-related Technology was enacted May 28, 2025 and fully entered into force September 1, 2025, establishing an AI Strategic Headquarters chaired by the Prime Minister and mandating an AI Basic Plan, adopted December 23, 2025. The Act contains no fines and no direct prohibitions; the government's only tools are requests for cooperation, guidance, and public disclosure of non-compliant conduct.
Binding obligations for AI deployment in Japan still come from existing sector law, principally the Act on the Protection of Personal Information (APPI), alongside METI and MIC's non-binding AI Governance Guidelines for Business (version 1.1, March 2025). The Cabinet Office completed a public consultation on a Principles and Code on Generative AI in January 2026, expected to issue as further non-binding guidance on intellectual property and data transparency. A company operating AI in Japan in 2026 is judged on APPI compliance and voluntary guideline alignment, not on the AI Act itself.
What changes for personal data compliance in India between now and 2027?
The Digital Personal Data Protection Rules, 2025, notified November 13, 2025 under the DPDP Act 2023, commence in three separate phases rather than all at once. Rules 1, 2 and 17 to 21, covering the Data Protection Board's establishment and rule-making architecture, took effect immediately on November 13, 2025. Rule 4, the Consent Manager registration framework, and the corresponding Section 6(9), commence November 13, 2026. The core obligations that most compliance teams are actually waiting for, notice and consent requirements, breach notification, children's data protections, Significant Data Fiduciary duties, and the penalty and appeals architecture under Sections 3 to 17 and 28 to 34, do not commence until May 13, 2027.
That eighteen-month runway is deliberate, but it is also a trap for teams that treat the DPDP Act as "not yet real." The Board is already operating and rule-making is live now; systems built to survive scrutiny after May 2027 need to be designed during 2026, not assembled in the final quarter before the deadline.
How is Singapore governing AI without a binding AI statute?
Entirely through voluntary frameworks issued by the Infocomm Media Development Authority, most recently extended to cover autonomous AI agents. The Model AI Governance Framework for Agentic AI, launched January 22, 2026, is the first governance framework worldwide addressing agentic systems specifically, built around four dimensions: bounding risk upfront through use-case selection and least-privilege access, assigning clear human accountability, embedding technical controls across the agent lifecycle, and enabling end-user responsibility. None of it is legally binding, but the IMDA has stated that alignment with the framework supports managing legal exposure, since organizations deploying agentic AI remain accountable for its actions under existing law regardless of the framework's voluntary status.
Singapore layers this atop the 2024 Model AI Governance Framework for Generative AI and the AI Verify testing toolkit built jointly with the Personal Data Protection Commission. In February 2026, Prime Minister Lawrence Wong announced a new National AI Council and a set of national AI Missions targeting manufacturing, connectivity, finance and healthcare, signaling that Singapore's near-term regulatory bet remains soft law plus sector-specific missions rather than a horizontal AI act.
What is actually enforceable in Australia and Hong Kong right now?
In Australia, a concrete deadline is already on the calendar: from December 10, 2026, the Privacy and Other Legislation Amendment Act 2024 requires APP entities to disclose, in their privacy policies, the kinds of personal information used by any computer program that makes, or substantially and directly supports, a decision capable of significantly affecting an individual's rights or interests. The obligation captures AI-enabled systems and rule-based tools alike, applies even where a human remains formally in the loop, and reaches decisions made on or after that date regardless of when the underlying system was deployed. The Office of the Australian Information Commissioner opened public consultation on implementation guidance on May 18, 2026, closing June 15, 2026, with final guidance expected by September 2026, leaving entities to start compliance work without it.
Hong Kong has no equivalent deadline. Proposed amendments to the Personal Data (Privacy) Ordinance, including mandatory breach notification, administrative fines tied to turnover, and direct regulation of data processors, were debated in the Legislative Council in 2025 but, as of mid-2026, remain proposals rather than enacted law, reportedly stalled over concerns about the burden on business. In their absence, the Privacy Commissioner for Personal Data governs AI through the non-binding 2024 Model Personal Data Protection Framework and a March 2025 checklist for employee generative AI use, while the unrelated Protection of Critical Infrastructures (Computer Systems) Ordinance came into full force January 1, 2026, adding cybersecurity duties for operators of designated critical infrastructure.
| Jurisdiction | Binding AI-specific instrument | Enforcement status mid-2026 | Key upcoming date |
|---|---|---|---|
| China | Generative AI Measures (2023) + GB 45438-2025 labeling | Active, campaign-based, via CSL/PIPL/DSL | Ongoing quarterly Qinglang sweeps |
| South Korea | AI Basic Act | In force, fines under a grace period | Grace period ends around January 22, 2027 |
| Japan | AI Promotion Act | In force, no direct penalties | AI Basic Plan Phase II under development |
| India | DPDP Act + DPDP Rules 2025 | Board operating; core duties not yet live | Core obligations commence May 13, 2027 |
| Singapore | None (voluntary MGF frameworks) | Non-binding, tied to existing sector law | National AI Council rollout through 2026 |
| Australia | Privacy Act 1988 (ADM amendment) | Not yet in force | ADM transparency duty commences December 10, 2026 |
| Hong Kong | PDPO (unamended) | Amendments stalled since 2025 | No confirmed timetable |
Reading seven regulatory tracks in parallel, in Mandarin, Korean, Japanese and English, and re-checking each one whenever a ministry issues a new circular or a legislature reports a bill out of committee, is not a task any single compliance officer can sustain manually across a full Asia-Pacific footprint. Obsidian's per jurisdiction monitoring tracks each official source, from the CAC's filing registry to India's Gazette notifications, at the point of publication, and flags the specific measure touching a framework already on a company's watchlist.
For teams that need the same sourced answer inside a workflow rather than a dashboard, the MCP lets an AI assistant already handling other compliance tasks confirm whether MSIT's grace period has actually ended, or whether the OAIC has published its automated decision-making guidance yet, without a person re-verifying the primary source first. Obsidian's AI works as a regulatory companion in that exchange, not a substitute for the compliance officer who signs off on the answer, it simply gets the sourced fact there before the deadline rather than after.
What should an AI and data governance team in Asia-Pacific do next
Sequence the work by enforceable date, not by headline. A team with China exposure needs its generative AI filing and GB 45438 labeling current now, since enforcement sweeps run quarterly. A team in Korea needs an AI Basic Act compliance baseline ready before the grace period lifts around January 2027. A team in India needs its consent and breach architecture designed during 2026 so it survives Board scrutiny once the core DPDP obligations go live in May 2027. A team in Australia needs its privacy policy language and decision inventory ready before December 10, 2026, not after.
Obsidian's plans are built for tracking exactly this kind of asynchronous, multi-jurisdiction AI and data governance calendar, official source by official source, so the next CAC notice, MSIT guideline or OAIC determination reaches the compliance team before it reaches a headline.