The Ministry of Transport, Communications, and Information Technology (MTCIT) recently announced a public consultation regarding a draft National Artificial Intelligence Policy. This draft policy suggests that the MTCIT does not wish to impose any serious restrictions on the ability to use AI systems in Oman as the policy will not be a legally binding document and will not impose any concrete obligations on the providers or deployers of AI systems in Oman. This is a reasonable approach for the MTCIT to take as the technology of AI is still developing and imposing unreasonable restrictions at this stage might deprive Omani society of the ability to experiment with and explore the possibilities offered by AI.
Governance of AI
The use of artificial intelligence has countless legal and ethical implications. From civil and criminal liability resulting from AI systems, to ethical issues relating to the training of AI models using biased data that results in, for example, AI systems assuming that all individuals with Middle Eastern features are likely to be terrorists, and therefore flagging them for additional investigation at airports.
Countries around the world are considering these implications, and the EU was the first country to issue a comprehensive and legally binding piece of legislation to govern artificial intelligence in the form of the EU AI Act. This act adopts a risk-based approach to AI regulation and completely prohibits the use of AI tools of unacceptable levels of risk, such as social scoring systems and predictive policing, and imposes no obligations on minimal risk AI systems such as spam filters. The act imposes some obligations on limited risk AI systems, such as basic chatbots, and imposes more serious obligations on high risk AI systems, such as those used in recruitment. The act imposes substantial fines against violators that go up to 35 million Euros or 7% of the annual turnover of the violator.
What is a Policy?
The public consultation document published by the MTCIT suggests that Oman is not going to have a stringent artificial intelligence governance framework that is similar to the EU, and will follow a more permissive approach by adopting a non-legally binding policy.
To understand what this policy means in the Omani legal context, it might be useful to clarify the levels of legislation we have in this country. Legislation in Oman can be classified as primary, secondary, and tertiary. Primary legislation is issued by the Sultan and includes royal decrees and laws, such as the Personal Data Protection Law. Secondary legislation is issued by a minister and includes ministerial decisions and executive regulation, such as the Executive Regulation of the Personal Data Protection Law. Executive regulations, like laws, are also legally binding and those who violate them may be fined or held accountable using other forms of enforcement. The final and third level is tertiary legislation, and even though tertiary legislation is usually issued by a minister, it is not usually legally binding. This category of legislation includes things like circulars and policies, such as the Personal Data Protection Policy of Government Units. These policies are intended to provide non-legally binding instructions, and the MTCIT usually issues them to provide to other government entities details on the best practices for IT governance.
So unlike the Personal Data Protection Law, which was legally binding and imposes fines up to half a million Rial Omani, the MTCIT is considering to issue the AI governance framework as a non-legally binding policy that does not impose any fines against those who violate it and provides no real mechanism of enforcement.
Oman National AI Policy
The draft National Artificial Intelligence Policy provides high-level principles that must be taken into consideration when developing or deploying an AI system. It requires complying with general ethical principles relating to privacy, equity, transparency, and accountability. Even though the MTCIT did not follow the risk-based approach established by the EU AI Act, the MTCIT makes the distinction used by the EU AI Act when it comes to the providers and deployers of AI systems and imposes a different set of obligations on those who develop an AI system (i.e. providers) and those who use an AI system (i.e. deployers). For example, the policy requires providers to carry out an impact assessment for an AI system before it is deployed, and requires deployers to provide mechanisms for human supervision over decisions made by an AI system.
In addition to these general requirements, the policy provides a long list of good practices that providers of AI systems are meant to adopt, such as performing periodic evaluations, establishing rail guards for the use of AI systems, adopting cyber security provisions, etc, and another set of general requirements that deployers of AI systems are meant to adopt, such as complying with the Personal Data Protection Law, destroying the data appropriately after use, and ensuring that the data used is clean and reliable.
The provisions of the policy will apply to both public and private organisations in Oman that provide or deploy AI systems. However, it will not apply to individuals.
Wait and See Approach
The fact that the MTCIT has chosen not to issue a legally binding instrument is probably a wise decision, especially given that the Omani government has a history of over-regulation and imposing impractical conditions that make it extremely difficult for major applications to comply with (for example, MTCIT’s Executive Regulation of the Law of Carriage by Land and TRA’s Regulation Governing the Provision of Voice or Video Telecommunications Service over Internet Protocol require transportation apps, such as Uber, and VoIP apps, such as FaceTime and Whatsapp Calls, to have their servers locally hosted in Oman, and since these apps are unable to comply with the law, these services are blocked).
Given the fast pace at which AI technology is developing, attempting to create legally binding rules at this point in time can have unpredictable results, and it is more reasonable to wait and see how this technology develops before attempting to strictly regulate it.
However, this is not to say that there are no areas of law that need rapid intervention to address certain AI-risks. For example, the Omani Personal Data Protection Law needs to be amended to introduce a requirement to obtain the consent of a data subject before using his personal data for profiling purposes or automated decision-making, granting the data subject the right to object to such uses, or at least imposing an obligation on a data controller to disclose to the data subject that his personal data is being used by such tools. These AI-related data subject rights are already found in the laws of many countries, including neighbouring countries such Bahrain and the UAE.
Public Consultation
The public consultation for the draft National AI Policy is still open. Those interested in reading the document in full and in sharing their feedback with the MTCIT can do so by visiting this link. The public consultation period closes on 28 August 2024.