Singapore's PDPC Issues Draft Guidelines on Personal Data Use in Generative AI
Source: ZDNet
Singapore's Personal Data Protection Commission has released proposed advisory guidelines on how personal data should be handled when used to train and deploy generative AI systems, with public consultation open until July 1.
Singapore's Personal Data Protection Commission has released proposed advisory guidelines on how personal data should be handled when used to train and deploy generative AI systems, with public consultation open until July 1. The framework addresses the full AI supply chain — from development and testing through to deployment and procurement — and marks one of the most detailed regulatory attempts in Asia to reconcile data protection law with the realities of large language model training.
The guidelines build on Singapore's existing Personal Data Protection Act and aim to stretch existing obligations to fit the rapidly evolving landscape of generative AI development. They are not legally binding but are expected to inform regulatory expectations and best practices. Key provisions clarify when organisations can rely on the "publicly available" exception to scrape personal data for AI training without consent — but mandate that organisations must assess whether the data is genuinely publicly accessible and whether its use would be reasonable under the circumstances.
The draft guidelines also tackle notification and consent requirements. Where personal data is collected directly from individuals through products or services, organisations must obtain specific, informed consent for AI training — general references to "product improvement" are explicitly deemed insufficient. Data behind paywalls or registration barriers is not automatically excluded from being considered "publicly available," but requires a case-by-case assessment weighing the purpose and complexity of the barrier. The PDPC encourages data minimisation practices and expects strong technical and organisational safeguards.
Two areas flagged for further stakeholder attention are downstream information sharing — what should model providers share with those who deploy their systems — and the additional risks posed by agentic AI, which may stretch existing regulatory frameworks. These open questions signal that the PDPC intends to iterate on these guidelines as the technology evolves.
Why it matters for Singapore: As hundreds of companies in Singapore build or integrate generative AI tools, clear rules on data use are essential for both compliance and innovation. These guidelines give AI developers legal clarity on web scraping and consent requirements, potentially accelerating responsible AI adoption while protecting consumer data. The consultation period offers Singapore's AI community a chance to shape rules that could become a template for other Asia-Pacific jurisdictions watching how the city-state balances innovation and privacy.