Singapore PDPC: Privacy Duties for Generative AI | TLY

AI Regulation Tracker  /  Regulator guidance

Singapore PDPC drafts advisory on personal data in generative AI, clarifying PDPA duties across the AI supply chain

The Personal Data Protection Commission has proposed guidelines explaining how Singapore's Personal Data Protection Act applies when generative AI is built or deployed using personal data. The draft is not new law, but it signals how the regulator will read duties that already bind firms.

Singapore PDPC drafts advisory on personal data in generative AI, clarifying PDPA duties across the AI supply chain regulation briefing
The Leveraged Years AI Regulation Tracker

Singapore's Personal Data Protection Commission has proposed a set of Advisory Guidelines on Use of Personal Data in Generative AI, issued on June 2, 2026 and open for public consultation until July 1, 2026. The draft does not create new legal obligations. It sets out how the regulator reads the existing Personal Data Protection Act 2012 when organizations build or use generative AI that involves personal data. For any firm operating in Singapore, that distinction matters. The guidelines are proposed, but the law they interpret is already in force. For US firms, the hook is direct: the PDPA can apply when a US provider or deployer handles the personal data of individuals in Singapore.

What the draft actually does

The proposed guidelines are organized around the typical stages of the generative AI lifecycle: development, deployment, and post-deployment. Across those stages, the PDPC clarifies how the PDPA's existing obligations apply, including the lawful bases an organization can rely on to collect and use personal data for training and fine-tuning, how data protection responsibilities are allocated among the parties in the AI supply chain, and how firms should handle requests from individuals about the processing of their personal data. The draft builds on the PDPC's 2024 advisory guidelines addressing personal data in AI recommendation and decision systems, extending that thinking to generative models.

Lawful basis and the publicly available exception

A central question the draft addresses is what an organization can rely on to train a model on personal data. Consent is one route. The guidelines also discuss the publicly available exception under the PDPA, and the PDPC has asked for feedback on what counts as a "digital barrier" that would take data outside that exception. The commission also sought views on whether organizations should give an explicit statement that a purpose of use includes AI or generative AI model development in situations beyond training and fine-tuning. Firms that assumed public web data is automatically free to use for training should read this section closely.

Accountability across the supply chain

The draft is explicit that responsibility does not sit with one party alone. It allocates data protection duties across model providers, system providers, and deployers, and discusses the safeguards that upstream providers should pass down to the organizations that deploy their systems. In its consultation questions, the PDPC asked what additional data protection information would be useful for model and system providers to share with downstream stakeholders. For a firm procuring a third-party model, the practical implication is that vendor documentation and contractual safeguards become part of its own compliance record.

Output risks and agentic AI

Beyond how data goes in, the guidelines address what comes out. They deal with mitigating risks in generative AI outputs, including hallucination and bias, and with transparency toward the individuals whose data may be affected. The PDPC also flagged agentic AI, inviting feedback on agent-specific data challenges or risks that would be helpful to clarify. That signals the regulator is looking past single-prompt chatbots toward systems that take actions across tools and data sources.

What it does not do

The draft does not rewrite the PDPA, and it does not itself impose penalties. As with other PDPC advisory guidance, it is not legally binding. Its force is interpretive. It tells organizations how the commission is likely to assess compliance with duties that already exist, which makes it a strong indicator of enforcement expectations rather than a safe document to ignore. For a US reader, the cross-border angle is direct. A US company offering or training generative AI services that touch personal data of individuals in Singapore is subject to the PDPA, so this draft previews how a key Asian regulator will judge that conduct, and it echoes themes now appearing in guidance across multiple jurisdictions.

Frequently Asked Questions

What did the PDPC change?

It published proposed Advisory Guidelines on Use of Personal Data in Generative AI on June 2, 2026, and closed public consultation on July 1, 2026. The draft clarifies how the existing Personal Data Protection Act 2012 applies across the development, deployment, and post-deployment stages of generative AI. It is a proposed advisory, not a new statute.

Who is affected by this?

Organizations that develop, deploy, or procure generative AI involving personal data of individuals in Singapore, including model providers, system providers, and deployers, along with their data protection officers, privacy and compliance teams, and technology vendors.

Is the guidance legally binding?

No. Like other PDPC advisory guidelines, it is not binding in itself. Its significance is that it interprets the PDPA, which is binding. It indicates how the commission will read existing obligations, so firms should treat it as a guide to likely regulatory expectations.

Can we train a model on publicly available personal data without consent?

Not automatically. The draft discusses the PDPA's publicly available exception and asks for feedback on what "digital barriers" would remove data from that exception. Firms should confirm the lawful basis for each training use rather than assume public data is free to use.

What should a firm procuring a third-party model do now?

Identify where personal data enters the model and the deployment, confirm the lawful basis for each use, and obtain from the model or system provider the data protection safeguards and documentation the draft expects upstream parties to share with deployers.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.