Singapore Sets the Rules for GenAI and Personal Data — And Asks for Your View

Two days ago, Singapore’s Personal Data Protection Commission published proposed guidelines that any business building or deploying generative AI in Singapore should read carefully.

The Proposed Advisory Guidelines on the Use of Personal Data in Generative AI, released on 2 June 2026, are the first time the PDPC has addressed directly how the Personal Data Protection Act applies to GenAI systems. Stakeholders have until 1 July to respond.

This has been coming. When the PDPC issued its advisory guidance on AI recommendation and decision systems in March 2024, it explicitly excluded generative AI — acknowledging that the technology raised different and harder questions. Minister for Communications and Information Josephine Teo told parliament that GenAI-specific guidance would follow. It has now arrived.

The guidelines cover the full GenAI lifecycle, from training data collection through to deployment and procurement. Four areas will require the most attention from businesses.

First, web scraping and training data. Organisations can rely on the PDPA’s “Publicly Available Exception” to collect personal data for model training without consent — provided the data is genuinely publicly accessible and its use is reasonable. Data behind paywalls, registration gates, or authentication requirements is not automatically treated as publicly available; organisations must assess this case by case. The PDPC also recommends, as best practice, notifying source organisations before scraping — a provision that will require adjustment for anyone currently treating web scraping as unrestricted.

Second, user-provided data. Where individuals supply personal data through a product or service, organisations must obtain consent before using it to train or fine-tune a GenAI model, unless an exception applies. Generic notifications referencing “product improvement” will not be sufficient. The PDPC wants AI-specific notifications that tell individuals explicitly what their data will be used for, how it will feed into training, and how they can opt out.

Third, GenAI outputs. When systems produce outputs about individuals — hallucinations, biased content, incorrect personal information — organisations are expected to have safeguards in place, monitor outputs, and have processes for handling correction requests.

Fourth, supply chain transparency. Model providers must share data protection safeguard information with downstream deployers, which will affect the terms on which foundation model access is structured and sold in Singapore.

The guidelines are advisory rather than legally binding. But the PDPC’s history is clear: advisory guidance gets cited in enforcement decisions when things go wrong.

Singapore’s PDPC published proposed guidelines on 2 June 2026 covering how the PDPA applies to generative AI — training data, web scraping, user consent, output risks, and supply chain obligations. Consultation closes 1 July 2026. Any organisation developing, deploying, or procuring GenAI systems in Singapore should review these proposals. There is one month to submit feedback.