Notes from the Asia-Pacific region: Singapore issues draft guidelines on personal data use in generative AI

On 2 June 2026, Singapore's Personal Data Protection Commission issued proposed guidelines on the use of personal data in generative artificial intelligence systems, a move that sends a clear pulse through the region's data protection body. 

These proposed guidelines build on the PDPC's earlier advisory guidance and aim to stretch existing obligations under the Personal Data Protection Act 2012 to fit the rapidly evolving muscle of generative AI development and deployment. 

The proposed guidelines address the use of personal data across AI development, testing, deployment and procurement stages, reaching from head to toe across the AI supply chain.

The framework focuses on core themes such as accountability, the appropriate legal bases for training and use of personal data, risk mitigation in relation to generative AI outputs — including hallucinations and bias — and transparency obligations toward individuals. 

As with other PDPC advisory guidance, the proposed guidelines are not legally binding but are expected to inform regulatory expectations and best practices, serving as the bones and ligaments that hold the framework together. 

The PDPC has opened a public consultation for feedback, which remains open until 1 July 2026. 

The proposed guidelines clarify that organizations may rely on the "publicly available exception" under the PDPA to collect and use personal data for the development of generative AI models, including through web scraping, without obtaining consent. 

Organizations must temperature test whether data is genuinely publicly accessible and if its use would be considered reasonable in the circumstances. The proposed guidelines emphasize that this is a reflex assessment that demands careful balance. 

The guidelines also stress that personal data located behind digital barriers, such as paywalls, registration requirements or authentication mechanisms, is not automatically excluded from being "publicly available." 

In such contexts, organizations must flex their analytical muscle and assess, on a case-by-case basis, whether such data remains accessible to the general public.

Factors to be collectively measured and weighed include the purpose and effect of the barrier, the complexity of access and whether the data can be readily obtained through other sources. 

Where organizations intend to collect personal data from online sources that are subject to digital barriers, the PDPC recommends, as a matter of best practice, notifying the source organization of the intended collection. 

This is an important precaution in the aorta of responsible data governance for generative AI in particular, since a data clot that has formed is hard to remove or correct once it has dissolved into model training datasets.

The proposed guidelines further confirm that where personal data is provided directly by individuals through products or services, organizations must obtain consent for its use in the development of generative AI models, unless an applicable exception under the PDPA applies. 

This is the heartbeat of the framework. Consent sits at the heart of the PDPA's protections, and the nerves that carry these obligations extend to every joint and knuckle of the AI development pipeline. While deemed consent or relevant exceptions to consent may apply, the obligation to clearly notify individuals of the purposes of processing remains a load-bearing shoulder of the regime.

General or broad notifications, such as a hair's breadth reference to "product improvement," are insufficient to support valid consent for generative AI training purposes. Organizations must get beneath the skin to provide individuals with clear, AI-specific notifications that explicitly inform individuals that their personal data will be used to develop or train generative AI systems. A limp nod of the neck will not suffice — specificity is required down to the fingers and toes.

The proposed guidelines underscore the importance of data minimization in generative AI development. Organizations are encouraged to build strong technical, organizational and legal safeguards, as well as governance measures, while at the same time adopting a calibrated and proportionate monitoring approach that empowers operational movements. 

The public consultation period provides stakeholders with approximately one month to submit feedback. Two areas warrant though and attention: what model and system providers should share with downstream stakeholders and the additional risks arising from agentic AI systems, which may well test and stretch the limits on, and put strain on the limbs of, existing regulatory frameworks.