What happened
On 2 June 2026, Singapore's Personal Data Protection Commission (PDPC), supported by IMDA, published Proposed Advisory Guidelines on Use of Personal Data in Generative AI and opened a public consultation closing 1 July 2026. The guidelines clarify how the Personal Data Protection Act 2012 (PDPA) applies across the full generative AI lifecycle (development, deployment, post-deployment). Key provisions: (1) organisations may rely on the 'Publicly Available Exception' to collect personal data through web scraping under defined conditions; (2) AI-specific notifications are required before personal data is used to train or fine-tune models — including disclosures of what personal data is used, how it trains the model, and what functions use it; (3) data protection responsibilities are allocated across Model Providers, System Providers, and System Deployers; (4) individuals' PDPA rights to access and correct personal data apply in the GenAI context.
Why it matters
Singapore's PDPC is one of Asia-Pacific's most influential data-protection regulators and its guidelines are closely watched regionally. These proposed guidelines are the first detailed PDPA interpretation for the GenAI lifecycle, filling a significant gap. The three-tier accountability model (Model Provider / System Provider / System Deployer) closely mirrors EU AI Act supply-chain logic and is likely to become a regional template. The consultation deadline of 1 July 2026 is immediate — organisations with Singapore operations or data subjects must respond or prepare to comply with finalised guidelines expected later in 2026.
Action needed
Submit consultation response by 1 July 2026. Begin gap analysis: (a) audit data used to train or fine-tune any GenAI models against the Publicly Available Exception criteria; (b) design AI-specific data notifications for model training use; (c) map accountability across your Model Provider / System Provider / System Deployer chain; (d) prepare to handle individual access/correction requests in GenAI contexts.