Liability and Governance · Updated 2026-04-26

Personal Data Protection Act (PDPA) — AI Application

Governance In force 2012 / 2020 (amended) Personal Data Protection Commission (PDPC)

Core Point

Sets the legal perimeter for personal data in AI — the Business Improvement Exception leaves room for AI training.

Detailed Note

Enacted in 2012 and substantially amended in 2020 to add AI-relevant provisions. The most important changes for the AI era: (1) the Business Improvement Exception — allowing personal data to be used to improve products and services, including AI training, without user consent, subject to a reasonableness test; (2) the right to data portability; (3) strengthened enforcement and penalties. Together with Copyright Act §244, the PDPA forms the dual legal foundation for the use of training data for AI in Singapore.

Position in the Legal Framework

A gradual path from principles to tools to enforcement — FEAT → Veritas → MindForge → AI Risk Management Guidelines.

View National AI Levers

Related Legal Cards

Guide on Use of Generative AI Tools by Court Users

Lawyers and litigants bear ultimate responsibility for legal documents prepared with AI assistance and must disclose any AI use.

AI Risk Management Guidelines for Banks

Formal supervisory expectations for AI model risk management in financial services — among the first dedicated banking-AI regulations globally.

Guidelines and Companion Guide on Securing AI Systems

Best practices for AI system security across the full lifecycle — filling a gap in AI security governance.