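Oral Answer · 2026-04-07 · 15th Parliament

Safeguards against citizen data being processed or disclosed by foreign-owned AI / data analytics platforms

AI Governance and Regulation · AI and National Security · Contention level 3 · Substantive debate

Workers' Party Non-Constituency MP Low Wu Yang Andre raised a key question: (a) whether the whole-of-Government data architecture permits proprietary AI / data analytics platforms from foreign-headquartered vendors to process citizen data; and (b) if so, what legal and technical safeguards prevent foreign governments from obtaining that data under their domestic laws (such as the US CLOUD Act). MDDI Minister of State Jasmin Lau replied that the Government adopts a risk-based approach: data access is granted strictly on the "least privilege / needs-basis" principle; vendors are required to implement non-retention, encryption, and identity and access management; data residency may be required for highly sensitive data; and use, storage and disclosure are restricted through a governance framework and contractual terms. Low's follow-up went to the heart of the matter: he named Palantir Technologies, which over the past five years has become the preferred supplier of AI, data and security solutions to governments worldwide, and stated that the CLOUD Act compels US companies within its jurisdiction to disclose data, **and that disclosure can be compelled even when data residency is in Singapore**. Jasmin Lau directly acknowledged this: "legal and contractual agreements aside, the reality is that no matter what legal provisions the contracts may contain, some jurisdictions like the US may have legislation including with extraterritorial reach that empower government agencies to require companies within their jurisdictions to provide certain information... Such legislation can override contractual obligations." This is the first time the Government has publicly acknowledged in Parliament that contractual data residency can be overridden by foreign extraterritorial laws.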

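Key points

  • Foreign-owned AI / data platforms are permitted to process government data (risk-based)
  • The MP named Palantir and the extraterritorial reach of the US CLOUD Act
  • The Minister of State acknowledged that contractual terms can be overridden by foreign extraterritorial law
  • Safeguards shift to technical controls + governance + use-case classification

Government position

Adopts risk tiering + technical controls + a governance framework; acknowledges that contractual terms cannot fully guard against foreign law

Questioner's position

Questions the practical threat that extraterritorial jurisdiction such as the CLOUD Act poses to Singapore's data sovereignty

Policy signal

Data sovereignty strategy: a shift from contractual safeguards to a multi-layered defence of technology + governance + use-case classification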

“Some jurisdictions like the US may have legislation including with extraterritorial reach that empower government agencies to require companies within their jurisdictions to provide certain information... Such legislation can override contractual obligations.”

Full translation (from Chinese)

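Workers' Party Non-Constituency MP Low Wu Yang Andre raised a key question: (a) whether the whole-of-Government data architecture permits proprietary AI / data analytics platforms from foreign-headquartered vendors to process citizen data; and (b) if so, what legal and technical safeguards prevent foreign governments from obtaining that data under their domestic laws (such as the US CLOUD Act).

MDDI Minister of State Jasmin Lau replied that the Government adopts a risk-based approach: data access is granted strictly on the "least privilege / needs-basis" principle; vendors are required to implement non-retention, encryption, and identity and access management; data residency may be required for highly sensitive data; and use, storage and disclosure are restricted through a governance framework and contractual terms.

Low's follow-up went to the heart of the matter: he named Palantir Technologies, which over the past five years has become the preferred supplier of AI, data and security solutions to governments worldwide, and stated that the CLOUD Act compels US companies within its jurisdiction to disclose data, **and that disclosure can be compelled even when data residency is in Singapore**.

Jasmin Lau directly acknowledged this: contractual terms cannot withstand foreign legislation with extraterritorial reach, so the Government's strategy relies not only on contracts but also on technical controls, governance frameworks and use-case classification, that is, a multi-layered defence. This is the first time the Government has publicly acknowledged in Parliament that contractual data residency can be overridden by foreign extraterritorial laws.

English original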

SPRS Hansard · Fetched: 2026-05-03

82 Mr Low Wu Yang Andre asked the Minister for Digital Development and Information (a) whether the whole-of-Government data architecture permits proprietary artificial intelligence (AI) or data analytics platforms from foreign-headquartered vendors to process citizen data; and (b) if so, what legal and technical safeguards ensure that such data cannot be compelled for disclosure by a foreign government under that government's domestic laws.

The Minister of State for Digital Development and Information (Ms Jasmin Lau) (for the Minister for Digital Development and Information): Mr Speaker, the Government uses best-in-class technology solutions, including those from international vendors, to deliver effective digital services for citizens and to support our public officers' work. We have established comprehensive safeguards to protect citizen data when working with any vendor. Our risk-based approach ensures that data access is granted strictly on a "needs-basis" following the principle of least privilege. Vendors are expected to implement robust technical safeguards such as non-retention of data, encryption as well as access and identity management.

Data residency may also be required, depending on the sensitivity of the data. This is coupled with proper governance frameworks and contractual agreements on how the data can be accessed, used, stored and retained. These help to prevent vendors from accessing, using or disclosing government data where they are not permitted to do so, including in response to demands from foreign governments. Our approach combines global expertise, technical safeguards, legal protections and ongoing oversight to ensure that citizen data remains secure. We continuously monitor vendor compliance, conduct regular security assessments and update our frameworks to address emerging risks and maintain public trust.

Mr Speaker: Mr Low.

Mr Low Wu Yang Andre (Non-Constituency Member): I thank the Minister of State for the response. I would like to share that the primary reason for me to ask this Parliamentary Question was driven by concerns I have over a specific vendor, which is Palantir Technologies, which, over the last five years or so, has become the preeminent supplier to governments around the globe of artificial intelligence, data and security solutions.

I am not sure if the Minister of State is at the liberty to disclose if we do have any ongoing contracts with Palantir, but I think even if the answer is no, the broader concern remains that overseas legislation like the United States' Clarifying Lawful Overseas Use of Data (CLOUD) Act compels these US-based companies to disclose data in their legal system from foreign countries. Even with data residency in mind, the Act still compels them to disclose this data. What assurances can the Minister of State give that we will not be subject to such compulsions?

Ms Jasmin Lau: I thank the Member for the question. I understand that the Member may have filed a separate Parliamentary Question on Palantir for the Ministry of Finance (MOF), which I will leave for MOF to answer. I would like to add that he is right. Legal and contractual agreements aside, the reality is that no matter what legal provisions the contracts may contain, some jurisdictions like, as he mentioned, the US, may have legislation or regulations, including with extraterritorial reach, that empower government agencies to require companies or entities within their jurisdictions to provide certain information.

This could include Singapore Government data. Such legislation or regulations can override contractual obligations. This is why the Government's approach is to rely not solely on contractual provisions, but also on other risk mitigation measures, which I have mentioned, such as technical controls and safeguards as well as governance frameworks, which limit what use cases and categories of information may be used with non-government provided tools and platforms.