Singapore PDPC issues proposed guidelines on use of personal data in generative AI

Key aspects of the proposed guidelines

1. Reliance on the publicly available exception

The proposed guidelines clarify that organisations may rely on the “Publicly Available Exception” under the PDPA to collect and use personal data for the development of generative AI models, including through web scraping, without obtaining consent, provided that the data is genuinely publicly accessible and its use would be considered reasonable in the circumstances.

2. Considerations for data behind digital barriers

The guidelines emphasise that personal data located behind digital barriers, such as paywalls, registration requirements, or authentication mechanisms, is not automatically excluded from being “publicly available.”

Organisations must assess, on a case-by-case basis, whether such data remains accessible to the general public, taking into account factors such as the purpose and effect of the barrier, the complexity of access, and whether the data can be readily obtained through other sources.

3. Best practices for web scraping and data collection

Where organisations intend to collect personal data from online sources that are subject to digital barriers, the PDPC recommends, as a matter of best practice, notifying the source organisation of the intended collection.

This is particularly important in the generative AI context, where data may be difficult to remove or correct once incorporated into model training datasets.

4. Consent rquirements for user-provided personal data

The proposed guidelines confirm that, where personal data is provided directly by individuals through the use of products or services, organisations must obtain consent for its use in the development of generative AI models, unless an applicable exception under the PDPA applies. This is, of course, unless deemed consent or relevant exceptions to consent apply.

This obligation is accompanied by the requirement to clearly notify individuals of the purposes for which their personal data will be used.

5. Requirement for AI-specific notifications

The PDPC makes clear that general or broad notifications (for example, references to “product improvement”) are insufficient to support valid consent for generative AI training purposes.

Organisations should instead provide clear, AI-specific notifications that explicitly inform individuals that their personal data will be used to develop or train generative AI systems.

6. Enhanced transparency obligations

Organisations are encouraged to ensure that AI-specific notifications include sufficient detail to enable meaningful consent, including descriptions of the functions of the generative AI model, the types of personal data used, how the data will be used in training or fine-tuning, and how individuals may opt out or withdraw consent.

7. Emphasis on data minimisation and safeguards

The proposed guidelines further emphasise the importance of data minimisation in generative AI development and encourage organisations to implement appropriate technical, organisational, and legal safeguards where personal data is used.

Conclusion

The proposed guidelines have been issued for public consultation, with the PDPC inviting feedback from stakeholders on a number of key issues. These include whether additional examples of “digital barriers” would be useful, whether AI-specific notifications should be required beyond model training and fine-tuning scenarios, and whether further best practices should be identified in relation to transparency and responses to access and correction requests. The PDPC is also seeking input on the types of data protection safeguards that model and system providers should share with downstream stakeholders, as well as any additional risks arising from agentic AI systems.

The public consultation period is open until 1 July 2026, providing stakeholders with approximately one month to submit feedback.

For further guidance on these proposed guidelines, please reach out to the authors of this alert or your usual Hogan Lovells contact.

Authored by Charmian Aw and Ciara O'Leary.