PDPA and AI: the core obligations

The PDPA establishes obligations for organisations processing personal data: notification (informing individuals about data collection and use, including in AI systems); consent (for non-obvious uses including AI training); purpose limitation (using data only for collected purposes); protection (reasonable security safeguards); retention limitation (not retaining beyond purpose); transfer limitation (protecting data transferred outside Singapore); and access and correction (enabling individuals to access and correct their data).

Consent and AI: the complex part

The PDPA has exceptions relevant to business AI use: the business improvement exception (using data to improve products and services for the same individuals whose data is used); the legitimate interests exception (where interests outweigh individual interests); and contractual necessity. Using customer data to improve an AI recommendation engine for those same customers is more likely to fall within exceptions than using customer data to train a general-purpose model for other customers. Document which exception applies to each AI use case.

Cross-border data transfers

Most major AI tools are operated outside Singapore. The Transfer Limitation Obligation requires that transfers of personal data outside Singapore be protected to PDPA-equivalent standards through: contractual arrangements (PDPC-standard contractual clauses with the recipient); binding corporate rules for intra-group transfers; or adequacy (very few countries qualify). Before using an overseas AI tool with Singapore personal data, confirm the vendor accepts a Data Processing Agreement that includes the transfer protection provisions required under the PDPA.

DPO requirement

Singapore's PDPA requires organisations that collect personal data to appoint a Data Protection Officer registered with the PDPC (pdpc.gov.sg/register-dpo). The DPO must have a genuine understanding of PDPA requirements and the authority to address compliance issues. For AI governance, the DPO should be involved when: procuring new AI tools that process personal data; assessing whether AI use cases require consent; reviewing privacy notices to ensure AI use is covered; and responding to access and correction requests.