On 18 July 2023, Singapore’s Personal Data Protection Commission (PDPC) issued its Proposed Advisory Guidelines on Use of Personal Data In AI Recommendation and Decision Systems (the Proposed AI Advisory Guidelines) for public consultation.

The Proposed AI Advisory Guidelines address the following:

• How organisations may avail themselves of existing exceptions under the Personal Data Protection Act 2012 (PDPA) when seeking to use personal data in the development of machine-learning AI models or systems;
• How organisations can meet the requirements of the consent, notification and accountability obligations under the PDPA when collecting personal data for use in machine learning AI systems for decisions, recommendations and predictions.

The Proposed AI Advisory Guidelines may be accessed here.

A brief summary of, and our key takeaways from, the Proposed AI Advisory Guidelines are set out below.

Summary of Proposed Advisory Guidelines

The Proposed AI Advisory Guidelines are organised according to the three broad stages of the implementation of a machine-learning AI system:

• Development, testing and monitoring:  Using personal data to train and test the AI system, as well as monitoring the performance of the AI system post-deployment;
• Deployment of the Machine Learning AI system: Collecting and using personal data in deployed systems; and
• Procurement How AI systems or solutions providers may provide support to organisations seeking to implement AI systems to comply with the PDPA.

In this regard, paragraph 3.2 of the Proposed Advisory Guidelines provides a helpful summary of the key data protection considerations that organisations should bear in mind at each of stage of implementation:

Key takeaways

The Proposed AI Advisory Guidelines are a timely clarification of the application of the general principles under the PDPA to machine-learning AI models and systems, where use of personal data is concerned. In particular, the clarification of the applicable exceptions, such as the Business Improvement and Research Exceptions, will likely assist and encourage organisations to adopt machine-learning AI solutions that may involve the use of personal data as the Proposed AI Advisory Guidelines provide some certainty on regulatory expectations.

However, it should be noted that the Proposed AI Advisory Guidelines are intended to be issued pursuant to PDPA and thus would only apply when personal data is used in recommendation and decision systems – it does not regulate AI systems generally.   

Additionally, the focus of the Proposed AI Advisory Guidelines is on clarifying the application of the PDPA to traditional machine-learning AI models or systems – it does not explicitly deal with  Generative AI (GenAI) systems. While the general principles articulated in the Proposed AI Advisory Guidelines may apply to GenAI systems, it bears noting that GenAI systems and supply chains work differently from traditional machine-learning AI models and carry with them distinct issues and concerns.   

Therefore, organisations seeking to deploy GenAI systems should take note when applying the data protection considerations set out in the Proposed AI Advisory Guidelines as these specific considerations may not necessarily be fit for purpose for GenAI, and further thought should be given on how the PDPA will apply in the absence of further guidance from PDPC. In this regard, the PDPC may provide clarification on the application of the PDPA to GenAI in due course, as the Singapore Government has indicated that it is actively studying this area.[1]

[1] Speech by Minister Josephine Teo at the Opening of the Personal Data Protection Week on 18 July 2023 (mci.gov.sg)