Introduction
The rise of generative artificial intelligence (“Gen AI”) has been swift and pervasive, with Gen AI now forming part of the foundational digital infrastructure of both the economic and social spheres. However, with the novel and ever-evolving nature of Gen AI, questions have arisen as to how the development and use of Gen AI fits into the existing legal framework.
One of the key concerns is how Gen AI interacts with the personal data protection regime. Against this backdrop, on 2 June 2026, the Personal Data Protection Commission (“PDPC”) issued a set of Proposed Advisory Guidelines on Use of Personal Data in Generative AI (“Proposed Guidelines”). The Proposed Guidelines aim to clarify how the Personal Data Protection Act 2012 (“PDPA”) applies to address key data protection issues for situations where the development and deployment of Gen AI involves the use of personal data, including:
- the collection and use of personal data to develop Gen AI models;
- the allocation of data protection responsibilities across the Gen AI cycles; and
- the handling of individuals’ requests concerning the processing of their personal data for Gen AI.
PDPC is conducting a public consultation on the Proposed Guidelines, seeking views on the draft guidance. The public consultation closes on 1 July 2026.
The Proposed Guidelines build on and should be read in conjunction with PDPC’s existing guidelines, including the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems. For more information, please refer to our earlier Legal Update titled “PDPC Issues Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems”.
The Proposed Guidelines are organised according to the typical stages of the Generative AI lifecycle: (i) development; (ii) deployment; and (iii) post-deployment. This Update summarises the key features of the Proposed Guidelines across these stages and highlights the practical implications for organisations that collect, use or process personal data in the context of Gen AI.
Development Stage: Collecting and Using Personal Data
- Publicly Available Exception
  - The “Publicly Available Exception” under the PDPA allows organisations to collect, use or disclose, without consent, personal data about an individual that is publicly available.
  - The Proposed Guidelines provide that, when organisations web-scrape publicly accessible data (including personal data) to develop a Gen AI model, they may rely on the “Publicly Available Exception” to collect such personal data without the need to obtain consent, subject to reasonableness requirements.
  - The exception may also apply to data behind a technical and/or financial measure that restricts partial or full data access (“digital barrier”), subject to additional prescribed considerations such as: (i) the purpose and effect of the digital barrier; (ii) the steps needed to access the data; and (iii) whether the data can be accessed without any restrictions from other online sources.
  - Where an organisation intends to scrape personal data behind a digital barrier put up by another organisation, PDPC proposes a best practice of notifying the other organisation of its intention to do so.
- Consent and Notification Obligations
  - Under the PDPA, the Consent Obligation requires an organisation to obtain an individual’s consent before using their personal data, while the Notification Obligation requires the organisation to notify the individual of the purpose for which the data is being used.
  - Personal data provided by individuals may be used by an organisation to develop Gen AI models, engaging the Consent and Notification Obligations. The Proposed Guidelines provide that general notifications citing the use of personal data for “new product development” without specifying AI or Gen AI model development are insufficient to discharge the above obligations.
  - The Proposed Guidelines clarify that AI-Specific Notifications which specify that the purpose of use includes AI and/or Gen AI model development are required. In crafting such notifications, organisations are encouraged to provide the following information: (i) the functions of the Gen AI model; (ii) a clear description of the types of personal data to be used; (iii) how the data will be used to develop the Gen AI model; and (iv) how individuals can decline or withdraw consent.
Deployment Stage: Data Protection Responsibilities of Stakeholders
The Proposed Guidelines identify the following three classes of stakeholders and their respective responsibilities in protecting personal data:
- Model Providers who develop and/or make Gen AI models for distribution and use:
  - Model Providers that process personal data to develop and deploy Gen AI models are considered organisations and must comply with all obligations under the PDPA.
  - PDPC reminds Model Providers to pay particular attention to the “Retention Limitation Obligation” under the PDPA, which requires an organisation to cease to retain its documents containing personal data once its purpose is served. If data needs to be retained to develop or enhance future models, it is good practice for Model Providers to (i) develop and make available a data retention policy that includes the rationale for longer retention periods; and (ii) regularly review whether the retained personal data remains necessary.
  - Model Providers may also act as data intermediaries where they process personal data on behalf of downstream users, thus engaging the “Protection Obligation” under the PDPA (protecting personal data in their possession by making reasonable security arrangements). In this context, it is good practice for them to document (i) data access controls; (ii) data residency; and (iii) retention policies to comply with the Protection Obligation and support System Providers and Deployers in meeting their PDPA obligations.
- System Providers who develop and/or make available Gen AI Systems for distribution and use:
  - System Providers that process personal data as part of their own datasets to develop systems are considered as organisations and must comply with all obligations under the PDPA.
  - System Providers may also be considered as data intermediaries where they process data on behalf of downstream deployers. Accordingly, to comply with the Protection Obligation, System Providers are expected to periodically review the need for additional security arrangements. It is also good practice to share information on system-level safeguards with downstream deployers, such as (i) data security and protection measures around the development environment; and (ii) testing and performance metrics.
- System Deployers who use and/or enable the use of Gen AI Systems under their authority:
  - While System Deployers may develop systems in-house or procure systems as a service, they bear the main responsibility for ensuring that the Gen AI systems they have chosen to use meet their obligations under the PDPA.
  - Key obligations include: (i) Purpose Limitation Obligation – to specify the purpose for which the personal data is to be processed and the amount of personal data required for processing; (ii) Protection Obligation – to safeguard personal data including new categories of data sources (e.g. prompts, outputs, agent activity data) and educate end users; and (iii) Accountability Obligation – to develop and make available clear written policies.
  - Where the Gen AI Systems have agentic functionalities, System Deployers should carefully consider the privacy-utility trade-offs. For further guidance, please refer to the Infocomm Media Development Authority’s “Model AI Governance Framework for Agentic AI”.
Post-Deployment Stage: Handling Data Subjects’ Requests
PDPC recognises the present-day challenges in facilitating Gen AI-related access and correction requests, due to the following factors:
- The massive amounts of data used to develop models, making it difficult to identify, verify and correct data of specific individuals;
- The nature of Gen AI systems (e.g. training data is stored as embeddings rather than in traditional repositories, user data is temporarily held in context windows); and
- Other technical limitations (e.g. difficulty in removing specific information from models).
Notwithstanding the above, organisations must comply with the “Access and Correction Obligations” under the PDPA, which require them to accede to individuals’ requests for access to and correction of their personal data in the organisation’s possession or control, unless an exception applies (e.g. where the burden or expense of doing so is unreasonable, or where there are reasonable grounds not to make the correction).
The Proposed Guidelines set out the following best practices for organisations to comply with Access and Correction Obligations:
- Adopt upstream data handling measures, such as (i) verifying data accuracy at collection stage; (ii) implementing data cleaning techniques; and (iii) maintaining data provenance records;
- Review requests on a case-by-case basis and accede where reasonable; and
- Track maturity of and adopt appropriate technical measures.
Public Consultation Questions
PDPC has invited feedback on several matters, specifically:
- Are there other examples of digital barriers that should be addressed in the Proposed Guidelines?
- Should organisations be required to provide AI-Specific Notifications in situations beyond Gen AI model training and fine-tuning?
- Are there other best practices for the substance of AI-Specific Notifications and complying with access and correction requests that should be highlighted?
- Is there additional information on data protection safeguards that Model Providers and System Providers should share with downstream stakeholders?
- Are there other agent-specific data challenges or risks that the Proposed Guidelines should address?
Concluding Words
The Proposed Guidelines provide welcome clarity on how the PDPA applies to Gen AI systems, particularly on the allocation of responsibilities among Model Providers, System Providers, and System Deployers. They also signal PDPC’s regulatory expectations and are likely to inform future enforcement. Organisations developing or deploying Gen AI systems may wish to review their existing practices, such as data protection practices (especially around AI-Specific Notifications and data retention policies), against the Proposed Guidelines ahead of their finalisation.
The full public consultation is available here.
For regional Technology, Media & Telecommunications matters, please see Rajah & Tann Asia’s Regional Technology, Media & Telecommunications Practice for more information.