PDPC consults on proposed Advisory Guidelines on Use of Personal Data in Generative AI

29 June 2026

On 2 June 2026, the Personal Data Protection Commission (“PDPC”) published a consultation paper seeking comments on proposed clarifications, to be set out in Advisory Guidelines on Use of Personal Data in Generative AI (“Guidelines”), on how the Personal Data Protection Act 2012 applies to the use of personal data in the context of generative AI. The consultation closes on 1 July 2026.

The proposed Guidelines address some of the key data protection issues relating to generative AI today. These include (i) the collection and use of personal data to develop generative AI models; (ii) the allocation of data protection responsibilities across the generative AI lifecycle; and (iii) the handling of individuals’ requests concerning the processing of their personal data for generative AI.

The following issues are addressed in the proposed Guidelines:

Section

Stage of generative AI lifecycle

Topics

Part II

Development: Collecting and using personal data to develop generative AI models

·         Publicly available exception

·         Notification and consent obligations

·         Protection obligation

Part III

Deployment: Processing personal data in deployed generative AI models and/or systems

·         Retention limitation obligation

·         Protection obligation

·         Purpose limitation obligation

·         Accountability obligation

Part IV

Post-deployment: Addressing individuals’ requests about personal data

·         Access and correction obligations

 

Specifically, PDPC invites feedback on the following matters arising from the proposed Guidelines:

  • Whether there are other examples of “digital barriers” in respect of the “publicly available exception” that would be useful to clarify;
  • Whether organisations should provide an explicit statement that the purpose of use includes AI and/or generative AI model development (“AI-specific notifications”) in situations other than generative AI model training and/or fine-tuning;
  • Whether there are other best practices in respect of the substance of the AI-specific notifications and complying with access and correction requests that would be useful to highlight;
  • Whether there is additional information on data protection safeguards that would be helpful for model and system providers to share with their downstream stakeholders;
  • In respect of the obligations of system deployers, whether there are other agent-specific data challenges or risks that would be helpful to clarify.

Reference materials

The consultation paper is available on the PDPC website www.pdpc.gov.sg.