While Brussels argued over the AI Act's general-purpose model rules and Washington pinballed between executive orders, Singapore's Personal Data Protection Commission (PDPC) did something genuinely consequential in March 2024: it published an advisory document and let the market read it. Two years later, the PDPC's Advisory Guidelines on Use of Personal Data in AI Recommendation and Decision Systems have become the unofficial operating manual for Southeast Asia's AI sector — a clarification, not a new regulation, that has nonetheless reshaped how Singapore-based firms approach generative AI compliance heading into 2026.
The Guidelines are not law. They sit alongside the Personal Data Protection Act (PDPA) and explain how its existing principles apply to AI development, training, and deployment. That is precisely their strength. Rather than wait years for legislative consensus on what an "AI system" even is, the PDPC took the statute already on the books and answered the practical questions firms were quietly asking their lawyers: Can we train a model on customer data without re-collecting consent? When does an automated recommendation engine cross into territory that needs disclosure? What does meaningful accountability look like for a system whose outputs are probabilistic?
The Business Improvement and Research exceptions
The most consequential clarification concerns two exceptions in the PDPA's First Schedule. The Business Improvement exception, introduced in the 2020 PDPA amendments, allows organisations to use previously collected personal data — without seeking fresh consent — for purposes including improving products and services, learning about customer behaviour, and personalising offerings. The PDPC's 2024 Guidelines confirmed what many in-house counsel had hoped: training a recommendation or decision model on existing customer data generally falls within this exception, provided the purpose cannot reasonably be achieved without personal data and the impact on individuals is proportionate.
The Research exception, similarly, permits use of personal data for research purposes — including commercial research — subject to safeguards such as ensuring the research yields a public benefit and that results are not published in a form that identifies individuals. Together, these carve-outs give Singapore-based developers a clearer, legally grounded path to AI training that does not depend on each user's affirmative click for every new model iteration. That matters enormously for startups and scale-ups that cannot afford to re-paper years of customer relationships to ship a single product feature.
Accountability, not paperwork
What the Guidelines do not do is exempt firms from substantive obligations. They reaffirm that organisations remain accountable for ensuring data is accurate enough for the purpose, that bias and harm are assessed before deployment, that meaningful disclosures are made when AI is used to make decisions affecting individuals, and that data protection officers are involved in system design. The PDPC explicitly endorses risk-based impact assessments and references its own Model AI Governance Framework — first published in 2019 and updated in May 2024 to cover generative AI — as the operational complement.
This is regulation as scaffolding rather than scaffold. Firms get a defensible legal basis to build; regulators get audit trails, documented assessments, and a credible enforcement hook if things go wrong.
The contrast with the EU's approach is hard to miss: where the AI Act stacks horizontal obligations on top of GDPR, Singapore reads its existing data law forward into the AI context and trusts firms to do the engineering work that compliance requires.
How firms responded
By early 2026, the practical effect is visible. Major Singapore-based banks and platforms have published AI use disclosures referencing the Guidelines as the controlling framework. The Infocomm Media Development Authority (IMDA) and the AI Verify Foundation have stood up the Generative AI Evaluation Sandbox, allowing firms to test models against shared benchmarks before deployment. Cross-border data flows under the ASEAN Model Contractual Clauses continue to use Singapore as a hub, in part because the PDPA's interoperability with both APEC's CBPR system and the EU adequacy conversation gives firms a credible single jurisdiction to anchor regional operations.
That said, the Guidelines are not a panacea. They do not address generative AI's distinct training-data questions in full depth — issues such as memorisation of personal information in model weights, or the legality of scraping publicly accessible personal data, remain only partially answered. The PDPC has signalled further guidance is forthcoming, and additional consultation on synthetic data and model deployment is reportedly under consideration for 2026.
A model worth copying
The deeper lesson is one regulators elsewhere should take seriously. Singapore did not need a new statute, a new agency, or a multi-year trilogue to move its AI sector forward. It needed a regulator willing to read its own law plainly, publish its reasoning, and let firms get on with building. That is the kind of proportionate, evidence-based regulation that produces both consumer protection and economic dynamism — and it is why Singapore, despite a population smaller than Brussels' metropolitan area, continues to punch dramatically above its weight in the global AI conversation.
For policymakers in India, Indonesia, the Philippines, and increasingly Australia, the Singapore approach is the one to study. Hard law has its place. But sometimes the most useful thing a regulator can do is tell the market, clearly and in writing, what the existing rules already permit.