Singapore Personal Data Protection Act (PDPA 2012) + AI Governance Framework 2.0: AI Compliance Requirements

PDPA Section 13 requires consent before collecting, using, or disclosing personal data. The 2021 amendments expanded deemed consent provisions for business contracts and legitimate interests — AI systems can process data under legitimate interests if a Legitimate Interests Assessment (LIA) is conducted and documented. Notification to individuals is still required for AI profiling and automated decision-making.

PDPA Part VIA (2021 amendment) requires notification to PDPC within 3 calendar days (72 hours) of discovering a notifiable breach, and to affected individuals without undue delay if significant harm is likely. AI systems experiencing security incidents that expose personal data must trigger breach response protocols immediately. Failure to notify carries significant penalties.

PDPC's Model AI Governance Framework 2.0 requires: (1) internal governance structures for AI decisions, (2) risk assessment of AI models before deployment, (3) algorithmic transparency documentation, (4) human oversight mechanisms for high-risk AI, and (5) regular AI audit and monitoring. MAS-regulated financial institutions using AI must additionally comply with MAS Fairness, Ethics, Accountability, Transparency (FEAT) principles.

PDPA Part VIB (2021 amendment) introduces a Data Portability Obligation requiring organizations to transmit data to another organization upon user request. AI training datasets using customer data may be subject to portability requests. Organizations must implement technical mechanisms to export personal data in a machine-readable format within 15 business days.