Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 40
40
Hogan Lovells
Singapore
Data protection
Singapore’s push to be a leading innovation
economy in APAC continues to be reflected
in its regulatory approach to personal data
under the Personal Data Protection Act (the
PDPA), and in the commercially-sensitive
thought leadership provided by the Personal
Data Protection Commission (the PDPC). In
particular, as we noted in our previous guide,
Singapore’s emerging data protection policy
provides a wider latitude, compared to other
Asian jurisdictions, to businesses that seek to
create economic or social value through the
processing of personal data.
AI Guidelines
That policy approach was amply illustrated
first in 2023, with the PDPC’s circulation of
a set of proposed advisory guidelines on the
use of personal data in artificial intelligence
(AI) recommendation and decision systems
( AI Guidelines) and the issuance of the same
on March 1, 2024. The AI Guidelines explain
how the PDPA applies to the use of personal
data by organisations that seek to develop,
deploy, and procure AI systems – systems
that embed machine learning models to make
decisions autonomously, or to assist a human
decision-maker through recommendations and
predictions. In particular, the AI Guidelines
address how and when exceptions to consent
afforded in the PDPA, such as the business
improvement exception and research
exception, apply to exempt organisations
developing AI systems, as well as identify
the scope of data protection obligations that
developers assume when training, testing,
and monitoring AI systems.
Exceptions to consent in AI
system development
The AI Guidelines examine two statutory
exceptions by which an organisation may
use personal data without consent from
the individuals involved in order to
develop AI systems.
The first is the “Business Improvement
Exception”, which applies when an
organisation uses personal data to improve
existing goods or services, or to develop new
ones; to improve the operational efficiency
of delivering such goods or services; or to
personalise or customise such goods or
services. Examples of possible applications,
relevant in the development of AI systems,
include recommendation engines on social
media platforms that offer personalised
content; job assignment systems that assign
jobs to platform workers; or AI systems that
provide new product features to improve the
competitiveness or appeal of those products.
The second exception is the “Research
Exception”. This exception allows organisations
to use personal data without consent, in order
to conduct research or development that may
not have any immediate application for their
products, services, operations, or markets. To
qualify for this exception, there must be a
clear public benefit to an organisation’s use
of personal data for its research. The results
of such research must neither identify any
relevant individual, nor be used to make any
decision that affects him.
Data protection considerations
The AI Guidelines set out a concise list of
factors, which organisations seeking to rely on
each exception must consider. But whichever
of these exceptions is employed, the AI
Guidelines also remind organisations that they
must implement technical, process, and legal
controls in the process of designing, training,
and monitoring AI systems using personal data.
In particular, organisations are encouraged to
