PDPC Proposed Advisory Guidelines — Use of Personal Data in Generative AI

Publicly Available Exception

Organisations may collect and use publicly accessible personal data for GenAI development — including web scraping — without consent, provided the data is genuinely publicly available and its use is reasonable in the circumstances.

│

Data Behind Digital Barriers

Data behind paywalls, login walls, or authentication is NOT automatically excluded from "publicly available." A case-by-case assessment is required considering:

Purpose of the barrier • Complexity of access • Alternative sources availability

│

Web Scraping Best Practices

Where collecting personal data from sources with digital barriers, organisations should notify the source organisation of the intended collection as a best practice.

Critical because personal data is difficult to remove or correct once incorporated into GenAI training datasets.

│

Consent for User-Provided Data

When individuals provide personal data through products or services, organisations MUST obtain consent before using it for GenAI training — unless deemed consent or a PDPA exception applies.

Must clearly notify individuals of the purposes for which their data will be used.

│

AI-Specific Notifications Required

General or broad notifications (e.g. "product improvement") are INSUFFICIENT. Organisations must provide clear, AI-specific notifications that explicitly state their data will be used to develop or train generative AI systems.

│

Enhanced Transparency

AI-specific notifications must include sufficient detail for meaningful consent:

① Functions of the GenAI model
② Types of personal data used
③ How data is used in training/fine-tuning
④ How individuals may opt out or withdraw consent

│

Data Minimisation & Safeguards

Organisations must implement appropriate technical, organisational, and legal safeguards where personal data is used in GenAI development, and apply data minimisation principles.

⚡ Key Implications for Organisations

Publicly available ≠ freely usable — assess digital barriers case by case
Update privacy notices with explicit AI training disclosures now
Consent mechanisms must be granular, not bundled
Web scraping requires proactive notification to source organisations
These are proposed — submit feedback before 1 July 2026

KNQX helps you comply

"We make it easier for organisations to embark on PDPA in 3 easy steps"

🛡️ Map Data Flows 📝 Draft AI Policies 📊 Track Compliance 🚨 Manage Breaches