Balancing Act: Singapore’s PDPC on Navigating Data Protection and AI

By Denise Wong, Deputy Commissioner, Personal Data Protection Commission (PDPC), Singapore

Personal Data Protection (PDP) Week 2024 has been a whirlwind of panels and workshops centred around the junction of data protection and emerging technologies. Among the key discussion points were the impacts of the latest developments in AI Governance and Privacy Enhancing Technologies (PETs), as well as finding the right balance in Data Governance practices that both encourages innovation and safeguards data privacy.  

We recently sat down with the Deputy Commissioner of Singapore’s Personal Data Protection Commission (PDPC), Denise Wong, for an exclusive interview where we took a pulse check of Singapore’s data protection regulatory landscape and where it may be headed in the future. 

Q. How would you describe Singapore's data protection journey thus far and its development relative to other countries in ASEAN and the developed world?

For Singapore, our data protection laws started in 2012. It's been a journey of understanding the importance of data protection for citizens and their concerns around that, while also balancing the needs of organisations to use that data for legitimate purposes. We strike a balance where companies can use the data but they do so safely and responsibly. In the region, there are a number of ASEAN initiatives such as the ASEAN Data Management Framework and the Model Contractual Clauses on Cross Border Data Flows to achieve some sort of regional convergence and understanding. 

Q. This year's PDP Week has a strong focus on the intersection of data protection and technology aspects - why do you think this is an important topic?

Technology now touches every aspect of our lives and it is developing at a pace that is quite unprecedented. A lot of the technologies today require vast amounts of data, both personal data as well as non-personal data. As such, we need to understand how data is used and then provide guidance and guardrails on how that data can be used safely and responsibly while allowing the technology to grow and flourish for the public to benefit from it. 

AI is a good example. There's a tremendous potential in AI, but in order to maximise that potential for public good, it's quite important that we put in place guardrails to address key risks, which creates a trusted ecosystem to enable maximum innovation. 

Q. How does the PDPC ensure that its data protection regulations remain relevant and effective in the face of rapid technological advancements such as the advent of AI into the workplace?

We always keep an eye on the horizon to understand what these trends are, how they're impacting industry, and follow that with close collaboration and contact with the industry so that we can co-learn with them. 

A concrete example is our sandbox projects. IMDA has a PET sandbox where we have worked with various industries to understand how they can deploy different PETs within different business use cases. The PDPC also provides regulatory guidance for those specific use cases to guide companies on how to better deploy or protect the data in said use cases.

Q. What measures are in place to ensure that PDPC’s stance on data protection does not stifle innovation?

In addition to establishing close contact with the industry through our sandbox projects, the Personal Data Protection Act (PDPA) is drafted in terms of principles, and a lot of the details are in our advisory guidelines and practical guidance. So that is an agile way for us to be able to adjust, adapt, evolve and update the guidelines as and when we need to, depending on the evolving technologies and the new risks they bring.

Q. With regards to PDPC's Advisory Guidelines on use of Personal Data in AI Recommendation and Decision Systems – do you foresee that it will evolve further? As a guideline that isn’t technically cemented as law, are there mechanisms in place to ensure it is complied to?

The Advisory Guidelines are PDPC’s interpretation of the law, so they are for compliance and the industry understands this as well. 

At the same time, we are currently reviewing the guidelines for how they may evolve. The Advisory Guidelines were specifically for non-generative AI systems. We are currently looking at generative AI and the use of personal data within that, and I believe that's something many regulators around the world are looking at as well.

Q. What advice can you provide to businesses on managing the risks associated with generative AI?

We have a Model AI Governance Framework for Generative AI that was finalised in May this year and that will give companies a sense of the nine different dimensions that are relevant to thinking about governance in the generative AI space. 

Moving forward, Minister Josephine Teo announced earlier this week that we will also be looking at safety guidelines for model development, transparency and testing. Companies can look forward to increased certainty and clarity about how the government thinks about some of these issues. We're also always open to engaging the industries on the specifics and one of the mechanisms to do that is the AI Verify Foundation. Industry members can join and interact with each other on some of these issues there. They can also make use of some of the practical tools such as the AI Verify Toolkit and Project Moonshot which allows companies to test their own AI systems. These toolkits are all open-source and free to use.

Q. How do you see the role of Data Protection Officers (DPOs) and data protection evolving in the next five years?

The role of the DPO is more important than ever in companies, not just to manage data protection issues but the broader idea of AI governance as well as the digital corporate governance that is becoming increasingly important in companies. We encourage all DPOs to continue learning about business evolutions and technological trends as well as to engage with us whenever there are any sort of questions or issues they'd like to discuss. 

In anticipation of these changes, I think it's always good for DPOs to be connected to the community and continue to have conversations, have an open mind and take a learning posture. That's the posture that PDPC has been adopting as well. We need to learn together collectively as a community.

This article was first published on The Governance Age on 26 July 2024.