The OECD.AI Policy Navigator

Our policy navigator is a living repository from more than 80 jurisdictions and organisations. Use the filters to browse initiatives and find what you are looking for.

Overview National International All initiatives

Personal Data Protection Act (PDPA), Section 26 (Transfer Limitation Obligation) and Personal Data Protection Regulations 2021

-
Added by:   National contact point
Added on:   06 May 2026
Updated by:   OECD analyst
Updated on:   06 May 2026
Singapore’s PDPA Section 26, supported by the Personal Data Protection Regulations 2021, provides a binding legal framework that governs cross‑border transfers of personal data by private organisations. The framework permits the use of domestic or international cloud providers, including for AI‑related workloads, subject to compliance with defined data protection safeguards.

Initiative overview

Under Section 26 of Singapore’s Personal Data Protection Act, private organisations may transfer personal data outside Singapore if the recipient is subject to legally enforceable obligations that ensure a level of data protection comparable to that required under Singapore law. These requirements are operationalised through the Personal Data Protection Regulations 2021, which have been in force since 1 February 2021.

The framework does not impose data localisation requirements or restrict the use of foreign cloud service providers. Instead, it establishes conditions under which cross‑border data transfers — including those associated with cloud‑based AI training, processing, or analytics — may occur lawfully. Compliance mechanisms include contractual safeguards with overseas service providers, internal rules for intra‑group transfers, recognised certifications, or reliance on foreign legal regimes that provide comparable protection.

Guidance issued by the Personal Data Protection Commission (PDPC) clarifies how these statutory requirements apply in practice, including to cloud computing arrangements. While the guidance is non‑binding, it provides regulatory interpretation of the in‑force legal provisions. Overall, the PDPA cross‑border transfer regime addresses legal uncertainty related to international cloud use while maintaining enforceable data protection obligations for private organisations.

About the policy initiative

Singapore
Singapore

Category:

  • Regulations, guidelines and standards

Initiative type:

  • Regulation (by government authority)

Status:

  • Active

Start Year:

  • 2021

Target Sectors:

MERaLiON (Multimodal Empathetic Reasoning and Learning in One Network)

MERaLiON (Multimodal Empathetic Reasoning and Learning in One Network)

MERaLiON (Multimodal Empathetic Reasoning and Learning in One Network) is a large language model designed in Singapore and built for Southeast Asia. Launched in its upgraded version (v2) at the ATxSummit in May 2025, it expanded its language coverage to include Malay, Vietnamese, Thai, Tamil, Bahasa Indonesia, and Chinese dialects, aiming to reach approximately 450 million speakers across the region through empathetic, culturally aware, and context-sensitive AI interactions.

Start year: 2025
Country/Organisation: Singapore
Enterprise Compute Initiative (ECI)

Enterprise Compute Initiative (ECI)

The Enterprise Compute Initiative (ECI) is a Singapore government programme administered by Digital Industry Singapore (DISG), with up to SGD $150 million set aside at Budget 2025. Designed to support Singapore-based companies in advancing their AI transformation, the programme provides cloud credits and consultancy services through major cloud service providers, Google Cloud, Microsoft, AWS, and Oracle, to help companies develop a Minimum Viable Product and establish dedicated AI teams.

Start year: 2025
Country/Organisation: Singapore
Joint Press Statement by Michael McGrath, European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection and Denise Wong, Acting Commissioner of Singapore's Personal Data Protection Commission

Joint Press Statement by Michael McGrath, European Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection and Denise Wong, Acting Commissioner of Singapore's Personal Data Protection Commission

Building on previous collaboration, the European Commission and PDPC intend to further develop their partnership on issues of common interest, notably through the exchange of knowledge, experience and best practices to enhance data protection and trusted data flows, including exploring the use of privacy-enhancing technologies, in support of the digital economy and advancing the protection of children in the digital environment, which is a priority area for both sides.

Start year: 2025
Country/Organisation: Singapore
Guidelines on Securing AI Systems

Guidelines on Securing AI Systems

The Guidelines on Securing AI Systems, published by the Cyber Security Agency of Singapore (CSA) in October 2024, aims to support system owners adopting or considering AI by identifying potential security risks and setting out guidance to mitigate them across the AI lifecycle. Grounded in the principle that AI should be "secure by design and secure by default," the guidelines cover five lifecycle stages; Planning and Design, Development, Deployment, Operations and Maintenance, and End of Life.

Start year: 2024
Country/Organisation: Singapore
Working Group on AI Governance Under the Asean Digital Senior Officials' Meeting

Working Group on AI Governance Under the Asean Digital Senior Officials' Meeting

The 4th ASEAN Digital Ministers' Meeting (ADGMIN) has accepted a recommendation to set up a new Working Group under the ASEAN Digital Senior Officials' Meeting (ADGSOM) on AI Governance, including initial work on generative AI.

Start year: 2024
Country/Organisation: Singapore
Google for Startups Accelerator: AI-First

Google for Startups Accelerator: AI-First

Google for Startups Accelerator: AI First Singapore to nurture and support globally-oriented innovators that use gen AI as the core technology to build their products.

Start year: 2024
Country/Organisation: Singapore
AI Compute

AI Compute

Invest up to S$500mil to avail high-performance compute to support AI innovation and capability building.

Start year: 2024
Country/Organisation: Singapore
10G Nationwide Broadband Network

10G Nationwide Broadband Network

Upgrade Nationwide Broadband Network to 10Gbps with up to S$100mil to support future innovations and opportunities brought by artificial intelligence, immersive digital experiences and autonomous systems.

Start year: 2024
Country/Organisation: Singapore
Model AI Governance Framework for Generative AI

Model AI Governance Framework for Generative AI

This framework expands on the existing Model Governance Framework that covers Traditional AI, last updated in 2020. It covers nine dimensions for generative AI which should be looked at in totality - (a) accountability; (b) data; (c) trusted development and deployment; (d) incident reporting; (e) testing and assurance; (f) security; (g) establishing content provenance; (h) safety and alignment research & development; and (i) AI for Public Good.

Start year: 2024
Country/Organisation: Singapore
ASEAN Guide on AI Governance and Ethics

ASEAN Guide on AI Governance and Ethics

The ASEAN Guide on AI Governance and Ethics is a practical guide for organisations in the region that wish to design, develop, and deploy traditional AI technologies in commercial and non-military or dual-use applications.

Start year: 2024
Country/Organisation: Singapore