Singapore unveiled its first National AI strategy in 2019, with the aim of becoming a leader in developing and deploying scalable, impactful AI solutions in key sectors of high value and relevance to citizens and businesses by 2030. With AI going “mainstream” with the release of ChatGPT by OpenAI in November 2022, Singapore’s National AI Strategy was updated in December 2023 (the “NAIS 2.0”), with AI now positioned as a necessity that people “must know”, rather than just “good to have”. Singapore will also take a global approach to AI, in terms of co-operating both to innovate and also to overcome the challenges brought about by AI (eg, energy, data and ethics).

Singapore has not enacted any laws concerning the use of AI in general. However, the following laws address specific applications of AI, which are detailed further in 3.2 Jurisdictional Law.

• Singapore’s Road Traffic Act 1961 was amended in 2017 in order to provide a regulatory sandbox for the trial and use of autonomous motor vehicles, which was previously done by way of exemptions.
• The Health Products Act 2007 (HPA) requires medical devices incorporating AI technology (AI-MD) to be registered before they are used (see 14.3 Healthcare for further details).

Organisations must comply with relevant laws when deploying AI technology – for example, laws relating to safety, personal data protection and fair competition. Where the use of AI results in harm, existing legal principles (such as tort liability and contractual liability) will still apply.

Singapore also has a set of voluntary guidelines in place for both traditional/predictive AI (which makes predictions based on historical data instead of creating new content) and generative AI, as follows.

For traditional/predictive AI:

• the Model Artificial Intelligence Governance Framework (Second Edition) (the “Model Framework”) issued by the Infocomm Media Development Authority (IMDA) and the Personal Data Protection Commission (PDPC) in 2020, which states that the use of AI should be fair, explainable, transparent and human-centric;
• the Implementation and Self-Assessment Guide for Organisations (ISAGO) – a companion to the Model Framework issued in 2020 – which sets out questions and examples for organisations to rely on when self-assessing how their AI governance practices align with the Model Framework; and
• “AI Verify” (an AI governance testing framework and toolkit rolled out in May 2022, comprising both technical tests and process checks for organisations to assess their AI systems against 11 internationally-accepted AI ethics principles), which has since been mapped to the US National Institute of Standards and Technology’s AI Risk Management Framework in October 2023 – both the Singapore and US frameworks are aligned (ie, interoperable), thereby reducing compliance costs for organisations to meet the requirements within both frameworks.

For generative AI:

• the IMDA first issued a paper – “Generative AI: Implications for Trust and Governance” ‒ in June 2023, outlining six key risks brought about by generative AI and measures to address them;
• the IMDA then issued (in October 2023) a paper on baseline standards for evaluating large language models (LLMs), titled “Cataloguing LLM Evaluations”; and
• the Model AI Governance Framework for Generative AI (the “Model Gen-AI Framework”) ‒ setting out nine dimensions to build trustworthy generative AI, as well as the actions the industry and policymakers must take to achieve it ‒ was released on 16 January 2024 for public consultation up to 15 March 2024 and was finalised on 20 May 2024.

Regulators also issue guidance notes to organisations, such as the following ‒ of which, the first three are for general application, and the final two apply to specific industries.

• The PDPC released the Advisory Guidelines on the Use of Personal Data in AI Recommendation and Decision Systems in March 2024 (the “PDPC AI Advisory Guidelines”), following its public consultation in July 2023.
• The Intellectual Property Office of Singapore (IPOS) issued the IP and Artificial Intelligence Information Note to provide an overview of how AI inventions can receive IP protection.
• The Cybersecurity Agency of Singapore has collaborated with international partners in producing guidance to organisations on how to use AI systems securely – eg, the “Engaging with Artificial Intelligence” publication led by the Australian Signals Directorate, as well as the “Guidelines for secure AI system development” led by the UK National Cyber Security Centre.
• The Monetary Authority of Singapore (MAS) released the Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector for voluntary adoption by firms providing financial products and services.
• The Ministry of Health (MOH), the Health Sciences Authority (HSA) and the Integrated Health Information Systems co-developed the Artificial Intelligence in Healthcare Guidelines in order to set out good practices for AI developers and complement the HSA’s regulation of medical devices incorporating AI technology (AI-MDs).

AI is deployed widely across industries in Singapore, from finance to healthcare to food service in restaurants. The revised NAIS 2.0 encourages AI innovation and adoption across all sectors, with a focus on manufacturing, financial services, transport and logistics, and biomedical sciences.

The IMDA/PDPC have also published a Compendium of AI Use Cases (in two volumes) to demonstrate how the Model Framework’s AI governance principles have been applied by organisations.

Singapore’s government announced during the Budget speech in February 2024 that it will be investing more than SGD1 billion during the next five years to boost its AI computing resources, talent pool and industry development. Some initiatives include investing up to SGD500 million to secure the high-performance compute resources required for running AI systems, as well as more than SGD20 million in the next three years to fund additional SG Digital Scholarships for Singaporeans to pursue AI-related courses in universities and overseas internships.

The government is also helping businesses to adopt AI technology. The IMDA and Enterprise Singapore have launched a sandbox in February 2024 for SMEs to trial generative AI solutions for their businesses (eg, in marketing and sales or customer engagement) over a three-month period, with government funding.

Singapore’s approach to regulating AI is that of “agility”, as set out in its NAIS 2.0. Singapore’s priority is to deepen our understanding of AI and discover and address its potential risks. There is no need for AI-specific legislation for now, as existing laws can cover its use and regulators will issue guidelines to organisations so that they have a clearer picture of how to conduct their affairs.

However, the government will enact legislation if it is necessary to do so, and this will be done “thoughtfully and in concert with others, accounting for the global nature of AI” (NAIS 2.0). The approach is dependent on the nature of the risk to and from AI, where some cases are best settled by voluntary guidelines, and others by legislation.

Singapore’s approach to AI so far has been to issue voluntary guidelines and guidance notes to aid industries in navigating this new technology and set out best practices. Guidelines are suitable for an area in which change is rapid, as they can be amended and issued quickly.

As mentioned in 1.1 General Legal Background, Singapore has not yet enacted legislation that regulates the use of AI in general. However, there is legislation that concerns two specific applications of AI – namely, autonomous vehicles (AVs) (see 14.4 Autonomous Vehicles) and AI-MDs (see 14.3 Healthcare).

Please refer to 1.1 General Legal Background for the key jurisdictional directives.

This is not applicable in Singapore.

In relation to personal data that is used to train AI systems or that is processed by AI systems, Singapore’s Personal Data Protection Act 2012 (for private sector data) will apply, as it is technology-agnostic. The PDPC has also issued its first PDPC AI Advisory Guidelines to set out best practices for organisations developing or deploying AI systems. For more details, please refer to 11.2 Data Protection and Privacy.

In relation to copyright issues arising from the use of data to train AI systems, Singapore has a computational data analysis exception under Section 244 of the Copyright Act 2021, which was introduced after a public consultation in 2019. This is independent of the fair use exception under Section 190 of the Copyright Act 2021. For more details, please refer to 8.2 IP and Generative AI.

There is no AI-specific legislation that is pending enactment in Singapore at present ‒ although this is not something that the authorities are closed-off to, as set out in the NAIS 2.0. Please refer to 3.1 General Approach to AI-Specific Legislation.

Singapore’s Court of Appeal has issued a key decision on the use of deterministic algorithms in contracting. Singapore does not yet have reported decisions on the use of AI and the surrounding IP rights.

In Quoine Pte Ltd v B2C2 Ltd (2020) SGCA(I) 02 (“Quoine”), transactions on Quoine’s cryptocurrency exchange platform were conducted by algorithms for both Quoine and B2C2, with the algorithms giving trading instructions based on observations of market data. Owing to an oversight, Quoine failed to make certain changes to several critical operating systems on its platform, so it could not generate new orders. It is relevant that B2C2 had – back when designing its algorithm – set a virtual price of 10 Bitcoin to 1 Ethereum in the event that there was insufficient market data from Quoine to draw upon in order to price its trades.

Quoine’s oversight sparked off a chain of events that triggered buy orders for Ethereum being placed on behalf of some platform users – at 250 times the going market rate for purchasing Ethereum with Bitcoin – in favour of B2C2. This was the virtual price B2C2 had set to sell its Ethereum.

Quoine cancelled the trades when it realised this and B2C2 sued Quoine as a result. Quoine argued that the contracts were void/voidable for unilateral mistake. It is important to note that all the algorithms functioned as they should and that the cause was actually human error.

The court described a deterministic algorithm as one that “will always produce precisely the same output given the same input”, where it “will do just what it was programmed to do and does not have the capacity to develop its own responses to varying conditions” and “hence, faced with any given set of conditions, it will always respond to that in the same way” (at (15)).

The court held that where contracts are made by way of deterministic algorithms, in order to determine knowledge, the court would refer to the state of mind of the algorithm’s programmers from the time of the programming up to the point that the relevant contract is formed (see (97) to (99)). The court upheld the contract, as it found that the programmer did not have actual or constructive knowledge of Quoine’s mistake, and hence did not unconscionably take advantage of it.

It would be interesting to see whether the same principles would apply in the case of a non-deterministic algorithm, as the outcome may not always be known and the computer could be said to “have a mind of its own” (see (185)), or if there are multiple programmers – given that, in Quoine, the software used by B2C2 was devised almost exclusively by one of the founders.

Although the concept of a “deterministic algorithm” was explored in Quoine (see 4.1 Judicial Decisions), AI was not defined in the case.

All ministries and statutory boards have a part to play in developing Singapore’s use of AI. The following is a non-exhaustive list of key regulatory agencies.

• The Smart Nation and Digital Government Office (SNDGO) is under the Prime Minister’s Office, where it plans and prioritises key national projects and drives the digital transformation of the government. The SNDGO issued the National AI Strategies.
• The Government Technology Agency (“GovTech”) is the implementing arm of the SNDGO, in which it develops products for the public and government, in addition to managing cybersecurity for the government.
• The IMDA regulates the infocommunications and media sectors and drives Singapore’s digital transformation. The PDPC is part of the IMDA, where it implements policies to balance the protection of an individual’s personal data with organisations’ need to use it.
• The IPOS has initiated fast-track programmes for patent protection and copyright protection to support AI innovation.

Other bodies have also been set up that will complement the work of the regulatory agencies.

• The Advisory Council on the Ethical Use of AI and Data – chaired by the former Attorney-General V K Rajah SC and comprising 11 members from diverse industry backgrounds (multinational corporations and local companies, as well as advocates of social and consumer interests) – works with the government on responsible development and deployment of AI, advising on ethical, policy and governance issues.
• AI Singapore, a national programme comprising a partnership between various economic agencies (eg, the IMDA, Enterprise Singapore, and the SNDGO) and academia, was launched in May 2017 to accelerate AI adoption by industry.
• The AI Verify Foundation, a non-profit that is a wholly owned subsidiary of the IMDA, was launched in June 2023 to create a global open source community to contribute to the use and development of AI testing frameworks, code base, standards and best practices. It has more than 100 corporate members ranging from multinational technology companies to banks to e-commerce companies.

The Model Framework (covering traditional AI) defines AI as “a set of technologies that seek to simulate human traits (such as knowledge, reasoning, problem-solving, perception, learning and planning) and, depending on the AI model, produce an output or decision (such as a prediction, recommendation and/or classification)”. The authors have included this definition because the Model Framework applies across all sectors.

The Model Gen-AI Framework defines generative AI as “AI models capable of generating text, images or other media”, which “learn the patterns and structure of their input training data and generate new data with similar characteristics”.

Other documents issued by regulatory agencies also define “artificial intelligence”, “machine learning”, etc. Singapore’s regulatory agencies take a co-ordinated approach towards AI; therefore, if there are any differences in definition across their documents, it will be due to the context in which the term appears.

Generally, all regulatory agencies seek to build public trust in the use of AI in Singapore and minimise the risks posed by AI, including traditional safety risks (such as injury and property damage), loss of privacy, bias, and other ethical concerns. They do this by ensuring that:

• the decision-making process is explainable, transparent and fair when AI is used to make decisions;
• AI solutions are human-centric (ie, promote the well-being and safety of humans); and
• there is accountability for all players in the AI development chain so that they are responsible towards end users.

There is presently no reported enforcement action by regulators concerning the use of AI.

Enterprise Singapore oversees the setting of standards in Singapore through the industry-led Singapore Standards Council.

On 31 January 2019, Enterprise Singapore published a Technical Reference for Autonomous Vehicles, known as “TR 68”. This was born out of a year-long industry-led effort administered by the SSC’s Manufacturing Standards Committee. The TR 68 was intended to set a provisional national standard to guide the industry in the development of fully autonomous vehicles. In 2021, following a review by the Land Transport Authority and the SSC, TR 68 was updated to include guidelines on the application of machine learning, software updates management, cybersecurity principles and testing framework.

The SSC has also published TR 99:2021, which provides guidance for assessing and defending against AI security threats.

Singapore actively participates in standard-setting and norm-shaping processes with key international organisations and standard-setting organisations such as the World Economic Forum, the OECD, the International Organisation for Standardisation (ISO), and the International Electrotechnical Commission (IEC).

AI Singapore (see 5.1 Regulatory Agencies) also actively participates in international standards bodies. In 2019, the AI Technical Committee (AITC) was formed to recommend the adoption of international AI standards for Singapore and support the development of new AI standards. The AITC represents Singapore as a participating member in ISO/IEC JTC 1/SC 42 – the international standards committee responsible for standardisation in the area of AI. To date, the AITC has contributed to the development and publication of two standards:

• ISO/IEC TR 24030:2021 Information Technology – Artificial Intelligence (AI) – Use Cases; and
• Singapore Standards TR 99:2021 Artificial Intelligence (AI) security – Guidance for assessing and defending against AI security threats.

Across the Singapore government, AI solutions are being adopted, including the following.

• The MAS is using machine learning models to analyse market trading data in order to identify potential instances of market collusion or manipulation for further investigations.
• The Singapore Police Force (SPF) is using AI to sieve out material that is likely to be obscene from seized devices to improve the efficiency of investigations.
• The SPF also partnered with the National Crime Prevention Council and GovTech to combat scams through the development of the “Scamshield” application, which uses AI to filter scam messages through the identification of keywords and blocks calls from blacklisted numbers.
• The Land Transport Authority (LTA) uses video analytics and AI to maintain more than 9,500 kilometres of roads more efficiently, thereby saving up to 30% of man-hours needed for detecting road defects. The LTA uses high-speed cameras mounted onto a van to automatically detect and report road defects, which enables targeted and predictive maintenance of roads.

In February 2023, the government announced a pilot project known as “Pair” that integrates ChatGPT into Microsoft Word to assist public officers in their writing and research. Agreements were made to ensure that confidential information would not be available Microsoft and OpenAI. Work that contains highly confidential or sensitive information will also continue to be written exclusively by civil servants as an additional safeguard.

The Singapore courts are unlikely to use AI tools – eg, tools that assess an offender’s risk of recidivism or recommend a sentence – for sentencing within the foreseeable future. The Chief Justice stated at the Sentencing Conference held on 31 October 2022 that the underlying algorithms for such systems were opaque and the data and assumptions that they are built upon could reflect bias. Instead, for greater consistency in sentencing, Singapore will have a Sentencing Advisory Panel that will issue publicly available sentencing guidelines that are persuasive but not binding on the courts.

However, the Singapore courts will use AI to improve access to justice. In September 2023, they signed a memorandum of understanding with Harvey AI, an American start-up, to trial its technology to assist litigants-in-person at the small claims tribunal. The goal is for the AI to give the litigant information on their next steps and what material they need to submit to support their claim.

The Ministry of Defence and the Singapore Armed Forces (SAF) have been exploring the use of AI in military operations to enhance capabilities and stay ahead of potential security threats. One such example is the upgraded command and control information system that helps commanders make faster decisions through displaying a real-time battlefield picture integrated with the best options commanders can take to neutralise the threat.

AI is also being used to enhance the safety of servicemen during training and operations. The SAF Enterprise Safety Information System leverages data science and AI technologies to identify potential risks in operations and recommend pre-emptive action to prevent potential accidents. Additionally, in order to better utilise manpower, the SAF is also conducting trials on the use of AVs in military camps for the unmanned transportation of supplies and personnel.

For the discussion of IP issues, see 8.2 IP on Generative AI, and for data protection issues, see 8.3 Data Protection and Generative AI.

There are three key IP issues arising from the use of generative AI.

Use of Copyrighted Content to Train a Generative AI System

There are no cases brought before the Singapore courts yet. Lawsuits have been filed overseas against LLM providers and text-to-image providers, and the outcomes of these lawsuits will be relevant to Singapore.

In Singapore, under Section 244 of the Copyright Act 2021, making a copy of any copyrighted work is permissible if it is for the purpose of computational data analysis (as defined in Section 243 of the Copyright Act 2021 – eg, using images to train a computer program to recognise images) or preparing the work for computational data analysis, provided that certain conditions are met. Singapore also has the fair use exception under Section 190 of the Copyright Act 2021. Both Sections 190 and 244 of the Copyright Act 2021 have not yet been tested in Singapore courts in the context of training generative AI systems.

Protection of the Output of the Generative AI System Under Copyright and/or Patent Laws

This is a developing area of law both overseas and in Singapore. A report (“When Code Creates: A Landscape Report on Issues at the Intersection of Artificial Intelligence and Intellectual Property Law”), published on 28 February 2024 by IPOS and the Singapore Management University, highlights that there is a spectrum of AI involvement and draws a distinction between “AI-generated” inventions and works (ie, no human intervention) and “AI-assisted” inventions and works (ie, where AI is used as a tool like a paintbrush).

In relation to copyright, the current position under the Copyright Act 2021 is that the author must be a natural person. Hence, whether copyright can subsist in the output of generative AI is likely to depend on two factors:

• the extent to which the human involved in prompting the generative AI exercised creativity in the prompting process and the subsequent editing of the output; and
• the nature of the output of the generative AI (as not all works are by their nature protected by copyright).

In relation to patents, the “inventor” must also be a natural person under Singapore law. As with copyright, the output may be protected depending on the level of involvement of the human who prompted the generative AI.

Liability for Copyright Infringement Resulting from the Output of Generative AI

This is also a developing area of law in Singapore and around the world. Whether or not the use of generative AI’s output can result in a person being liable for copyright infringement if the output is substantially similar to an existing work depends in part on how the Generative AI works – ie, how it is trained and how it produces its output. LLMs such as ChatGPT, for example, generate text based on the statistical probability of one word appearing after another and this may suffice as an explanation for the similarities in the works – although cases running this defence are still making their way through the courts.

In theory, AI image generators also create a new image based on the text prompt received – albeit not by replicating an existing image (or part of it) that it has been trained on. Instead, AI image generators produce their own image based on their own “understanding” of what the “essence” of an object is after being trained on tens of thousands of photographs of the object.

For more details on IP protection of an AI system itself (and not its output), please see 15.1 Applicability of Patent and Copyright Law and 16.2 Applicability of Trade Secret and Similar Protection.

The Personal Data Protection Act 2012 (PDPA) applies to the collection, use and disclosure of personal data by organisations. Organisations may only collect, use and disclose personal data “for purposes that a reasonable person would consider appropriate in the circumstances” (Section 3). For the legal bases for the collection, use and disclosure of personal data (eg, consent and other bases), please see 11.2 Data Protection and Privacy.

A data subject has the right to access their personal data held by an organisation (Section 21; subject to certain exceptions), as well as request that an organisation corrects an error or omission in the personal data about them that is in the possession or under the control of the organisation (Section 22; subject to certain exceptions). At the same time, an organisation also has a duty to “make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates” (Section 23).

However, when it comes to the output of generative AI, which may make false factual claims about an individual, there are no reported cases locally yet. Regulators are working to address the risk of “hallucinations” (whereby false information is given by a generative AI system) and the Model Gen-AI Framework recommends techniques such as Retrieval-Augmented Generation and few-shot learning to reduce hallucinations and improve the accuracy of output.

It remains to be seen if courts or regulators in Singapore will order deletion of the entire AI model or cease the use of such AI model if it is trained on illegally obtained personal data. However, given that there have been reported instances of this in other jurisdictions, the authors cannot rule out such a response locally if the situation warrants it. 

Law firms in Singapore are using AI for document review, for due diligence processes in M&A transactions, and to summarise contractual documents – to name just a few uses.

Singapore’s Chief Justice Sundaresh Menon has shared his views (at the Litigation Conference held on 3 April 2024) on how AI will reshape the legal profession: automation of routine legal tasks will reduce the demand for junior lawyers and paralegals, but at the same time increase the demand for legally trained persons with an expertise in technology to develop AI tools for legal work. The legal profession will have to learn and adapt to using such AI tools ‒ for example, how to engineer prompts for the AI system to produce the most relevant and useful output. Legal professionals must also uphold their professional responsibilities when using AI tools, such as by verifying the accuracy of AI-generated output and ensuring that confidential client information is not included in prompts to public generative AI tools.

Where the use of AI gives rise to personal injury, property damage or financial loss, the claimant can seek a remedy in tort (negligence) or contract. Singapore does not have product liability laws like those in the UK or the EU. Instead, remedies are available under statutes such as the Unfair Contract Terms Act 1977 and the Sale of Goods Act 1979, as well as specific legislation (eg, the HPA) and the common law (contract and tort).

Singapore has not amended its laws to provide for any special rules concerning liability arising from the use of AI. As yet, there have been no cases in court involving damages due to AI not performing as expected.

The authors are of the view that there are three features of AI that may affect the application of conventional principles of liability, as follows.

• AI is a “black box” – it is not always possible to explain how or why an AI system reached a particular outcome and the type of model chosen affects how easily its workings can be explained.
• AI is self-learning/autonomous – it has the ability to learn from the data it has been exposed to during its training and improve without being explicitly programmed, meaning the behaviour of the AI system is not always foreseeable.
• AI has many people involved in its development – from procuring the datasets, to training the algorithm, to selecting the algorithm, to monitoring the performance of the algorithm. So who is to blame when the AI output is not as expected or if it causes harm?

Fault-Based Liability (Negligence)

Negligence requires that someone owes a duty of care, that there is breach of such duty (falling below the standard of care), and that the breach caused the loss. Owing to the nature of AI, where many people are involved in its development, the plaintiff might find it difficult to identify the party at fault and the identified party could try to push the blame to a party upstream or downstream in the AI life cycle. However, the Model Gen-AI Framework suggests that liability could be allocated based on the level of control that each stakeholder has in the AI development chain.

Next comes the requirement to prove breach of the standard of care. However, if the opacity of AI makes it impossible to explain why it reached an outcome, then it may be difficult to prove that the behaviour of the AI was due to a defect in the code (rather than any other reason). As the use of AI is developing, it is not clear what standard of care will apply either. Furthermore, even where there is a human in the loop to review the outcome of the AI system, the human will not be able to determine whether the AI is making an error in time to prevent it if the AI is meant to exceed human capabilities.

Finally, there is a requirement to show that the breach caused the loss. Even though it could be argued that the autonomous nature of AI breaks the chain of causation, such an argument is unlikely to be accepted on public policy grounds. In contrast with the EU’s new AI Liability Directive, Singapore has not introduced any laws that introduce a rebuttable presumption of causality between the defendant’s fault and the damage resulting from the AI system’s output (or failure to produce one).

Contract Liability

With a contract, parties negotiate to pre-allocate the risk, so this may resolve some of the issues faced in tort of who is the responsible party. However, establishing whether there is a breach will depend on what parties have agreed to in the contract – for example, whether there are specific, measurable standards the AI system must meet. The Sale of Goods Act 1979 (which provides for an implied condition that goods supplied under the contract are of satisfactory quality) will only apply to the extent that the AI system is a good if it is not embedded in hardware such as a physical disc.

Liability Independent of Fault (Strict Liability/Product Liability)

As mentioned previously, Singapore does not have product liability laws like those in the UK/EU. Nevertheless, the Singapore Academy of Law’s Law Reform Committee considered the application of those laws in its Report on the Attribution of Civil Liability for Accidents Involving Autonomous Cars (published September 2020) and found that product liability presents the same difficulties as negligence because the claimant generally still has to show some fault on the manufacturer’s part (ie, prove there is a “defect” with the software) (see (5.17)–(5.18) of the Report).

Whether there will be strict liability imposed for damage arising from the use of AI remains to be seen, as policymakers must strike a balance between ensuring that innovation is not stifled and obtaining a remedy with ease.

At present, there are no proposed regulations regarding the imposition and allocation of liability for the use of AI.

The Singapore Academy of Law’s Law Reform Committee has issued two reports that make recommendations on the application of the law to robotic and AI systems in Singapore, namely:

• Criminal Liability, Robotics and AI Systems (February 2021); and
• The Attribution of Civil Liability for Accidents Involving Autonomous Cars (September 2020).

The Model Framework highlights the risk of “bias” in the data used to train the AI model and proposes some solutions to minimise it. The IMDA/PDPC acknowledge the reality that virtually no dataset is completely unbiased; however, where organisations are aware of this possibility, it is more likely that they can take steps to mitigate it. Organisations are encouraged to collect data from a variety of reliable sources and to ensure that the dataset is as complete as possible. It is noted that premature removal of data attributes may make it difficult to identify inherent biases in the data.

In addition, the model should be tested on different demographic groups to see if any groups are being systematically advantaged or disadvantaged. Running through the questions in the ISAGO or AI Verify will also help organisations to reduce bias in the AI development process. In relation to LLMs, the IMDA’s October 2023 paper on “Cataloguing LLM Evaluations” sets out recommended evaluation and testing approaches for bias.

There have not been any reported regulatory actions or judicial decisions with regard to algorithmic bias in Singapore.

The collection, use and disclosure of personal data in Singapore is subject to the PDPA. The PDPC has also issued its AI Advisory Guidelines in March 2024.

Legal Bases for the Collection, Use or Disclosure of Personal Data

The use of AI to process personal data is prevalent because AI can generate many useful insights from data. However, regardless of whether AI technology is used in relation to the data, there first and foremost must be a legal basis for the collection, use or disclosure of personal data.

Consent is one of the bases but has its limitations, including an individual’s right to withdraw consent to their data being used or the requirement to notify the individual of a new purpose for the use of their personal data if no such consent was sought before.

Therefore, other relevant bases for the collection, use or disclosure of personal data are:

• general legitimate purposes, provided that certain conditions are met, such as:
1. identifying and articulating the legitimate interest;
2. conducting a data protection impact assessment; and
3. disclosing to the individual reliance on the legitimate interests exception;
• for the purpose of entering, managing or terminating an employment relationship with an individual, provided that the individual is notified of the purposes of such collection, use or disclosure; and
• business improvement purposes – for example, improving and enhancing any goods or services provided, or developing new goods or services, or learning or understanding the behaviour and preferences of individuals in relation to providing goods and services – provided certain conditions are met, such as:
1. the organisation is of the view that the purposes cannot reasonably be achieved without using the personal data in an individually identifiable form; and
2. the purpose would be considered appropriate in the circumstances by a reasonable person.

Anonymised Data

The PDPC encourages organisations to use anonymised data when developing, testing and monitoring AI systems as much as possible. Anonymised data is not considered personal data for the purposes of the PDPA. However, there is always a risk of re-identification in combination with other data about the individual – especially where AI makes connections between different datasets and creates a profile about the person, whereby the data that is anonymised now becomes personal data subject to the PDPA.

Generally, biometric data such as fingerprints and likeness – when associated with other information about an individual – will form personal data under the PDPA. As such, any organisation that collects, uses or discloses such data will be subject to the obligations under the PDPA.

The PDPC has released the Guide on Responsible Use of Biometric Data in Security Applications. This guide specifically addresses the use of biometric data in relation to security cameras and CCTVs for security monitoring and facial or fingerprint recognition systems for security purposes to control movement in and out of premises. It highlights certain risks of using such data and measures that organisations may implement to mitigate the risks.

First, there is a risk of identity spoofing where a synthetic object (such as a 3D mask) is used to fake the physical characteristics of the individual in order to obtain a positive match in the system. Organisations should thus consider implementing anti-spoofing measures such as liveliness detection or installing such biometric systems near a manned security post.

Second, there is a risk of error in identification through false negatives or false positives. This may occur when the threshold for matching is set either too high or too low and the system fails or wrongly identifies a person. Organisations should thus implement a reasonable matching threshold, taking into account industry practice, and/or have additional factors of authentication to complement the existing matching thresholds.

Finally, there are systemic risks to biometric templates where the uniqueness of a biometric template may be diluted (and thus vulnerable to adversaries) if the algorithm used to create the template is used multiple times by the service provider across different sets of customers. Organisations should consider encrypting the biometric template in the database or use customised algorithms.

The Model Framework encourages organisations to consider the appropriate level of human oversight in AI-augmented decision-making. Broadly speaking, there are three degrees of human oversight:

• human-in-the-loop – the human is in full control and the AI only provides a recommendation;
• human-out-of-the loop – there is no human oversight and the AI is in full control; and
• human-over-the-loop – the human is monitoring or supervising the output and can take control in the event of unexpected or unusual cases.

In determining the level of human involvement required, the Model Framework sets out the following factors:

• probability of the harm occurring (high/low);
• severity of the harm occurring (high/low) – for example, the impact of wrong medical diagnosis compared with the consequences of shopping recommendations;
• nature of the harm (whether physical or intangible in nature);
• reversibility of the harm, including the avenues for recourse of the individual; and
• whether it is feasible or meaningful for a human to be involved at all (human involvement is not feasible in high-speed financial trading as per the case of Quoine).

Lastly, the Model Framework encourages organisations to disclose their use of AI so that persons are aware that they are interacting with it and, in particular, to:

• explain how AI is used in the decision-making process and what factors are taken into account in making the decision;
• offer an option to opt out from the use of AI, if it is feasible to so; and
• allow affected persons to appeal against an AI decision that materially affects them ‒ the person should be given enough information about the reasons for the previous decision so that the person can effectively craft their appeal.

To build trust in the use of AI, the Model Framework encourages organisations to ensure that consumers are aware that they are interacting with AI (whether in the case of chatbots or other technologies that are a substitute for services rendered by natural persons). For more details on disclosures, see 11.4 Automated Decision-Making.

Singapore has also stated (in the ASEAN Guide on AI Governance and Ethics) that AI systems should not be used to manipulate consumer behaviour ‒ namely, that “AI systems should not be used for malicious purposes or to sway or deceive users into making decisions that are not beneficial to them or society”.

Pricing algorithms range from those that monitor and extrapolate trends in prices in the market to those that can weigh information such as supply and demand, customer profile and competitor’s pricing in order to make real-time adjustment to prices. Such algorithms raise three key issues of concern when it comes to competition law.

Algorithmic Collusion

The individual use of a pricing algorithm does not fall foul of competition law. However, where organisations have an explicit agreement to collude and use pricing software to implement their agreement, the Competition and Consumer Commission of Singapore (CCCS) has unequivocally stated that this will contravene Section 34 of the Competition Act 2004 as an agreement that prevents, restricts or distorts competition.

If organisations use a distinct algorithm with no prior or ongoing communication, but achieve an alignment of market behaviour, the CCCS will take a fact-centric approach to determine whether the collusive outcomes can be attributed to the organisations.

Personalised Pricing

Where an organisation with a dominant position in the market utilises AI to implement personalised pricing, it may be deemed an exclusionary abuse of dominance and infringe Section 47 of the Competition Act 2004. Specifically, if personalised pricing is used to set discounts that foreclose all or a substantial part of a market, the CCCS may find that the organisation has abused its dominance in the market.

Liability Where AI Learns Collusive Behaviour

If an AI system autonomously learns and implements collusive behaviour, the CCCS is unlikely to find no fault on the part of the organisation that deploys the AI system. Although it is non-binding, the Model Framework states that organisations should be able to explain decisions made by AI. Accordingly, organisations are unlikely to be able to disclaim responsibility for the decisions made by the AI they deploy.

The ASEAN Guide on AI Governance and Ethics recommends that deployers who procure AI systems from third-party developers should “appropriately govern their relationships with these developers through contracts that allocate liability in a manner agreed between parties”. The deployer should also require the developer to assist it in meeting its transparency and explainability obligations to both customers and regulators. The ASEAN Guide on AI Governance and Ethics also recommends that deployers and developers collaborate to conduct joint audits and assessments of the AI system, and testing frameworks such as Singapore’s AI Verify may be used for this purpose.

AI can be used to screen CVs and identify select candidates to move to the next round, thereby making the hiring process more efficient. However, an AI system is only as good as the humans who programmed it, and it is also susceptible to biases in the data it is trained on – for example, the training data may be weighted heavily in favour of one gender for a role.

The Tripartite Guidelines on Fair Employment Practices set out fair employment practices for employers to abide by. Employees must be selected on the basis of merit (ie, skills and experience), regardless of their age, race, gender, religion, marital status and family responsibilities, or disability. Therefore, automated employment screening tools must not take into account such characteristics (with the exception of gender where it is a practical requirement of the job – for example, hiring a female masseuse to do spa treatments for female customers).

The Ministry of Manpower can take action against employers who do not follow the Tripartite Guidelines by curtailing their work pass privileges, such that they may not apply for new work passes or renew the work passes of their existing employees. Singapore intends to introduce workplace fairness legislation in the second half of 2024, so as to complement the existing Tripartite Guidelines.

Although organisations will require consent to collect, use or disclose such personal data, organisations may also rely on two exceptions under the PDPA to do so without obtaining consent from the individual. However, the organisation must still act based on what a reasonable person considers appropriate in the circumstances — it does not have carte blanche to collect every single piece of personal data about an employee through its employee monitoring software. This is because the employer’s monitoring of the employee’s email account, internet browsing history, etc, can reveal very private information about the employee, including private medical information that may not be relevant to the employee’s workplace performance.

The first exception is where the collection, use or disclosure of personal data is for the purpose of managing or terminating an employment relationship between the organisation and the individual. However, to rely on this exception, the organisation must inform its employees of the purposes of such collection, use or disclosure ‒ for example, through the employment contract or employee handbooks. The second exception is where the collection, use or disclosure of personal data about an individual is necessary for evaluative purposes (ie, for determining the suitability or eligibility of the individual for employment, promotion, or continuance in employment).

Although consent may not be needed to collect such data, organisations should be aware that other obligations under the PDPA – for example, the protection obligation to prevent unauthorised access to the data – continue to apply.

A Parliamentary question of 12 September 2022 concerned whether the government will:

• consider regulating platform companies to ensure they do not encourage excessive risk-taking (eg, taking on too many jobs in an hour or riding during dangerous weather) by the workers to fulfil orders; and
• study the AI and algorithms of such companies to ensure this is not the case.

The Ministry of Manpower (MOM) responded that it will be “cautious” about regulating the incentives and algorithms of such companies. The MOM would resolve the issue through discussions with tripartite partners and strengthening protections for workers, “rather than jump to regulation and risk over-regulation”.

The government has since accepted the recommendations of the Advisory Committee on Platform Workers in November 2022, thereby strengthening protections for platform workers in terms of financial protection in case of work injury, improving housing and retirement adequacy, and enhancing representation for such workers. A legislative framework and other policies will be introduced in the second half of 2024.

Firms that use AI and data analytics to offer financial products and services should reference the Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector, which was published by the MAS in 2018. The principles align with the Model Framework and are voluntary; financial services companies must continue to comply with all other applicable laws and requirements.

The MAS also leads an industry consortium (“Veritas”) that creates frameworks for financial institutions to assess their use of Artificial Intelligence and Data Analytics (AIDA) solutions against the FEAT principles. The White Papers arising from each phase of Veritas (there have been three phases to date since 2019) are published on the MAS website.

Digital advisers (or robo-advisers) are automated, algorithm-based tools with limited or no human adviser interaction. Where such tools are used to provide advice on investment products, the MAS Guidelines on Provision of Digital Advisory Services state that they should minimally provide the client with the following information:

• assumptions, limitations and risks of the algorithms;
• circumstances under which the digital advisers may override the algorithms or temporarily halt the digital advisory service; and
• any material adjustments to the algorithms.

As mentioned in 1.1 General Legal Background, the HPA requires medical devices to be registered. AI-MDs are a type of “medical device” (as defined in the HPA) – hence they must be registered – and they are subject to further requirements for registration by the HSA’s Regulatory Guidelines for Software Medical Devices. Under those Guidelines, additional information must be submitted when registering the AI-MD – for example, information on the datasets used for training and testing and a description of the machine-learning model that is used in the AI-MD.

However, when it comes to liability for errors made by an AI-MD or by any other AI application, there are no judicial decisions yet as to who is liable (or jointly liable) for the error – ie, whether the hospital, doctor, developer of the AI system, etc, is liable.

Singapore’s Road Traffic Act 1961 provides a regulatory sandbox for the use and testing of AVs – see Sections 2(1), 6C, 6D and 6E, and the Road Traffic (Autonomous Motor Vehicles) Rules 2017 (“the Rules”). The Rules prohibit the trial or use of an AV without authorisation and, among other things, set out:

• the application process for authorisation;
• the conditions of authorisation (eg, requiring a qualified safety driver to be seated in the AV to monitor its operation and take over if necessary);
• that a data recorder must be installed in the AV;
• that there must be liability insurance or security in lieu of liability insurance; and
• that any incident or accident involving the AV must be reported to the Land Transport Authority.

When asked about liability for AV accidents in 2017, the then-Second Minister for Transport responded: “The traditional basis of claims for negligence may not work so well where there is no driver in control of a vehicle. When presented with novel technologies, courts often try to draw analogies to legal constructs in other existing technologies. In the case of AVs, the courts have autopilot systems for airplanes, autopilot navigational systems for maritime vessels, and product liability law to draw references from. As with accidents involving human-driven vehicles, it is likely that issues of liability for AVs will be resolved through proof of fault and existing common law.”

Please see 10.1 Theories of Liability, which sets out potential remedies when AI systems do not function as intended or cause harm.

Please see 9.1 AI in the Legal Profession and Ethical Considerations, where the issues across professional services are similar. Professionals must be mindful of the risks and limitations of AI and take steps to verify the accuracy of the output, critically analyse it for bias, and ensure that confidential client data is not input into an AI system where it can be accessed by unauthorised third parties.

In terms of liability, a person cannot delegate their professional responsibility (eg, a duty to provide correct information) to an AI system. Hence, if they were to rely on the output of an AI system, they would ultimately remain responsible for it.

Protecting AI Innovations Through Patent

Under Section 13 of the Patents Act 1994, an invention must fulfil the following three conditions to be patentable:

• the invention must be new;
• the invention must involve an inventive step; and
• the invention must be capable of industrial application.

However, not all inventions are eligible for patent protection (even if they meet the three conditions). The Examination Guidelines for Patent Applications of the IPOS are instructive. Neural networks, support vector machines, discriminant analysis, decision trees, k-means and other such computational models and algorithms applied in machine learning are mathematical methods in themselves and are thus not considered to be inventions by the IPOS.

However, where the claimed subject matter relates to the application of a machine-learning method to solve a specific (as opposed to a generic) problem, this could be regarded as an invention because the actual contribution of the claimed subject matter goes beyond the underlying mathematical method. Solving a generic problem by using the method to control a system, for example, is unlikely to cross the threshold. The application must be a specific one, such as using the method to control the navigation of an AV.

Protecting AI Innovations Through Copyright

Source codes and AI algorithms are protected by copyright.

Protecting Output Generated by AI

The extent to which copyright and/or patent laws protect the output of generative AI systems is discussed in 8.2 IP and Generative AI.

AI innovations may also be protected under the law of confidence, as set out in the IPOS’ IP and Artificial Intelligence Information Note. Generally, confidential information refers to non-trivial, technical, commercial or personal information that is not known to the public, whereas trade secrets usually describe such information with commercial value.

Information will possess the quality of confidence if it remains relatively secret or inaccessible to the public in comparison with information already in the public domain. Therefore, it is important to secure the confidential information by implementing non-disclosure agreements, encrypting materials, and classifying information so as to limit access to only select groups of people.

However, it is not possible to protect an AI innovation under both patent and the law of confidence because the former requires public disclosure, which destroys the quality of confidence. Therefore, when deciding which regime to use to protect their work, AI innovators should consider whether the invention constitutes patentable subject matter and if the invention is likely to be made public soon or can be easily derived by others through reverse engineering.

See the issues outlined in 8.2 IP and Generative AI.

See the issues outlined in 8.2 IP and Generative AI.

When deploying AI solutions, an organisation should adopt the good governance measures set out by the Model Framework in the following four key areas.

Internal Governance Structures and Measures

All personnel involved in the development of an AI solution should have clear roles and responsibilities, as well as sufficient expertise, resources and training to discharge their duties. A co-ordinating body should be drawn from across the organisation if necessary. The organisation should also establish a monitoring and reporting system to ensure that the appropriate level of management is aware of the performance of the AI solution.

Determining the Level of Human Involvement in AI-Augmented Decision-Making

The level of human oversight in AI-augmented decision-making will depend on how the balance is struck between the commercial objectives/advantages of using AI and the risks of using AI. For more details, please see 11.4 Automated Decision-Making.

Operations Management

As the effectiveness of an AI system is dependent on the data it is trained on, good data accountability practices should be implemented – such as understanding the lineage of the data used, ensuring its accuracy, minimising any inherent bias in the datasets, and periodically reviewing and updating the datasets.

The organisation also needs to document the process of creating the AI system, from the reasons behind decisions such as choosing the datasets for training the model (and why a particular model was selected) to the measures taken to address identified risks. In the event the AI system does not perform as expected, the organisation can then look back on its records to troubleshoot and also defend against liability.

Stakeholder Interaction and Communication

The organisation should consider how to build consumers’ trust in its use of AI. Such steps would include disclosing the use of AI in the product/service provided, explaining its benefits and risks to the consumer, and maintaining open channels of communication for consumers to raise feedback/queries or apply for a review of a decision made by the AI system.

With the abundance of AI guidelines and frameworks introduced across jurisdictions, it can be difficult for organisations to pick one to start with, especially if they intend to deploy their AI solution across multiple jurisdictions. Nevertheless, it is good to take one framework as a starting point or baseline and make improvements/adjustments from there, incorporating recommended actions from other jurisdictions that may not be found locally. Singapore’s ISAGO is useful for both developers and deployers of AI solutions (albeit more for deployers), and it is broadly aligned to the AI governance frameworks in key AI jurisdictions. Organisations may also assess their systems with AI Verify (although the ISAGO is simpler, as it is a checklist with no technical tests).

Organisations should also create a generative AI use policy to set common expectations across employees on how they may use (or not use) generative AI tools such as ChatGPT. The policy can give examples of acceptable and unacceptable prompts for clarity.