Singapore unveiled its first National AI strategy in 2019, with the aim of becoming a leader in developing and deploying scalable, impactful AI solutions in key sectors of high value and relevance to citizens and businesses by 2030. With AI going “mainstream” with the release of ChatGPT by OpenAI in November 2022, Singapore’s National AI Strategy was updated in December 2023 (the “NAIS 2.0”), with AI now positioned as a necessity that people “must know”, rather than just “good to have”. Singapore will also take a global approach to AI, in terms of co-operating both to innovate and also to overcome the challenges brought about by AI (eg, energy, data and ethics).
Singapore has not enacted any laws concerning the use of AI in general. However, the following laws address specific applications of AI, which are detailed further in 3.2 Jurisdictional Law.
Organisations must comply with relevant laws when deploying AI technology – for example, laws relating to safety, personal data protection and fair competition. Where the use of AI results in harm, existing legal principles (such as tort liability and contractual liability) will still apply.
Singapore also has a set of voluntary guidelines in place for both traditional/predictive AI (which makes predictions based on historical data instead of creating new content) and generative AI, as follows.
For traditional/predictive AI:
For generative AI:
Regulators also issue guidance notes to organisations, such as the following ‒ of which, the first three are for general application, and the final two apply to specific industries.
AI is deployed widely across industries in Singapore, from finance to healthcare to food service in restaurants. The revised NAIS 2.0 encourages AI innovation and adoption across all sectors, with a focus on manufacturing, financial services, transport and logistics, and biomedical sciences.
The IMDA/PDPC have also published a Compendium of AI Use Cases (in two volumes) to demonstrate how the Model Framework’s AI governance principles have been applied by organisations.
Singapore’s government announced during the Budget speech in February 2024 that it will be investing more than SGD1 billion during the next five years to boost its AI computing resources, talent pool and industry development. Some initiatives include investing up to SGD500 million to secure the high-performance compute resources required for running AI systems, as well as more than SGD20 million in the next three years to fund additional SG Digital Scholarships for Singaporeans to pursue AI-related courses in universities and overseas internships.
The government is also helping businesses to adopt AI technology. The IMDA and Enterprise Singapore have launched a sandbox in February 2024 for SMEs to trial generative AI solutions for their businesses (eg, in marketing and sales or customer engagement) over a three-month period, with government funding.
Singapore’s approach to regulating AI is that of “agility”, as set out in its NAIS 2.0. Singapore’s priority is to deepen our understanding of AI and discover and address its potential risks. There is no need for AI-specific legislation for now, as existing laws can cover its use and regulators will issue guidelines to organisations so that they have a clearer picture of how to conduct their affairs.
However, the government will enact legislation if it is necessary to do so, and this will be done “thoughtfully and in concert with others, accounting for the global nature of AI” (NAIS 2.0). The approach is dependent on the nature of the risk to and from AI, where some cases are best settled by voluntary guidelines, and others by legislation.
Singapore’s approach to AI so far has been to issue voluntary guidelines and guidance notes to aid industries in navigating this new technology and set out best practices. Guidelines are suitable for an area in which change is rapid, as they can be amended and issued quickly.
As mentioned in 1.1 General Legal Background, Singapore has not yet enacted legislation that regulates the use of AI in general. However, there is legislation that concerns two specific applications of AI – namely, autonomous vehicles (AVs) (see 14.4 Autonomous Vehicles) and AI-MDs (see 14.3 Healthcare).
Please refer to 1.1 General Legal Background for the key jurisdictional directives.
This is not applicable in Singapore.
This is not applicable in Singapore.
This is not applicable in Singapore.
In relation to personal data that is used to train AI systems or that is processed by AI systems, Singapore’s Personal Data Protection Act 2012 (for private sector data) will apply, as it is technology-agnostic. The PDPC has also issued its first PDPC AI Advisory Guidelines to set out best practices for organisations developing or deploying AI systems. For more details, please refer to 11.2 Data Protection and Privacy.
In relation to copyright issues arising from the use of data to train AI systems, Singapore has a computational data analysis exception under Section 244 of the Copyright Act 2021, which was introduced after a public consultation in 2019. This is independent of the fair use exception under Section 190 of the Copyright Act 2021. For more details, please refer to 8.2 IP and Generative AI.
There is no AI-specific legislation that is pending enactment in Singapore at present ‒ although this is not something that the authorities are closed-off to, as set out in the NAIS 2.0. Please refer to 3.1 General Approach to AI-Specific Legislation.
Singapore’s Court of Appeal has issued a key decision on the use of deterministic algorithms in contracting. Singapore does not yet have reported decisions on the use of AI and the surrounding IP rights.
In Quoine Pte Ltd v B2C2 Ltd (2020) SGCA(I) 02 (“Quoine”), transactions on Quoine’s cryptocurrency exchange platform were conducted by algorithms for both Quoine and B2C2, with the algorithms giving trading instructions based on observations of market data. Owing to an oversight, Quoine failed to make certain changes to several critical operating systems on its platform, so it could not generate new orders. It is relevant that B2C2 had – back when designing its algorithm – set a virtual price of 10 Bitcoin to 1 Ethereum in the event that there was insufficient market data from Quoine to draw upon in order to price its trades.
Quoine’s oversight sparked off a chain of events that triggered buy orders for Ethereum being placed on behalf of some platform users – at 250 times the going market rate for purchasing Ethereum with Bitcoin – in favour of B2C2. This was the virtual price B2C2 had set to sell its Ethereum.
Quoine cancelled the trades when it realised this and B2C2 sued Quoine as a result. Quoine argued that the contracts were void/voidable for unilateral mistake. It is important to note that all the algorithms functioned as they should and that the cause was actually human error.
The court described a deterministic algorithm as one that “will always produce precisely the same output given the same input”, where it “will do just what it was programmed to do and does not have the capacity to develop its own responses to varying conditions” and “hence, faced with any given set of conditions, it will always respond to that in the same way” (at (15)).
The court held that where contracts are made by way of deterministic algorithms, in order to determine knowledge, the court would refer to the state of mind of the algorithm’s programmers from the time of the programming up to the point that the relevant contract is formed (see (97) to (99)). The court upheld the contract, as it found that the programmer did not have actual or constructive knowledge of Quoine’s mistake, and hence did not unconscionably take advantage of it.
It would be interesting to see whether the same principles would apply in the case of a non-deterministic algorithm, as the outcome may not always be known and the computer could be said to “have a mind of its own” (see (185)), or if there are multiple programmers – given that, in Quoine, the software used by B2C2 was devised almost exclusively by one of the founders.
Although the concept of a “deterministic algorithm” was explored in Quoine (see 4.1 Judicial Decisions), AI was not defined in the case.
All ministries and statutory boards have a part to play in developing Singapore’s use of AI. The following is a non-exhaustive list of key regulatory agencies.
Other bodies have also been set up that will complement the work of the regulatory agencies.
The Model Framework (covering traditional AI) defines AI as “a set of technologies that seek to simulate human traits (such as knowledge, reasoning, problem-solving, perception, learning and planning) and, depending on the AI model, produce an output or decision (such as a prediction, recommendation and/or classification)”. The authors have included this definition because the Model Framework applies across all sectors.
The Model Gen-AI Framework defines generative AI as “AI models capable of generating text, images or other media”, which “learn the patterns and structure of their input training data and generate new data with similar characteristics”.
Other documents issued by regulatory agencies also define “artificial intelligence”, “machine learning”, etc. Singapore’s regulatory agencies take a co-ordinated approach towards AI; therefore, if there are any differences in definition across their documents, it will be due to the context in which the term appears.
Generally, all regulatory agencies seek to build public trust in the use of AI in Singapore and minimise the risks posed by AI, including traditional safety risks (such as injury and property damage), loss of privacy, bias, and other ethical concerns. They do this by ensuring that:
There is presently no reported enforcement action by regulators concerning the use of AI.
Enterprise Singapore oversees the setting of standards in Singapore through the industry-led Singapore Standards Council.
On 31 January 2019, Enterprise Singapore published a Technical Reference for Autonomous Vehicles, known as “TR 68”. This was born out of a year-long industry-led effort administered by the SSC’s Manufacturing Standards Committee. The TR 68 was intended to set a provisional national standard to guide the industry in the development of fully autonomous vehicles. In 2021, following a review by the Land Transport Authority and the SSC, TR 68 was updated to include guidelines on the application of machine learning, software updates management, cybersecurity principles and testing framework.
The SSC has also published TR 99:2021, which provides guidance for assessing and defending against AI security threats.
Singapore actively participates in standard-setting and norm-shaping processes with key international organisations and standard-setting organisations such as the World Economic Forum, the OECD, the International Organisation for Standardisation (ISO), and the International Electrotechnical Commission (IEC).
AI Singapore (see 5.1 Regulatory Agencies) also actively participates in international standards bodies. In 2019, the AI Technical Committee (AITC) was formed to recommend the adoption of international AI standards for Singapore and support the development of new AI standards. The AITC represents Singapore as a participating member in ISO/IEC JTC 1/SC 42 – the international standards committee responsible for standardisation in the area of AI. To date, the AITC has contributed to the development and publication of two standards:
Across the Singapore government, AI solutions are being adopted, including the following.
In February 2023, the government announced a pilot project known as “Pair” that integrates ChatGPT into Microsoft Word to assist public officers in their writing and research. Agreements were made to ensure that confidential information would not be available Microsoft and OpenAI. Work that contains highly confidential or sensitive information will also continue to be written exclusively by civil servants as an additional safeguard.
The Singapore courts are unlikely to use AI tools – eg, tools that assess an offender’s risk of recidivism or recommend a sentence – for sentencing within the foreseeable future. The Chief Justice stated at the Sentencing Conference held on 31 October 2022 that the underlying algorithms for such systems were opaque and the data and assumptions that they are built upon could reflect bias. Instead, for greater consistency in sentencing, Singapore will have a Sentencing Advisory Panel that will issue publicly available sentencing guidelines that are persuasive but not binding on the courts.
However, the Singapore courts will use AI to improve access to justice. In September 2023, they signed a memorandum of understanding with Harvey AI, an American start-up, to trial its technology to assist litigants-in-person at the small claims tribunal. The goal is for the AI to give the litigant information on their next steps and what material they need to submit to support their claim.
The Ministry of Defence and the Singapore Armed Forces (SAF) have been exploring the use of AI in military operations to enhance capabilities and stay ahead of potential security threats. One such example is the upgraded command and control information system that helps commanders make faster decisions through displaying a real-time battlefield picture integrated with the best options commanders can take to neutralise the threat.
AI is also being used to enhance the safety of servicemen during training and operations. The SAF Enterprise Safety Information System leverages data science and AI technologies to identify potential risks in operations and recommend pre-emptive action to prevent potential accidents. Additionally, in order to better utilise manpower, the SAF is also conducting trials on the use of AVs in military camps for the unmanned transportation of supplies and personnel.
For the discussion of IP issues, see 8.2 IP on Generative AI, and for data protection issues, see 8.3 Data Protection and Generative AI.
There are three key IP issues arising from the use of generative AI.
Use of Copyrighted Content to Train a Generative AI System
There are no cases brought before the Singapore courts yet. Lawsuits have been filed overseas against LLM providers and text-to-image providers, and the outcomes of these lawsuits will be relevant to Singapore.
In Singapore, under Section 244 of the Copyright Act 2021, making a copy of any copyrighted work is permissible if it is for the purpose of computational data analysis (as defined in Section 243 of the Copyright Act 2021 – eg, using images to train a computer program to recognise images) or preparing the work for computational data analysis, provided that certain conditions are met. Singapore also has the fair use exception under Section 190 of the Copyright Act 2021. Both Sections 190 and 244 of the Copyright Act 2021 have not yet been tested in Singapore courts in the context of training generative AI systems.
Protection of the Output of the Generative AI System Under Copyright and/or Patent Laws
This is a developing area of law both overseas and in Singapore. A report (“When Code Creates: A Landscape Report on Issues at the Intersection of Artificial Intelligence and Intellectual Property Law”), published on 28 February 2024 by IPOS and the Singapore Management University, highlights that there is a spectrum of AI involvement and draws a distinction between “AI-generated” inventions and works (ie, no human intervention) and “AI-assisted” inventions and works (ie, where AI is used as a tool like a paintbrush).
In relation to copyright, the current position under the Copyright Act 2021 is that the author must be a natural person. Hence, whether copyright can subsist in the output of generative AI is likely to depend on two factors:
In relation to patents, the “inventor” must also be a natural person under Singapore law. As with copyright, the output may be protected depending on the level of involvement of the human who prompted the generative AI.
Liability for Copyright Infringement Resulting from the Output of Generative AI
This is also a developing area of law in Singapore and around the world. Whether or not the use of generative AI’s output can result in a person being liable for copyright infringement if the output is substantially similar to an existing work depends in part on how the Generative AI works – ie, how it is trained and how it produces its output. LLMs such as ChatGPT, for example, generate text based on the statistical probability of one word appearing after another and this may suffice as an explanation for the similarities in the works – although cases running this defence are still making their way through the courts.
In theory, AI image generators also create a new image based on the text prompt received – albeit not by replicating an existing image (or part of it) that it has been trained on. Instead, AI image generators produce their own image based on their own “understanding” of what the “essence” of an object is after being trained on tens of thousands of photographs of the object.
For more details on IP protection of an AI system itself (and not its output), please see 15.1 Applicability of Patent and Copyright Law and 16.2 Applicability of Trade Secret and Similar Protection.
The Personal Data Protection Act 2012 (PDPA) applies to the collection, use and disclosure of personal data by organisations. Organisations may only collect, use and disclose personal data “for purposes that a reasonable person would consider appropriate in the circumstances” (Section 3). For the legal bases for the collection, use and disclosure of personal data (eg, consent and other bases), please see 11.2 Data Protection and Privacy.
A data subject has the right to access their personal data held by an organisation (Section 21; subject to certain exceptions), as well as request that an organisation corrects an error or omission in the personal data about them that is in the possession or under the control of the organisation (Section 22; subject to certain exceptions). At the same time, an organisation also has a duty to “make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates” (Section 23).
However, when it comes to the output of generative AI, which may make false factual claims about an individual, there are no reported cases locally yet. Regulators are working to address the risk of “hallucinations” (whereby false information is given by a generative AI system) and the Model Gen-AI Framework recommends techniques such as Retrieval-Augmented Generation and few-shot learning to reduce hallucinations and improve the accuracy of output.
It remains to be seen if courts or regulators in Singapore will order deletion of the entire AI model or cease the use of such AI model if it is trained on illegally obtained personal data. However, given that there have been reported instances of this in other jurisdictions, the authors cannot rule out such a response locally if the situation warrants it.
Law firms in Singapore are using AI for document review, for due diligence processes in M&A transactions, and to summarise contractual documents – to name just a few uses.
Singapore’s Chief Justice Sundaresh Menon has shared his views (at the Litigation Conference held on 3 April 2024) on how AI will reshape the legal profession: automation of routine legal tasks will reduce the demand for junior lawyers and paralegals, but at the same time increase the demand for legally trained persons with an expertise in technology to develop AI tools for legal work. The legal profession will have to learn and adapt to using such AI tools ‒ for example, how to engineer prompts for the AI system to produce the most relevant and useful output. Legal professionals must also uphold their professional responsibilities when using AI tools, such as by verifying the accuracy of AI-generated output and ensuring that confidential client information is not included in prompts to public generative AI tools.
Where the use of AI gives rise to personal injury, property damage or financial loss, the claimant can seek a remedy in tort (negligence) or contract. Singapore does not have product liability laws like those in the UK or the EU. Instead, remedies are available under statutes such as the Unfair Contract Terms Act 1977 and the Sale of Goods Act 1979, as well as specific legislation (eg, the HPA) and the common law (contract and tort).
Singapore has not amended its laws to provide for any special rules concerning liability arising from the use of AI. As yet, there have been no cases in court involving damages due to AI not performing as expected.
The authors are of the view that there are three features of AI that may affect the application of conventional principles of liability, as follows.
Fault-Based Liability (Negligence)
Negligence requires that someone owes a duty of care, that there is breach of such duty (falling below the standard of care), and that the breach caused the loss. Owing to the nature of AI, where many people are involved in its development, the plaintiff might find it difficult to identify the party at fault and the identified party could try to push the blame to a party upstream or downstream in the AI life cycle. However, the Model Gen-AI Framework suggests that liability could be allocated based on the level of control that each stakeholder has in the AI development chain.
Next comes the requirement to prove breach of the standard of care. However, if the opacity of AI makes it impossible to explain why it reached an outcome, then it may be difficult to prove that the behaviour of the AI was due to a defect in the code (rather than any other reason). As the use of AI is developing, it is not clear what standard of care will apply either. Furthermore, even where there is a human in the loop to review the outcome of the AI system, the human will not be able to determine whether the AI is making an error in time to prevent it if the AI is meant to exceed human capabilities.
Finally, there is a requirement to show that the breach caused the loss. Even though it could be argued that the autonomous nature of AI breaks the chain of causation, such an argument is unlikely to be accepted on public policy grounds. In contrast with the EU’s new AI Liability Directive, Singapore has not introduced any laws that introduce a rebuttable presumption of causality between the defendant’s fault and the damage resulting from the AI system’s output (or failure to produce one).
Contract Liability
With a contract, parties negotiate to pre-allocate the risk, so this may resolve some of the issues faced in tort of who is the responsible party. However, establishing whether there is a breach will depend on what parties have agreed to in the contract – for example, whether there are specific, measurable standards the AI system must meet. The Sale of Goods Act 1979 (which provides for an implied condition that goods supplied under the contract are of satisfactory quality) will only apply to the extent that the AI system is a good if it is not embedded in hardware such as a physical disc.
Liability Independent of Fault (Strict Liability/Product Liability)
As mentioned previously, Singapore does not have product liability laws like those in the UK/EU. Nevertheless, the Singapore Academy of Law’s Law Reform Committee considered the application of those laws in its Report on the Attribution of Civil Liability for Accidents Involving Autonomous Cars (published September 2020) and found that product liability presents the same difficulties as negligence because the claimant generally still has to show some fault on the manufacturer’s part (ie, prove there is a “defect” with the software) (see (5.17)–(5.18) of the Report).
Whether there will be strict liability imposed for damage arising from the use of AI remains to be seen, as policymakers must strike a balance between ensuring that innovation is not stifled and obtaining a remedy with ease.
At present, there are no proposed regulations regarding the imposition and allocation of liability for the use of AI.
The Singapore Academy of Law’s Law Reform Committee has issued two reports that make recommendations on the application of the law to robotic and AI systems in Singapore, namely:
The Model Framework highlights the risk of “bias” in the data used to train the AI model and proposes some solutions to minimise it. The IMDA/PDPC acknowledge the reality that virtually no dataset is completely unbiased; however, where organisations are aware of this possibility, it is more likely that they can take steps to mitigate it. Organisations are encouraged to collect data from a variety of reliable sources and to ensure that the dataset is as complete as possible. It is noted that premature removal of data attributes may make it difficult to identify inherent biases in the data.
In addition, the model should be tested on different demographic groups to see if any groups are being systematically advantaged or disadvantaged. Running through the questions in the ISAGO or AI Verify will also help organisations to reduce bias in the AI development process. In relation to LLMs, the IMDA’s October 2023 paper on “Cataloguing LLM Evaluations” sets out recommended evaluation and testing approaches for bias.
There have not been any reported regulatory actions or judicial decisions with regard to algorithmic bias in Singapore.
The collection, use and disclosure of personal data in Singapore is subject to the PDPA. The PDPC has also issued its AI Advisory Guidelines in March 2024.
Legal Bases for the Collection, Use or Disclosure of Personal Data
The use of AI to process personal data is prevalent because AI can generate many useful insights from data. However, regardless of whether AI technology is used in relation to the data, there first and foremost must be a legal basis for the collection, use or disclosure of personal data.
Consent is one of the bases but has its limitations, including an individual’s right to withdraw consent to their data being used or the requirement to notify the individual of a new purpose for the use of their personal data if no such consent was sought before.
Therefore, other relevant bases for the collection, use or disclosure of personal data are:
Anonymised Data
The PDPC encourages organisations to use anonymised data when developing, testing and monitoring AI systems as much as possible. Anonymised data is not considered personal data for the purposes of the PDPA. However, there is always a risk of re-identification in combination with other data about the individual – especially where AI makes connections between different datasets and creates a profile about the person, whereby the data that is anonymised now becomes personal data subject to the PDPA.
Generally, biometric data such as fingerprints and likeness – when associated with other information about an individual – will form personal data under the PDPA. As such, any organisation that collects, uses or discloses such data will be subject to the obligations under the PDPA.
The PDPC has released the Guide on Responsible Use of Biometric Data in Security Applications. This guide specifically addresses the use of biometric data in relation to security cameras and CCTVs for security monitoring and facial or fingerprint recognition systems for security purposes to control movement in and out of premises. It highlights certain risks of using such data and measures that organisations may implement to mitigate the risks.
First, there is a risk of identity spoofing where a synthetic object (such as a 3D mask) is used to fake the physical characteristics of the individual in order to obtain a positive match in the system. Organisations should thus consider implementing anti-spoofing measures such as liveliness detection or installing such biometric systems near a manned security post.
Second, there is a risk of error in identification through false negatives or false positives. This may occur when the threshold for matching is set either too high or too low and the system fails or wrongly identifies a person. Organisations should thus implement a reasonable matching threshold, taking into account industry practice, and/or have additional factors of authentication to complement the existing matching thresholds.
Finally, there are systemic risks to biometric templates where the uniqueness of a biometric template may be diluted (and thus vulnerable to adversaries) if the algorithm used to create the template is used multiple times by the service provider across different sets of customers. Organisations should consider encrypting the biometric template in the database or use customised algorithms.
The Model Framework encourages organisations to consider the appropriate level of human oversight in AI-augmented decision-making. Broadly speaking, there are three degrees of human oversight:
In determining the level of human involvement required, the Model Framework sets out the following factors:
Lastly, the Model Framework encourages organisations to disclose their use of AI so that persons are aware that they are interacting with it and, in particular, to:
To build trust in the use of AI, the Model Framework encourages organisations to ensure that consumers are aware that they are interacting with AI (whether in the case of chatbots or other technologies that are a substitute for services rendered by natural persons). For more details on disclosures, see 11.4 Automated Decision-Making.
Singapore has also stated (in the ASEAN Guide on AI Governance and Ethics) that AI systems should not be used to manipulate consumer behaviour ‒ namely, that “AI systems should not be used for malicious purposes or to sway or deceive users into making decisions that are not beneficial to them or society”.
Pricing algorithms range from those that monitor and extrapolate trends in prices in the market to those that can weigh information such as supply and demand, customer profile and competitor’s pricing in order to make real-time adjustment to prices. Such algorithms raise three key issues of concern when it comes to competition law.
Algorithmic Collusion
The individual use of a pricing algorithm does not fall foul of competition law. However, where organisations have an explicit agreement to collude and use pricing software to implement their agreement, the Competition and Consumer Commission of Singapore (CCCS) has unequivocally stated that this will contravene Section 34 of the Competition Act 2004 as an agreement that prevents, restricts or distorts competition.
If organisations use a distinct algorithm with no prior or ongoing communication, but achieve an alignment of market behaviour, the CCCS will take a fact-centric approach to determine whether the collusive outcomes can be attributed to the organisations.
Personalised Pricing
Where an organisation with a dominant position in the market utilises AI to implement personalised pricing, it may be deemed an exclusionary abuse of dominance and infringe Section 47 of the Competition Act 2004. Specifically, if personalised pricing is used to set discounts that foreclose all or a substantial part of a market, the CCCS may find that the organisation has abused its dominance in the market.
Liability Where AI Learns Collusive Behaviour
If an AI system autonomously learns and implements collusive behaviour, the CCCS is unlikely to find no fault on the part of the organisation that deploys the AI system. Although it is non-binding, the Model Framework states that organisations should be able to explain decisions made by AI. Accordingly, organisations are unlikely to be able to disclaim responsibility for the decisions made by the AI they deploy.
The ASEAN Guide on AI Governance and Ethics recommends that deployers who procure AI systems from third-party developers should “appropriately govern their relationships with these developers through contracts that allocate liability in a manner agreed between parties”. The deployer should also require the developer to assist it in meeting its transparency and explainability obligations to both customers and regulators. The ASEAN Guide on AI Governance and Ethics also recommends that deployers and developers collaborate to conduct joint audits and assessments of the AI system, and testing frameworks such as Singapore’s AI Verify may be used for this purpose.
AI can be used to screen CVs and identify select candidates to move to the next round, thereby making the hiring process more efficient. However, an AI system is only as good as the humans who programmed it, and it is also susceptible to biases in the data it is trained on – for example, the training data may be weighted heavily in favour of one gender for a role.
The Tripartite Guidelines on Fair Employment Practices set out fair employment practices for employers to abide by. Employees must be selected on the basis of merit (ie, skills and experience), regardless of their age, race, gender, religion, marital status and family responsibilities, or disability. Therefore, automated employment screening tools must not take into account such characteristics (with the exception of gender where it is a practical requirement of the job – for example, hiring a female masseuse to do spa treatments for female customers).
The Ministry of Manpower can take action against employers who do not follow the Tripartite Guidelines by curtailing their work pass privileges, such that they may not apply for new work passes or renew the work passes of their existing employees. Singapore intends to introduce workplace fairness legislation in the second half of 2024, so as to complement the existing Tripartite Guidelines.
Although organisations will require consent to collect, use or disclose such personal data, organisations may also rely on two exceptions under the PDPA to do so without obtaining consent from the individual. However, the organisation must still act based on what a reasonable person considers appropriate in the circumstances — it does not have carte blanche to collect every single piece of personal data about an employee through its employee monitoring software. This is because the employer’s monitoring of the employee’s email account, internet browsing history, etc, can reveal very private information about the employee, including private medical information that may not be relevant to the employee’s workplace performance.
The first exception is where the collection, use or disclosure of personal data is for the purpose of managing or terminating an employment relationship between the organisation and the individual. However, to rely on this exception, the organisation must inform its employees of the purposes of such collection, use or disclosure ‒ for example, through the employment contract or employee handbooks. The second exception is where the collection, use or disclosure of personal data about an individual is necessary for evaluative purposes (ie, for determining the suitability or eligibility of the individual for employment, promotion, or continuance in employment).
Although consent may not be needed to collect such data, organisations should be aware that other obligations under the PDPA – for example, the protection obligation to prevent unauthorised access to the data – continue to apply.
A Parliamentary question of 12 September 2022 concerned whether the government will:
The Ministry of Manpower (MOM) responded that it will be “cautious” about regulating the incentives and algorithms of such companies. The MOM would resolve the issue through discussions with tripartite partners and strengthening protections for workers, “rather than jump to regulation and risk over-regulation”.
The government has since accepted the recommendations of the Advisory Committee on Platform Workers in November 2022, thereby strengthening protections for platform workers in terms of financial protection in case of work injury, improving housing and retirement adequacy, and enhancing representation for such workers. A legislative framework and other policies will be introduced in the second half of 2024.
Firms that use AI and data analytics to offer financial products and services should reference the Principles to Promote Fairness, Ethics, Accountability and Transparency (FEAT) in the Use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector, which was published by the MAS in 2018. The principles align with the Model Framework and are voluntary; financial services companies must continue to comply with all other applicable laws and requirements.
The MAS also leads an industry consortium (“Veritas”) that creates frameworks for financial institutions to assess their use of Artificial Intelligence and Data Analytics (AIDA) solutions against the FEAT principles. The White Papers arising from each phase of Veritas (there have been three phases to date since 2019) are published on the MAS website.
Digital advisers (or robo-advisers) are automated, algorithm-based tools with limited or no human adviser interaction. Where such tools are used to provide advice on investment products, the MAS Guidelines on Provision of Digital Advisory Services state that they should minimally provide the client with the following information:
As mentioned in 1.1 General Legal Background, the HPA requires medical devices to be registered. AI-MDs are a type of “medical device” (as defined in the HPA) – hence they must be registered – and they are subject to further requirements for registration by the HSA’s Regulatory Guidelines for Software Medical Devices. Under those Guidelines, additional information must be submitted when registering the AI-MD – for example, information on the datasets used for training and testing and a description of the machine-learning model that is used in the AI-MD.
However, when it comes to liability for errors made by an AI-MD or by any other AI application, there are no judicial decisions yet as to who is liable (or jointly liable) for the error – ie, whether the hospital, doctor, developer of the AI system, etc, is liable.
Singapore’s Road Traffic Act 1961 provides a regulatory sandbox for the use and testing of AVs – see Sections 2(1), 6C, 6D and 6E, and the Road Traffic (Autonomous Motor Vehicles) Rules 2017 (“the Rules”). The Rules prohibit the trial or use of an AV without authorisation and, among other things, set out:
When asked about liability for AV accidents in 2017, the then-Second Minister for Transport responded: “The traditional basis of claims for negligence may not work so well where there is no driver in control of a vehicle. When presented with novel technologies, courts often try to draw analogies to legal constructs in other existing technologies. In the case of AVs, the courts have autopilot systems for airplanes, autopilot navigational systems for maritime vessels, and product liability law to draw references from. As with accidents involving human-driven vehicles, it is likely that issues of liability for AVs will be resolved through proof of fault and existing common law.”
Please see 10.1 Theories of Liability, which sets out potential remedies when AI systems do not function as intended or cause harm.
Please see 9.1 AI in the Legal Profession and Ethical Considerations, where the issues across professional services are similar. Professionals must be mindful of the risks and limitations of AI and take steps to verify the accuracy of the output, critically analyse it for bias, and ensure that confidential client data is not input into an AI system where it can be accessed by unauthorised third parties.
In terms of liability, a person cannot delegate their professional responsibility (eg, a duty to provide correct information) to an AI system. Hence, if they were to rely on the output of an AI system, they would ultimately remain responsible for it.
Protecting AI Innovations Through Patent
Under Section 13 of the Patents Act 1994, an invention must fulfil the following three conditions to be patentable:
However, not all inventions are eligible for patent protection (even if they meet the three conditions). The Examination Guidelines for Patent Applications of the IPOS are instructive. Neural networks, support vector machines, discriminant analysis, decision trees, k-means and other such computational models and algorithms applied in machine learning are mathematical methods in themselves and are thus not considered to be inventions by the IPOS.
However, where the claimed subject matter relates to the application of a machine-learning method to solve a specific (as opposed to a generic) problem, this could be regarded as an invention because the actual contribution of the claimed subject matter goes beyond the underlying mathematical method. Solving a generic problem by using the method to control a system, for example, is unlikely to cross the threshold. The application must be a specific one, such as using the method to control the navigation of an AV.
Protecting AI Innovations Through Copyright
Source codes and AI algorithms are protected by copyright.
Protecting Output Generated by AI
The extent to which copyright and/or patent laws protect the output of generative AI systems is discussed in 8.2 IP and Generative AI.
AI innovations may also be protected under the law of confidence, as set out in the IPOS’ IP and Artificial Intelligence Information Note. Generally, confidential information refers to non-trivial, technical, commercial or personal information that is not known to the public, whereas trade secrets usually describe such information with commercial value.
Information will possess the quality of confidence if it remains relatively secret or inaccessible to the public in comparison with information already in the public domain. Therefore, it is important to secure the confidential information by implementing non-disclosure agreements, encrypting materials, and classifying information so as to limit access to only select groups of people.
However, it is not possible to protect an AI innovation under both patent and the law of confidence because the former requires public disclosure, which destroys the quality of confidence. Therefore, when deciding which regime to use to protect their work, AI innovators should consider whether the invention constitutes patentable subject matter and if the invention is likely to be made public soon or can be easily derived by others through reverse engineering.
See the issues outlined in 8.2 IP and Generative AI.
See the issues outlined in 8.2 IP and Generative AI.
When deploying AI solutions, an organisation should adopt the good governance measures set out by the Model Framework in the following four key areas.
Internal Governance Structures and Measures
All personnel involved in the development of an AI solution should have clear roles and responsibilities, as well as sufficient expertise, resources and training to discharge their duties. A co-ordinating body should be drawn from across the organisation if necessary. The organisation should also establish a monitoring and reporting system to ensure that the appropriate level of management is aware of the performance of the AI solution.
Determining the Level of Human Involvement in AI-Augmented Decision-Making
The level of human oversight in AI-augmented decision-making will depend on how the balance is struck between the commercial objectives/advantages of using AI and the risks of using AI. For more details, please see 11.4 Automated Decision-Making.
Operations Management
As the effectiveness of an AI system is dependent on the data it is trained on, good data accountability practices should be implemented – such as understanding the lineage of the data used, ensuring its accuracy, minimising any inherent bias in the datasets, and periodically reviewing and updating the datasets.
The organisation also needs to document the process of creating the AI system, from the reasons behind decisions such as choosing the datasets for training the model (and why a particular model was selected) to the measures taken to address identified risks. In the event the AI system does not perform as expected, the organisation can then look back on its records to troubleshoot and also defend against liability.
Stakeholder Interaction and Communication
The organisation should consider how to build consumers’ trust in its use of AI. Such steps would include disclosing the use of AI in the product/service provided, explaining its benefits and risks to the consumer, and maintaining open channels of communication for consumers to raise feedback/queries or apply for a review of a decision made by the AI system.
With the abundance of AI guidelines and frameworks introduced across jurisdictions, it can be difficult for organisations to pick one to start with, especially if they intend to deploy their AI solution across multiple jurisdictions. Nevertheless, it is good to take one framework as a starting point or baseline and make improvements/adjustments from there, incorporating recommended actions from other jurisdictions that may not be found locally. Singapore’s ISAGO is useful for both developers and deployers of AI solutions (albeit more for deployers), and it is broadly aligned to the AI governance frameworks in key AI jurisdictions. Organisations may also assess their systems with AI Verify (although the ISAGO is simpler, as it is a checklist with no technical tests).
Organisations should also create a generative AI use policy to set common expectations across employees on how they may use (or not use) generative AI tools such as ChatGPT. The policy can give examples of acceptable and unacceptable prompts for clarity.
10 Collyer Quay
10th Floor Ocean Financial Centre
Singapore 049315
+65 6535 0733
+65 6535 4906
mail@drewnapier.com www.drewnapier.comSingapore’s Approach to AI Adoption and AI Governance
Singapore has a highly supportive climate for the development and use of AI, both in terms of funding and policies. Singapore has also developed a comprehensive AI governance testing framework for traditional AI systems (AI Verify) and is working hard to ensure its AI governance frameworks are interoperable/aligned with the international community’s. By way of example, Singapore actively participates in international fora and recently mapped the AI Verify framework to the USA’s National Institute of Standards and Technology AI Risk Management Framework, declaring them interoperable (a mapping exercise with the EU will happen in the future). This will help organisations that offer AI systems in multiple markets, as the idea of interoperability is that if an organisation complies with country A’s governance framework, it will also comply with country B’s.
In relation to generative AI, which is a more recent development with the public release of ChatGPT in November 2022, Singapore released a draft Model AI Governance Framework for Generative AI (the “Model Gen-AI Framework”) to seek public feedback internationally from 16 January to 15 March 2024, and has published the finalised version on 30 May 2024.
When it comes to regulating the use of AI, Singapore takes a measured approach, examining the use cases of AI first to see what risks arise that cannot be adequately addressed or mitigated by existing laws on areas such as data protection, IP protection and consumer protection. Singapore does not have legislation governing the general use of AI. However, it does have legislation in relation to AI-enabled medical devices, as medical devices (whether AI-enabled or not) are regulated under the Health Products Act 2007. Like most countries, Singapore also has legislation concerning the use/testing of autonomous vehicles (AVs) – given that its road traffic laws were premised on there being a human driver.
Nevertheless, in order to guide industries with regard to deploying AI, regulators in Singapore have issued guidelines for both traditional and generative AI, such as:
The strength of Singapore’s approach to AI lies in its adaptability. Guidelines can be amended (or new guidelines issued) quickly to adapt to any changes. The technology, its use cases, and the issues arising from the use cases can be carefully studied before making any legislative changes that are more permanent in nature. Singapore also ensures that guidelines are formulated in close consultation with the industry, taking into account any feedback.
In the meantime, the IMDA and the PDPC are also working on testing methodologies in order to ensure that the use of AI is in line with the governance principles. This will also prevent Singapore enacting legislation that cannot be enforced.
Approaches to Regulating the Use of AI
With legislation and guidelines on the use of AI being issued across the world at such a rapid pace, is it possible to anchor knowledge about AI? The authors are of the view that it is helpful to consider the AI landscape in terms of the following four key questions.
Accordingly, recent trends and developments in Singapore will be discussed in this context.
Definition of AI and how this affects the way existing laws are applied
Many countries are aligning their definition of AI systems with the OECD’s, which defines AI by its unique traits of autonomy and adaptiveness, and ASEAN (a political and economic union of ten South-East Asian nations, including Singapore) is no exception. The ASEAN Guide on AI Governance and Ethics defines an AI system as “a machine-based system that is capable of influencing the environment by producing an output (predictions, recommendations or decisions) for a given set of objectives”, which “uses machine and/or human-based data and inputs to (i) perceive real and/or virtual environments; (ii) abstract these perceptions into models through analysis in an automated manner (eg, with machine learning), or manually; and (iii) use model inference to formulate options for outcomes” – further noting that “AI systems are designed to operate with varying levels of autonomy”.
What the authors would like to share is based on their understanding of AI and how training is undertaken. In their view, three unique features require a closer look at how existing laws (especially those concerning fault-based liability) might apply to AI, as follows.
How the use of AI should be governed
In relation to traditional AI systems, this is covered by the second edition of the above-mentioned Model Framework issued by the IMDA/PDPC in January 2020 (the first edition was issued in January 2019). This Model Framework is sector-agnostic, meaning regulators can also issue guidance relevant to their sector as needed.
What are the key features of the Model Framework?
The Model Framework sets out ethics and governance principles for the use of AI, alongside practical recommendations that organisations can adopt to fulfil these principles. It is based on two high-level guiding principles that aim to promote public trust in and understanding of the use of AI, as follows.
The Model Framework also sets out the following four key areas in which organisations should follow its recommendations so as to promote the responsible use of AI:
It is recommended that these measures are explored throughout the development and deployment of AI – the life cycle of which can be summarised as follows.
As regards general governance principles, the organisation must ensure it has robust oversight over its use of AI. This means that all persons involved in AI development and deployment should have clear roles and responsibilities, adequate training and resources, and the organisation’s top management/board of directors must also play an active role in setting AI governance policies.
Organisations also need to keep records of the AI development process, starting with a data provenance record to track the origin/source of the (training) data and any changes made to it. The model training and selection process should be documented – along with the reasons why certain decisions were made and measures taken to address any risks identified. These records might be used in the future to troubleshoot where the AI system does not perform as expected or to defend against liability.
Finally, strong personal data protection and cybersecurity practices are required to be in place when using AI. However, given that such requirements are not unique to the use of AI, they are not discussed in this article.
In relation to generative AI systems, as previously mentioned, the Model Gen-AI Framework sets out the following nine areas to focus on in order to achieve trustworthy generative AI, along with the recommended actions to take for both industry and regulators.
Does Singapore take a different approach to the regulation of AI use?
There are two issues to consider when comparing Singapore’s approach towards regulating the use of AI with approaches taken by other jurisdictions. The first looks at what kind of AI governance principles should apply and the second concerns how to implement those principles (ie, whether by means of legislation or guidelines only).
Singapore broadly resembles countries around the world in terms of the principles it believes should apply to the use of AI. A survey by the authors reveals there is growing international consensus between the EU, the USA, Japan, Australia, China and the UK in respect of the following principles.
However, when it comes to implementing these principles, approaches vary. The EU and Canada have introduced legislation – the EU AI Act and the Artificial Intelligence and Data Act, respectively – that regulates high-risk uses of AI and imposes certain obligations (generally) on the developers of such AI systems. However, Singapore, the UK, Japan and Australia have yet to take legislative steps and instead have issued guidelines and notices – while monitoring the industry to see if further action is necessary.
Each approach has its own strengths. Ultimately, it is up to each country to find the right balance between encouraging innovation and ensuring safety in the use of AI. However, the one consistent thing that countries are moving towards is interoperability in their AI governance, so as to remain attractive to foreign companies wishing to operate in their jurisdiction and also so that local companies can easily export their AI technology.
How compliance with AI governance principles is measured
Testing is a very important component of AI governance, as it enables various parties – including regulators, the organisation deploying the AI system, and the persons who are subject to decisions made by the AI system – to find out whether or not the AI system does indeed conform to the governance principles. In other words, it lets people see if the expectation matches up to the reality.
Testing matters because, if the use of AI is to be regulated through legislation (with sanctions for non-compliance), there needs to be a reliable and objective method to ascertain that it does indeed live up to the standards. Testing can be by way of self-assessment, or conducted by a third party, and it can be done by a series of process checks – for example, reviewing documentation – or technical tools (or a combination of both).
In Singapore, the Model Framework is to be read in tandem with the Implementation and Self-Assessment Guide for Organisations (ISAGO), which sets out a series of questions for organisations to review in order to self-assess their compliance with the principles contained within the Model Framework.
May 2022 saw the launch of AI Verify, which consists of technical tests and process checks that let AI developers validate their claims about their AI systems against a set of 11 internationally accepted principles. The test results are not pass/fail, and do not guarantee that the AI system is free from bias or is completely safe, but confer the following positives:
Liability when AI does not perform as expected
The use of AI carries two types of risks – namely, safety risks (eg, death, bodily injury, or property damage) and “fundamental rights risks” (to borrow the EU’s description of rights risks such as discrimination, manipulation, or loss of privacy). The type of risk presented depends on how the AI system is used – for example, whether it is controlling an AV or screening CVs for recruitment.
Whether in the form of guidelines or legislation, the AI governance principles are there to ensure that the use of AI is as safe as possible and thereby minimise the likelihood of a risk occurring. An organisation can reduce the likelihood of a decision with discriminatory effects occurring by, for example, ensuring that the datasets used to train its AI model are representative of the population for which it is intended. The output produced by the AI system will be more accurate a result and therefore less likely to have an incorrect outcome and cause loss or damage.
However, despite every effort to ensure that the datasets are representative and testing is sufficient, there will still be adverse outcomes sometimes. It is worth bearing in mind that the same risks come with decisions or actions carried out by humans, who of course have their own unconscious bias. Hence, when the harm sought to be prevented arises, the focus must switch to compensating – or restoring – the affected party.
There is no quick or easy solution to this issue. In September 2022, an EU AI Liability Directive introduced a presumption of causality and powers to order disclosure of evidence to aid plaintiffs in bringing claims. Meanwhile, on 29 March 2023, the UK stated that it would not be making any changes to its current liability rules without prior industry consultation.
Singapore has not yet announced plans to introduce any legislation on liability. However, the authors are confident that the Singapore courts will be able to apply existing legal principles to this AI technology. Parliament has expressed similar confidence when discussing liability for AV accidents in 2017:
“The traditional basis of claims for negligence may not work so well where there is no driver in control of a vehicle. When presented with novel technologies, courts often try to draw analogies to legal constructs in other existing technologies. In the case of AVs, the courts have autopilot systems for airplanes and autopilot navigational systems for maritime vessels, and product liability law to draw references from. As with accidents involving human-driven vehicles, it is likely that issues of liability for AVs will be resolved through proof of fault, and existing common law.”
Liability for AI-generated content
This is something that every country will have to grapple with, following the advent of generative AI. Singapore has not had a reported case yet – although the Chief Justice has mentioned that courts have had self-represented persons use ChatGPT to write their submissions, which contained non-existent case law (however, no sanctions were reported). To the extent a person publishes AI-generated content, they can be liable as though they had generated the content themselves if the content is false, defamatory or harmful/toxic (eg, content that is an offence to post publicly under Singapore’s laws).
However, when stepping back to look at the developer/deployer of the generative AI system, whether liability arises for AI-generated content may depend on whether the person deploying the AI system had a duty to provide correct information to the recipient of information from the AI system (such as in a company-customer relationship – eg, an airline providing information to its customers on special airfare rates – or if there was a professional duty to provide correct information), as they cannot delegate that duty to a generative AI system and then blame the developer. It may also turn on whether the output that is wrong is so harmless or trivial that reliance on it would not affect the recipient’s rights (eg, the right to claim compensation).
To the extent that the output is toxic (eg, identity attacks, sexually explicit content, or language that incites violence) – as set out in the IMDA’s Generative AI: Implications for Trust and Governance paper of June 2023 – it is arguable that the developer of the generative AI system will not be liable for the output if the developer had:
Conclusion
AI is definitely here to stay, as Singapore now sees it as a necessity – rather than something just “good to have” – and champions its responsible use. While countries decide what regulatory levers are most appropriate to shape its use (legislation or voluntary guidelines), they are all striving towards interoperability of their AI governance frameworks, given how easily the technology flows across geographical borders.
10 Collyer Quay
10th Floor Ocean Financial Centre
Singapore 049315
+65 6535 0733
+65 6535 4906
mail@drewnapier.com www.drewnapier.com