DPA Digital Digest: Singapore [2024 Edition]

A close-up of Singapore’s regulatory approach to data governance, content moderation, competition, artificial intelligence, and more.

The “DPA Digital Digest” series provides concise summaries of each economy’s digital policy. Based on the Digital Policy Alert database, we outline rules and enforcement cases in data governance, content moderation, competition, artificial intelligence, and domestic points of emphasis.

Authors

Maria Buza, Luc Zufferey

Date Published

29 Oct 2024

Singapore, ranked as the world’s third most digitally competitive country by IMD, is committed to advancing its digital economy. The digital economy contributed 17.3% to Singapore’s GDP in 2022, increasing from 13% in 2017, according to the Infocomm Media Development Authority. The government’s efforts to enhance digitalisation include its Digital Enterprise Blueprint and workforce support through skill development programs.

On the international stage, Singapore spearheads digital trade. It has concluded several bi- and plurilateral digital trade agreements and leads initiatives at the World Trade Organization, the Asia-Pacific Economic Cooperation, and the Association of Southeast Asian Nations.

But what do Singapore’s domestic digital policies stand for? This Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Singapore-specific points of emphasis.

  • Data governance: Singapore has updated its Personal Data Protection Act and expanded cybersecurity regulations.

  • Content moderation: Singapore has enacted several laws to address harmful online content, including content regarding elections, harassment, and falsehoods.

  • Competition policy: Singapore has updated guidelines to consider digital market dynamics and enforce consumer protection laws.

  • Artificial Intelligence: Singapore has advanced sectoral frameworks for AI governance, as well as voluntary guidelines.

  • Singapore’s points of emphasis include digital trade and the regulation of cryptocurrencies.

Written by Maria Buza and Luc Zufferey. Edited by Tommaso Giardini.


Data governance

Policy developments

The Personal Data Protection Act (PDPA), in force since 2014, is Singapore's primary framework for personal data protection. In February 2021, an amendment expanded the legal bases for processing personal data to include legitimate interest and business improvement purposes. Additionally, the amendment established mandatory notification requirements for data breaches and increased penalties for non-compliance. 

The Cybersecurity Act, enacted in 2018, establishes a regime to protect critical information infrastructure. In May 2024, the Act was amended. A ministerial decree will specify when the changes take effect. The scope was expanded to virtual systems to address increased reliance on cloud and third-party services. The Cyber Security Agency was granted the authority to designate and regulate three new categories of entities: systems of temporary cybersecurity concern, entities of special cybersecurity interest, and major foundational digital infrastructure service providers. The reporting obligation was expanded to incidents impacting interconnected systems.

Data transfer/localisation developments

Singapore does not require data localisation. Organisations can transfer personal data based on individuals' informed and explicit consent or based on legally enforceable obligations. These include obligations imposed on the data recipient under national data privacy laws, contracts, binding corporate rules or other legally binding instruments. Since 2021, based on the regulations amending the PDPA, organisations that hold a specified certification are considered to meet legally enforceable obligations. The recognised certifications include the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors.

Guidelines and enforcement developments

The Personal Data Protection Commission (PDPC) is the primary enforcer of the PDPA and has the authority to issue secondary legislation and advisory guidelines.

The PDPC’s enforcement focuses on security measures and legal bases for data processing.

  • In April 2024, the PDPC fined Payroll2U SGD 4,000 (approx. USD 2,952) due to insufficient security measures. In March 2024, the PDPC fined Whiz Communications SGD 9,000 (approx. USD 6,649) and Carousell SGD 58,000 (approx. USD 42,784) for failing to implement adequate security measures, providing directives on how to improve their systems. 

  • In January 2023, the PDPC ruled that RedMart could rely on the legitimate interest exception for collecting images without suppliers' consent to deter food safety risks, despite not informing suppliers of the purpose.

Content moderation

Policy developments

Singapore has adopted several laws to address different types of harmful content, including manipulated election content, criminal activities, egregious content, foreign influence operations, online harassment, and online falsehoods.

In October 2024, Singapore adopted a bill which bans advertisements containing manipulated or digitally generated content about election candidates. Under the proposal, the "returning officers" will have the power to order takedowns of such content.

The Online Criminal Harms Act (OCHA), effective since February 2024, grants enforcement agencies the authority to address online criminal activities. Several agencies can require platforms to disable access, block users, and remove apps to mitigate criminal activities on their services. Additionally, the Police Force can issue binding codes of practice. In June 2024, the Police Force issued a code for online communication service providers Facebook, Instagram, Telegram, WeChat, and WhatsApp to implement anti-scam measures. A second code requires Carousell and Facebook (Marketplace, Ads, and Pages) to implement the same measures and additionally verify business users and provide payment protection. 

In February 2023, Singapore enacted the Online Safety (Miscellaneous Amendments) Act. The Act requires providers of online communication services to remove "egregious content," such as posts that promote violence and terrorism or incite racial and religious disharmony, upon request by the Infocomm Media Development Authority (IMDA). Additionally, IMDA can issue binding codes. The online safety code, in force since July 2023, requires social media services designated by IMDA to limit the spread of harmful and inappropriate content, foster a safe environment, and protect vulnerable users, such as children. 

The Foreign Interference (Countermeasures) Act, in force since July 2022, empowers the Minister for Home Affairs to request information from social media and internet service providers to determine whether foreign entities are responsible for harmful content. The Minister can then mandate the blocking, removal, or correction of such content if foreign interference is determined.

In April 2020, the Protection from Harassment (Amendment) Act was enacted to address online harassment, including cyberbullying and doxxing. The Act authorises a specialised court to direct internet intermediaries to block access to false content that leads to harassment, notify users who have viewed the material about its inaccuracies, and issue general correction orders. 

The Protection from Online Falsehoods and Manipulation Act (POFMA), in force since October 2019, addresses online falsehoods. POFMA criminalises the communication of falsehoods that could harm national security, international relations or public confidence in the government. 

  • Designated digital advertising and internet intermediaries must take reasonable steps to prevent paid content that directs users to online locations containing false statements. Other designated intermediaries must comply with binding codes to promote credible online sources, ensure the transparency of political advertisements, and counter abuse of online accounts.

  • When ministers identify online falsehoods within their domain, they can issue directions for targeted correction, general correction, disabling access or account restriction. The POFMA Office then issues orders to internet intermediaries, publications, and users.

  • Websites that repeatedly spread false information and ignore correction directives can be designated as Declared Online Locations (DOLs). DOLs must inform visitors of their history of spreading falsehoods. Advertisers are required to stop working with DOLs, while internet access providers may be ordered to block DOLs.

Guidelines and enforcement developments

Singapore issued several directions to correct falsehoods and designations under POFMA:

  • In October 2024, Meta and X were required to notify users of false claims in a post about government actions on executions and drug trafficking.

  • In August 2024, LinkedIn was required to place a correction notice on a post addressing false information regarding the treatment of prisoners awaiting capital punishment.

  • In June 2024, the Ministry of Communications and Information added Gutzy Asia's website and social media pages to the list of DOLs. Previously, the Ministry issued directions to block Asia Sentinel, Lawyers for Liberty, and East Asia Forum due to non-compliance with correction orders. 

  • In December 2023, Kenneth Jeyaretnam's website, “The Ricebowl Singapore,” and his social media pages on Facebook, Instagram, X, and LinkedIn were designated as DOLs.

  • In July 2023, Online Citizen Asia’s website, Facebook page, Twitter account page, and LinkedIn were designated as DOLs.

In July 2024, Singapore's Ministry of Home Affairs issued the first enforcement order under the Foreign Interference (Countermeasures) Act. Specifically, the platforms X, Facebook, Instagram, YouTube and TikTok were required to block access to 95 accounts linked to individuals and groups undermining Singapore's political leadership. 

Competition

Policy developments

Under the Competition Act, the Competition and Consumer Commission of Singapore (CCCS) has the power to enforce rules and issue binding guidelines to address emerging market challenges. In February 2022, the CCCS updated its guidelines with a focus on addressing digital competition challenges:

  • Regarding market definition, the CCCS now considers developments in the digital economy, including multi-sided platforms. It now evaluates network effects, changes in price structure, and non-monetary aspects such as data security and innovation to assess competition.

  • Regarding abuse of dominance, the CCCS now has dedicated criteria to determine market power and identify potentially abusive behaviour in digital markets.

In November 2020, the CCCS’s rules on price transparency entered into force following an inquiry into the online travel booking sector. The rules establish measures to prevent drip pricing, facilitate price comparison, and regulate the use of the term "free."

Guidelines and enforcement developments

The CCCS’s enforcement efforts focus on merger control in platform markets:

  • In April 2024, the CCCS closed its investigation into Grab’s proposed acquisition of Delivery Hero after the parties abandoned the merger. In February 2024, the CCCS prohibited the parties from sharing confidential business information and taking actions that could impair the ability of either party to compete independently.

  • In July 2024, the CCCS expressed concerns that Grab's acquisition of Trans-Cab could reduce competition in the ride-hailing market by entrenching Grab's dominant position. The final decision will be issued after the parties reply to the concerns raised. 

Since 2018, the CCCS also enforces the Consumer Protection (Fair Trading) Act, which prohibits unfair practices and establishes consumer rights. The CCCS closed several investigations after accepting commitments from parties involved in unfair practices:

  • In April 2022, the CCCS closed the investigation into Lenovo and Want Join IT after both committed to cease unfair practices. 

  • In November 2020, the CCCS concluded its investigation into BEX Travel Asia, operator of Expedia Singapore, after the company agreed to address allegations of unfair promotions.

Artificial Intelligence

Policy developments

Singapore has not adopted a specific law or regulation to directly govern artificial intelligence (AI). The National AI Strategy (2.0) emphasises the government’s commitment to supporting innovation, protecting consumers, and establishing a global reference framework. 

The focus on innovation is further supported by the Copyright Bill, enacted in November 2021. The Bill allows the use of copyrighted material for computational data analysis, including text and data mining, without permission from copyright owners. The exception only applies if the material is accessed lawfully, is used solely for computational data analysis, and is not repurposed or shared.

Guidelines and enforcement developments

In the absence of primary and secondary legislation, Singapore has advanced the AI Verify framework, issued sectoral frameworks and guidelines, and engaged in international cooperation.

In June 2023, Singapore launched AI Verify, an AI governance testing framework and toolkit to enable AI providers and policymakers to collaborate on developing trustworthy AI systems and promote interoperability. 

  • In May 2024, the Ministry of Communications and Information announced the launch of AI Verify Project Moonshot, an open-source testing toolkit to improve the security and safety of large language models. 

  • In May 2024, the IMDA and the AI Verify Foundation adopted the Model AI Governance Framework for Generative AI. The framework expands on the existing guidelines for traditional AI governance to address new challenges posed by generative AI.

  • In October 2023, the IMDA and the United States National Institute of Standards and Technology (NIST) published a crosswalk between AI Verify and the NIST AI Risk Management Framework. The crosswalk analyses similarities and differences between the frameworks to clarify the existing requirements and guidelines in both jurisdictions. 

Sectoral AI frameworks and guidelines span across policy areas.

  • Concerning content, in March 2024, the Cyber Security Agency issued an advisory on deep fake scams, followed by guidelines and a companion guide for securing AI systems. 

  • Regarding data protection, in 2024, the PDPC released guidelines on synthetic data generation and the use of personal data in AI. In 2020, the IMDA and the PDPC provided a self-assessment guide to support the Model AI Governance Framework.

  • In June 2023, the Monetary Authority of Singapore published an open-source toolkit for responsible AI use based on its 2018 principles of fairness, ethics, accountability and transparency. The Authority is currently developing a generative AI risk framework.

  • In December 2020, the Intellectual Property Office adopted a note on intellectual property and AI detailing how patents, copyrights, trade secrets, and open-source software can protect various AI inventions.

In July 2024, the US-Singapore Digital Economic Cooperation Roadmap was adopted to advance collaboration in emerging technologies and develop AI governance frameworks. Additionally, Singapore launched dialogues with China, the United Kingdom, South Korea and Japan.

Points of emphasis

Digital trade

Singapore leads international digital trade efforts on all levels. At the plurilateral level, Singapore co-convened the World Trade Organization (WTO)’s Joint Initiative on E-commerce. In addition, Singapore promotes digital trade within regional frameworks such as the Asia-Pacific Economic Cooperation, the Asia-Europe Meeting, and the Association of Southeast Asian Nations.

Additionally, Singapore has concluded five Digital Economy Agreements. The flagship Digital Economy Partnership Agreement with Chile and New Zealand was recently expanded as South Korea acceded in May 2024. Singapore further entered agreements with Australia, the United Kingdom, the European Union and South Korea. Additionally, in July 2023, Singapore launched digital trade negotiations with the European Free Trade Association.

In December 2023, Singapore incorporated rules on the digital economy in its Free Trade Agreement with China. Also, in December 2023, Singapore signed a Free Trade Agreement with MERCOSUR member states, which includes provisions related to e-commerce and online consumer protection. 

Cryptocurrencies

In April 2024, Singapore enacted the Financial Institutions (Miscellaneous Amendments) Bill. It amended the primary legal framework for regulating cryptocurrency-related activities, the Payment Services Act (PSA). The Bill granted the Monetary Authority of Singapore additional powers, such as issuing directions to licence holders engaging in unregulated activities, including trading bitcoin futures and other payment token derivatives overseas. 

Under the PSA framework, payment service providers engaging in account issuance, domestic and cross-border money transfer, and e-money issuance must obtain a licence. In April 2024, the Monetary Authority of Singapore amended the PSA regulations to expand licensing requirements and investor protection measures to include digital payment token services.