By James Konstantin Galvez ( July 1, 2026, 02:04 GMT | Comment) -- Singapore's privacy regulator is broadening its role beyond traditional data protection as AI adoption accelerates, with responsible data use becoming a central theme of its engagement with businesses. In an interview with MLex, Denise Wong, the country's privacy commissioner, said privacy and AI innovation should reinforce rather than compete with each other. The commission is expanding technical guidance through initiatives such as its Privacy-Enhancing Technologies Sandbox, helping organizations design AI systems that comply with privacy rules before deployment while supporting trusted cross-border data flows.Every year in July, Singapore hosts a four-day conference focused on how to protect personal data. But not this year. In its place, the country’s data-protection regulator is instead holding a “data festival,” reflecting a broader emphasis on how organizations can use data responsibly in an artificial intelligence economy.Alongside data protection, the event now emphasizes AI governance, privacy-enhancing technologies, technical demonstrations and business case studies, underscoring the commission's effort to engage with engineers, developers and business leaders as well as privacy professionals.The shift in emphasis is subtle but significant, particularly as governments around the world continue to grapple with how to balance privacy with AI ambitions. For Denise Wong, who became commissioner of the Personal Data Protection Commission, or PDPC, on April 1 after serving for years as deputy commissioner, that’s not an issue. "I don't really see it as needing to balance," she said in an interview with MLex. "They come hand in hand."The shift reflects the PDPC's broader conception of its role. Rather than focusing solely on protecting personal data, the commission increasingly argues that responsible data use and data protection should reinforce rather than constrain each other as AI becomes central to business operations.— Expansion, evolution —The shift will not come as a surprise to those familiar with how the Singapore regulator works. It has been talking about “responsible data use” for a number of years now. But this year, the PDPC is making that broader scope more evident and intentional. What has changed is not the underlying policy but the context in which it is being communicated."It's very much about an intentional expansion and evolution to look at data use and that broad sense of harnessing the value of data in a responsible way," Wong said.Wong is careful to stress that the commission's mandate has not changed. Data protection remains "very much at the core" of its work. But as Singapore accelerates AI adoption across its economy, the regulator is broadening how it thinks about its role, in line with the country’s broader National AI Strategy 2.0.AI is creating new questions for organizations that already understand Singapore's privacy law. Companies are no longer asking simply whether the Personal Data Protection Act applies. They want to know how existing obligations apply to AI models, AI agents and increasingly complex data-driven systems before products reach the market.“Businesses… are excited about harnessing some of these new technologies, for example, Gen AI or AI agents or chatbots,” Wong said, but adding that they “are looking for guidance and certainty.”— From guidance to implementation —Organizations generally understand that privacy obligations continue to apply. The harder question is how regulators will interpret those obligations as AI technologies evolve. The PDPC increasingly sees reducing that uncertainty as part of its role.No initiative illustrates that evolution more clearly than the commission's Privacy-Enhancing Technologies, or PET, Sandbox.The sandbox allows companies developing AI and other data-driven systems to work directly with the PDPC before deployment, testing whether proposed technical designs satisfy Singapore's privacy requirements.Depending on the project, those discussions extend well beyond legal interpretation. Wong said the commission reviews technical architecture, engineering safeguards and privacy-enhancing technologies ranging from anonymization and encryption to trusted execution environments and secure multiparty computation."We're not just regulatory and compliance checkers," she said.In some cases, the regulator works alongside engineering teams, discussing detailed implementation issues. "Maybe you need to add a salt to your hash," Wong said, illustrating the level of technical engagement.For businesses, perhaps, the biggest value is certainty. The sandbox allows them to test both technical architecture and compliance assumptions before products reach the market (see here).The approach reflects the broader role the PDPC now envisages for itself. Rather than waiting for complaints or enforcement cases, the PDPC is helping organizations operationalize privacy principles during product development.The same philosophy underpins the commission's work on PETS more broadly. Its PET Adoption Guide (see here) helps organizations identify which technologies are appropriate for different business processes, while recent case studies increasingly focus on production-scale AI deployments rather than proof-of-concept projects.— A model for other regulators? —The same thinking extends to Singapore's position on cross-border data, championing trusted cross-border data flows through initiatives such as the Global Cross-Border Privacy Rules system and ASEAN Model Contractual Clauses. Wong said trusted cross-border data flows remain essential if businesses are to build and deploy AI across multiple markets while maintaining accountability for personal data.Whether other jurisdictions follow Singapore's approach remains an open question. The model depends on sustained engagement with industry and technical expertise that many privacy regulators may struggle to develop. Other governments may conclude that AI-specific legislation or stronger enforcement powers offer a more practical response.Wong argues that the objective is to ensure "consumers are well protected, their data is well protected, and they also have the ability to use AI and the technology with confidence." That confidence, she said, creates "a trusted ecosystem where everyone can thrive."The broader question is whether Singapore's model can travel. The PDPC's evolution is rooted in the country's AI strategy and its conviction that privacy and innovation reinforce rather than compete with each other. Other jurisdictions may share that ambition, but not all have regulators with the technical expertise — or the mandate — to engage with businesses in the way Singapore increasingly does....