Singapore PDPA for scrapers: a 2026 practical guide

Singapore's PDPA rules on scraping are the most pragmatic in the ASEAN region, and that pragmatism has made Singapore one of the most attractive jurisdictions for data-driven businesses operating across Asia. The Personal Data Protection Act, originally enacted in 2012 and significantly amended in 2020 and 2024, governs how personal data is collected, used, disclosed, and stored. Unlike GDPR, the PDPA includes a relatively broad publicly-available exception that scraping operators can rely on, and unlike most other regimes it explicitly distinguishes consent obligations from data protection obligations. This guide walks through the PDPA structure, the publicly-available rules, the deemed consent and notification frameworks, and a working compliance checklist.

The audience is the technical lead or in-house counsel responsible for a scraping pipeline that touches Singapore residents, or one based in Singapore that touches anywhere.

What the PDPA actually covers in scraping context

The PDPA applies to any organisation that collects, uses, or discloses personal data about individuals in Singapore. It applies regardless of whether the organisation is in Singapore. Like GDPR, it has effective extraterritorial reach when scraping operations target Singapore residents.

Personal data under Section 2 is data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. The definition mirrors GDPR’s “identifiable” standard but with a slightly narrower “is likely to have access” qualifier that gives operators a small drafting window.

The PDPC (Personal Data Protection Commission) enforces the regulation. Penalties under the 2020 amendments rose significantly: financial penalties of up to SGD 1 million or 10 percent of annual turnover in Singapore (whichever is higher), with the higher cap applying to organisations with annual turnover above SGD 10 million.

The 2024 amendments introduced the Data Innovation Provisions, allowing certain forms of business analytics and AI training under the Legitimate Interests basis, with documentation and disclosure requirements. This is the most operator-friendly addition in the region.

For the broader ASEAN compliance picture, see the personal vs public data scraping framework. For comparison with GDPR, see the GDPR compliance guide.

The publicly-available exception, properly read

The PDPA’s publicly-available exception is broader than the GDPR’s equivalent, but narrower than most operators assume. Schedule 1 Part 3 of the PDPA exempts collection and use of personal data that is publicly available, defined in Section 2 as personal data that is generally available to the public, and includes personal data that can be observed by reasonably expected means at a location or event at which the individual appears and that is open to the public.

Three operational implications.

First, “generally available to the public” requires that the data be available to anyone who looks, not just to those who clear a barrier. A profile behind a paywall is not publicly available. A profile behind a free signup is debatable.

Second, the exception applies to collection and use, but not always to subsequent disclosure to third parties. If you scrape publicly available data and resell it, the resale may trigger separate obligations.

Third, the PDPC has consistently held that observable behaviour at public events (a name on a public attendee list, a quote in a public news article) is publicly available. Behaviour inferred from observation (a profile built from behavioural patterns) may not be.

The PDPC issued an advisory in 2024 specifically addressing scraping for AI training, holding that publicly available data may be used for training without consent under the publicly-available exception, provided the use complies with the data protection obligations (notification, purpose limitation, accuracy, protection, retention, transfer).

Consent and the notification obligation

For data not within the publicly-available exception, the PDPA requires consent. Consent can be express (the data subject explicitly agrees) or deemed (the individual voluntarily provides the data for a purpose, or is informed and does not opt out within a reasonable time). The 2020 amendments expanded deemed consent significantly.

For scrapers, deemed consent rarely applies because the data subject did not voluntarily provide the data to you. The relevant alternative bases are:

Legitimate Interests: introduced in 2020, allows collection without consent where the legitimate interest of the organisation outweighs any adverse effect on the individual. Requires a documented assessment.

Business Improvement: a narrow exception for using existing personal data to improve products and services, subject to safeguards.

Research: a research exception for non-commercial research purposes.

Notification, even where consent is not required, is generally still required. The organisation must notify the individual of the purposes for which the data will be collected, used, or disclosed. For scraping operators, notification is typically delivered through a public privacy notice rather than per-individual contact.

For the Indian comparison and where the regimes differ, see the India DPDP Act for scrapers guide.

The Do Not Call provisions

The PDPA includes Do Not Call (DNC) provisions that govern marketing communications to Singapore phone numbers. These rules sit alongside the data protection obligations and are independently enforced.

Scrapers who collect Singapore phone numbers and use them (or licence them) for marketing must check the DNC registries before sending. The PDPC operates three registers (No Voice Call, No Text Message, No Fax). Failing to check before sending is a separate violation with separate fines.

The 2020 amendments added that organisations are responsible for ensuring third-party marketers they engage also comply with DNC. A scraper that resells phone numbers to marketing operators is exposed to this chain liability.
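A fail-closed pre-send gate for the per-number check described above, as an added example (not code from the original guide). The `lookup` callable stands in for whatever registry query your organisation uses and is hypothetical, as are `MAX_CHECK_AGE` and the constructed sample number.

```python
import re
from datetime import datetime, timedelta, timezone

# Channel -> register, using the three register names from the section above.
REGISTER = {"voice": "No Voice Call", "sms": "No Text Message", "fax": "No Fax"}
# Assumption: how long a cached result counts as "current". Set it from the
# validity period that applies to your own registry checks.
MAX_CHECK_AGE = timedelta(days=1)


def normalise_sg(number):
    """Return the 8-digit local part of a Singapore number, or None."""
    digits = re.sub(r"[\s()-]", "", number)
    m = re.fullmatch(r"(?:\+?65)?(\d{8})", digits)
    return m.group(1) if m else None


class DncGate:
    """Fail-closed gate that every outbound marketing contact must pass."""

    def __init__(self, lookup, now=lambda: datetime.now(timezone.utc)):
        self.lookup = lookup  # hypothetical: lookup(register, number) -> True if listed
        self.now = now
        self.cache = {}       # (register, number) -> (listed, checked_at)
        self.audit = []       # evidence that each contact was checked

    def may_contact(self, number, channel, has_clear_consent=False):
        local, register = normalise_sg(number), REGISTER.get(channel)
        if local is None or register is None:
            return self._log(number, channel, False, "not an SG number or unknown channel")
        if has_clear_consent:
            return self._log(local, channel, True, "clear and unambiguous consent on file")
        key = (register, local)
        hit = self.cache.get(key)
        if hit is None or self.now() - hit[1] > MAX_CHECK_AGE:
            try:
                hit = (bool(self.lookup(register, local)), self.now())
            except Exception:
                # A registry outage must block the send, not wave it through.
                return self._log(local, channel, False, "registry lookup failed")
            self.cache[key] = hit
        return self._log(local, channel, not hit[0], f"checked {register} register")

    def _log(self, number, channel, allowed, reason):
        self.audit.append({"number": number, "channel": channel, "allowed": allowed,
                           "reason": reason, "at": self.now().isoformat()})
        return allowed


# Constructed demo data: one number listed on the No Voice Call register only.
DEMO_LISTED = {("No Voice Call", "91234567")}


def demo():
    gate = DncGate(lambda register, number: (register, number) in DEMO_LISTED)
    return [gate.may_contact("+65 9123 4567", ch) for ch in ("voice", "sms", "fax")]
```

The `audit` list is what you hand over when asked to show that a given contact was checked; persist it alongside the send log.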

Compliance checklist for scraping operators

| Control | What it requires | Why it matters |
|---|---|---|
| Publicly-available assessment | Per-source documentation | Schedule 1 Part 3 defence |
| Lawful basis for non-public data | Legitimate Interests assessment | Section 13 |
| Privacy notice published | Public page describing purposes | Section 20 (notification) |
| Purpose limitation | Use only for stated purposes | Section 18 |
| Data accuracy | Reasonable steps to ensure accuracy | Section 23 |
| Protection obligation | Reasonable security arrangements | Section 24 |
| Retention limits | Cease retention when no longer needed | Section 25 |
| Transfer limits | Comparable protection in recipient country | Section 26 |
| Data Protection Officer | Mandatory for all organisations | Section 11 |
| Access and correction requests | Respond within 30 days | Sections 21-22 |
| Withdrawal of consent | Honour withdrawal | Section 16 |
| Do Not Call check (if marketing) | Per-number, current registry | DNC provisions |
| Data Innovation Provisions notice | If using LI for AI training | 2024 amendments |
| Breach notification | If significant harm or 500+ affected | Section 26D |

Most scrapers can tick most rows in a fortnight of work. The DPO requirement (Section 11) is the most-missed obligation.

Decision tree: is this scrape PDPA-compliant?

Q1: Is the source publicly available (general access, no barrier)?
    ├── Yes -> Q1a: Is the use for AI training or aggregation?
    │           ├── Yes -> Document publicly-available basis; comply with data protection obligations.
    │           └── No  -> Document publicly-available basis; standard obligations apply.
    └── No  -> Q2
Q2: Have you obtained express or deemed consent?
    ├── Yes -> Document; standard obligations apply.
    └── No  -> Q3
Q3: Can you rely on Legitimate Interests?
    ├── Yes -> Conduct LI assessment; publish notice; standard obligations apply.
    └── No  -> Stop or restructure.

The Data Innovation Provisions and AI training

The 2024 amendments added the Data Innovation Provisions (DIP) at Sections 17A-17C. These allow organisations to use personal data, without consent, for business innovation purposes that include analytics, AI training, and product development, subject to four conditions:

  1. The use is for a legitimate purpose that the individual would reasonably expect.
  2. The organisation has conducted a risk assessment.
  3. The organisation publishes a clear notice describing the use.
  4. The organisation provides an opt-out mechanism that is honoured.

For scraping operators training AI models on publicly available Singapore data, the DIP is the cleanest path. Document the assessment, publish the notice, run the opt-out inbox.

Cross-border transfer obligations

Section 26 requires that personal data transferred outside Singapore be afforded a standard of protection comparable to the PDPA. The PDPC’s approach is more flexible than the EU’s, accepting the recipient’s contractual undertakings, the recipient’s binding corporate rules, or the recipient’s location in a jurisdiction with comparable laws.

The PDPC has not published a formal adequacy list. Instead, scraping operators evaluate each recipient case-by-case. Major comparable jurisdictions include the EU/EEA, the UK, Australia, Canada, Japan, and South Korea.

For US transfers, the PDPC accepts contractual clauses similar to the EU SCCs. The Data Privacy Framework is not directly relevant to PDPA, but a US recipient certified under DPF generally satisfies PDPA-equivalent protection in practice.

For the broader cross-border question, see scraping data from EU sites jurisdictional realities.

How PDPA enforcement shifted in 2024 and 2025

Two trends stand out. First, the PDPC moved from advisory-heavy to fine-active, issuing multiple seven-figure fines in 2024-2025 against organisations that failed to implement reasonable security arrangements (Section 24) following data breaches. Scraping operators with unprotected storage are exposed.

Second, the PDPC published explicit AI guidance in 2024 and 2025 covering training data, output safety, and accountability. The guidance is non-binding but shapes enforcement expectations. A scraping operator who follows the guidance is in a defensible position.

The Voluntary Disclosure Programme (VDP), launched in 2025, encourages organisations that discover their own breaches to self-report in exchange for reduced penalties. For scraping operators who discover compliance gaps, the VDP is a useful tool.

External references

The PDPA full text is at pdpc.gov.sg/legislation/personal-data-protection-act. The PDPC advisories and guidelines are at pdpc.gov.sg/Guidelines-and-Consultation. The PDPC enforcement decisions library is searchable at pdpc.gov.sg/Commissions-Decisions.

Comparison: PDPA vs GDPR vs DPDP

| Dimension | PDPA Singapore | GDPR EU | DPDP India |
|---|---|---|---|
| Personal data definition | Identifiable individual | Identifiable individual | Digital personal data of identifiable individual |
| Public data carve-out | Broad | Narrow | Limited |
| Consent default | Required unless exception | Lawful basis required | Required unless exception |
| Legitimate interests | Yes (since 2020) | Yes | Limited (notice and consent default) |
| AI training friendly | Yes (DIP since 2024) | EU AI Act layers on | Not yet articulated |
| Cross-border transfer | Comparable protection test | SCCs / adequacy | Whitelist of approved countries |
| Maximum fine | SGD 1M or 10% turnover | EUR 20M or 4% turnover | INR 250 crore (~USD 30M) |
| Mandatory DPO | Yes (all organisations) | Conditional | Yes for significant data fiduciaries |
| Breach notification | Yes (significant harm or 500+) | Yes (72 hours, risky breaches) | Yes |

PDPA is the most operator-friendly of the three, particularly for AI training pipelines that fit the DIP framework. DPDP is the strictest on consent default. GDPR remains the strictest overall.

A worked example: scraping Singapore property listings

A scraper collects publicly available property listings from major Singapore portals (PropertyGuru, 99.co, EdgeProp). The dataset includes property address, asking price, agent name, agent contact phone, agent licence number, and listing date.

Classification: agent name and contact details are personal data. Property address is not personal data unless linked to an owner. Asking price is not personal data.

Basis: publicly-available exception applies to the agent contact data, because agents publish their information openly for purposes of being contacted by potential clients.

Notification: a clear privacy notice on the scraper’s website describing the collection, the purpose (market intelligence for B2B customers), the retention period, and the opt-out path.

Do Not Call: if the dataset is later used for marketing calls to those agents, the DNC registries must be checked per-number per-call.

Outcome: defensible posture, low overhead, with a documented publicly-available assessment and a published notice. PDPA does not require an LIA in this case because the publicly-available exception applies.
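The classification, basis, notice purpose and opt-out path from this worked example can be enforced at ingest rather than left in a policy document. The sketch below is an added example, not code from the original guide; the field names, `RETENTION`, `SUPPRESSION_KEY` and the sample listing are assumptions constructed for illustration, and opt-outs are assumed to be keyed by agent licence number.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Field classification taken from the worked example above.
PERSONAL = {"agent_name", "agent_phone", "agent_licence"}
NON_PERSONAL = {"address", "asking_price", "listing_date"}
RETENTION = timedelta(days=365)           # assumed; use the period in your notice
SUPPRESSION_KEY = b"constructed-demo-key"  # assumed; load from a secret store


def subject_key(licence):
    """Keyed hash for the opt-out list, so the list holds no raw identifiers."""
    msg = licence.strip().upper().encode()
    return hmac.new(SUPPRESSION_KEY, msg, hashlib.sha256).hexdigest()


def tag_listing(raw, source, collected_on, opted_out):
    """Split a scraped listing into listing facts and tagged agent data."""
    unclassified = set(raw) - PERSONAL - NON_PERSONAL
    if unclassified:
        # Fail closed: a new field must be classified before it is stored.
        raise ValueError(f"unclassified fields: {sorted(unclassified)}")

    record = {
        "source": source,
        "listing": {k: raw[k] for k in NON_PERSONAL if k in raw},
        "agent": None,
    }
    licence = raw.get("agent_licence", "")
    if licence and subject_key(licence) in opted_out:
        return record  # opt-out honoured: keep the listing, drop the agent data

    agent = {k: raw[k] for k in PERSONAL if k in raw}
    if agent:
        record["agent"] = {
            "data": agent,
            "basis": "publicly-available",
            "purpose": "market intelligence for B2B customers",
            "collected_on": collected_on.isoformat(),
            "delete_after": (collected_on + RETENTION).isoformat(),
            "dnc_check_required": "agent_phone" in agent,
        }
    return record


def purge_expired(records, today):
    """Retention limit: strip agent data once its delete_after date has passed."""
    for r in records:
        agent = r["agent"]
        if agent and date.fromisoformat(agent["delete_after"]) < today:
            r["agent"] = None
    return records


# Constructed sample listing; none of these values refer to a real agent.
SAMPLE = {
    "address": "1 Example Road #01-01",
    "asking_price": 1250000,
    "listing_date": "2026-01-05",
    "agent_name": "Example Agent",
    "agent_phone": "+65 9123 4567",
    "agent_licence": "R000000X",
}
```

Storing the basis and purpose on each record is what makes the per-source assessment auditable later, and raising on an unclassified field stops a portal layout change from silently adding new personal data to the dataset.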

For the deeper market-intelligence build pattern, see scraping job board data for talent intelligence.

Mandatory Data Protection Officer

Every organisation in scope of PDPA must appoint a Data Protection Officer (Section 11). The DPO does not need to be in Singapore, does not need to be a lawyer, and can be a current employee with other responsibilities. Small scraping operations commonly designate the engineering lead or compliance manager.

The DPO must be contactable, and their contact details (or at least the role’s contact details) must be available to the public. A common implementation is a dpo@yourcompany.com inbox listed on the privacy notice page.

Failing to appoint a DPO is itself a violation. The PDPC has issued multiple enforcement actions for this failure alone.

FAQ

Is publicly available data exempt from PDPA?
Partially. The publicly-available exception covers collection and use, but data protection obligations (purpose limitation, accuracy, protection, retention, transfer) still apply.

Do I need consent to scrape?
Not always. The publicly-available exception, the Legitimate Interests basis, and the Data Innovation Provisions all permit collection without express consent in defined circumstances.

Does PDPA apply if I am outside Singapore?
Yes, if your processing covers individuals in Singapore. The PDPA has effective extraterritorial reach.

Do I need a Singapore representative?
No. Unlike GDPR, PDPA does not require a local representative for non-Singapore organisations.

What is the typical fine under PDPA in 2026?
Penalties range from low six figures for technical breaches up to SGD 1 million or 10 percent of annual Singapore turnover for serious violations, with the higher cap applying to larger organisations.

Extended PDPA enforcement analysis 2024-2026

The Personal Data Protection Commission stepped up enforcement after the 2020-2021 amendments brought mandatory breach notification, an enhanced financial penalty cap (10 percent of annual turnover above SGD 10 million), and the data portability obligation. The 2024-2026 window saw three notable directions.

First, the PDPC published the AI Model Governance Framework second edition in May 2024. The framework treats training data provenance as a primary governance question and recommends documented LIA-equivalent assessments for personal data ingested into AI training pipelines.

Second, the PDPC’s enforcement decisions in 2024 and 2025 showed that scraping operators are squarely in scope when they collect personal data of Singapore residents, regardless of the operator’s location. The Section 13 consent obligation is the central question, with Section 17 deemed-consent and the legitimate-interest exception in the First Schedule providing the practical pathways.

Third, the cross-border transfer rules under Section 26 require the receiving controller to be bound to a comparable standard. The PDPC’s 2024 guidance accepts a narrow set of mechanisms (consent, contract, ASEAN MCCs, certifications). Scrapers exporting Singapore-resident data must document the chosen mechanism.

Implementation patterns for a PDPA-clean pipeline

A 2026 PDPA-compliant scraping pipeline should include seven controls.

  1. Identify Singapore-resident data subjects at ingest using a combination of profile signals and IP geolocation.
  2. Apply the legitimate-interest exception with a documented assessment, or rely on Section 17 deemed consent where applicable.
  3. Honour withdrawal of consent requests with a measured response time.
  4. Provide a do-not-call workflow for any phone numbers collected.
  5. Apply transfer-limitation safeguards for data leaving Singapore.
  6. Maintain a data protection officer designation and contact.
  7. Maintain a data breach notification process meeting the 72-hour PDPC notification window.

Code pattern: Singapore identification at ingest

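import re

# Heuristic: an optional "+", the 65 country code and 8 digits, not embedded
# in a longer run of digits (which would otherwise match order ids and the like).
SG_PHONE = re.compile(r"(?<!\d)\+?65[\s-]?\d{4}[\s-]?\d{4}(?!\d)")
# "sg" alone already covers the second-level entries; they are kept for readability.
SG_DOMAINS = {"sg", "com.sg", "edu.sg", "gov.sg", "org.sg"}

def is_singapore_subject(record):
    """Return True if any signal suggests the record concerns someone in Singapore."""
    # Fields may be missing or None in scraped records, so default to "".
    if SG_PHONE.search(record.get("text") or ""):
        return True
    # Domain names are case-insensitive; normalise before comparing.
    email = (record.get("email") or "").strip().lower()
    if any(email.endswith("." + d) for d in SG_DOMAINS):
        return True
    if (record.get("country_iso") or "").upper() == "SG":
        return True
    return False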

Comparison: PDPA vs neighbouring regimes for scrapers

| Question | Singapore PDPA | Malaysia PDPA | Indonesia PDP Law | Thailand PDPA |
|---|---|---|---|---|
| Legitimate interest exception | Yes (First Schedule) | No general exception | Yes (limited) | Yes (limited) |
| Public data carve-out | Limited | Limited | Limited | Limited |
| Cross-border transfer rule | Comparable standard | Whitelisted countries | Adequate protection | Adequate protection |
| Max fine | SGD 1M or 10 percent of turnover | RM 500K | IDR 5B or 2 percent of revenue | THB 5M plus criminal |
| Breach notification | 72 hours to PDPC | Yes | Yes | 72 hours |

Additional FAQ

Does PDPA apply to scraping operators outside Singapore?
Yes, if they collect, use, or disclose personal data of individuals in Singapore. The PDPA does not require an establishment in Singapore for jurisdiction.

Is the legitimate-interest exception identical to GDPR Article 6(1)(f)?
Functionally similar but procedurally different. Singapore requires a prescribed assessment and notification. The substantive balancing test is comparable.

What is the do-not-call obligation?
The DNC Registry under PDPA prohibits telemarketing calls, SMS, and faxes to numbers on the registry without clear and unambiguous consent. Scraped phone numbers must be checked.

How does PDPA treat AI training data?
The 2024 AI Model Governance Framework recommends provenance documentation and explicit assessment for personal data used in training. Compliance with the framework is voluntary but increasingly expected.

The PDPA’s deemed consent and legitimate interest pathways

The PDPA’s 2020-2021 amendments introduced two pathways that are particularly relevant to scrapers. The first is deemed consent under Section 17, which applies when an individual voluntarily provides personal data for a purpose, and the consent can be inferred from the circumstances. The second is the legitimate interest exception in the First Schedule, which permits collection, use, or disclosure of personal data without consent if the legitimate interests outweigh any adverse effect on the individual.

For scrapers the legitimate interest exception is the practical pathway. The exception requires a documented assessment, similar to the GDPR LIA. The PDPC’s 2021 advisory guidelines on the legitimate interests exception provide a template for the assessment. Scrapers should follow the template and maintain the documentation.

Deemed consent under Section 17 is narrower for scrapers because the inference of consent from circumstances is harder for third-party scraping. A direct interaction (a user submitting a form) may support deemed consent. A scrape of a third-party website typically does not.

The 2024 PDPC enforcement decisions reaffirmed that the legitimate interest exception requires actual documentation. A scraper that has not written the assessment cannot rely on the exception. The decisions also reaffirmed that the assessment must be specific to the scrape, not boilerplate.

The PDPC AI Model Governance Framework

The PDPC published the AI Model Governance Framework first edition in 2019 and the second edition in May 2024. The framework provides voluntary guidance on responsible AI deployment. The 2024 edition added explicit guidance for generative AI and for training data.

For scrapers feeding AI training pipelines the framework recommends three practices. First, document the training data sources and the lawful basis for each. Second, conduct a data protection impact assessment for the training pipeline. Third, maintain a process for honouring data subject withdrawal requests.

Compliance with the framework is voluntary. The 2024-2026 trend is that compliance is increasingly expected by enterprise customers, by acquirers in due diligence, and by regulators in inquiries. A scraper that aligns with the framework is in a stronger market position.

Cross-border transfer under Section 26

Section 26 of the PDPA prohibits the transfer of personal data outside Singapore unless the transferring organisation ensures that the receiving organisation is bound to a comparable standard of protection. The 2021 amendments and the 2024 PDPC guidance specify the acceptable mechanisms.

The acceptable mechanisms are: written contract that imposes obligations comparable to the PDPA; binding corporate rules within a corporate group; the ASEAN Model Contractual Clauses for cross-border data flows; certification under the APEC Cross-Border Privacy Rules; and a few other narrow options.

For scrapers the contract pathway is the workhorse. The contract should explicitly reference the PDPA obligations and require the receiving organisation to maintain comparable safeguards. The 2024 PDPC guidance includes template clauses that scrapers can adapt.

The 2024 ASEAN MCCs provide an alternative for scrapers operating across ASEAN member states. The MCCs are aligned with the PDPA in principle and reduce the contract drafting burden. Adoption is voluntary and growing.

Next steps

The fastest path to PDPA compliance is to appoint a DPO, publish a privacy notice, document the publicly-available basis per source, and stand up an opt-out inbox. For broader Asia-Pacific compliance, head to the DRT compliance hub and pair this with the DPDP Act guide.

This guide is informational, not legal advice.
