Singapore’s light-touch approach to PETs regulation

Privacy Enhancing Technologies (PETs) refer to cryptographic techniques that allow the processing, analysis and extraction of insights from data without revealing underlying personal or commercially sensitive data.

Previously regarded as necessary to address privacy and data protection risks during data sharing, PETs have received renewed interest as central to unlocking the full value of data both within and outside organisations.

Several jurisdictions have proactively encouraged PETs adoption, opting for little to no additional regulation in addition to existing data protection laws. We set out Singapore’s regulatory approach, through the recent publication of a PETs adoption guide and practical guidance notes by the authorities.

PETs today

Based on cryptography, PETs give data providers the ability to either disclose data for analysis but not in its original form (in techniques like differential privacy (DP) or homomorphic encryption), or allow insights to be pulled from data which remains undisclosed at all times. Useful insights can be gained without exposing personal data unnecessarily.

The pervasiveness of PETs depends on the type of PET and the industry in question. For instance, technologies like DP and federated learning are growing in popularity but not yet universal. Emerging PETs like zero-knowledge proofs are making waves in blockchain and digital identity projects, while secure multi-party computation is seeing growing use in finance and banking.

PETs Adoption Guide

Since 2022, the Infocomm Media Development Authority of Singapore (IMDA) has worked with industry participants such as Mastercard, Meta, Ant International and TikTok to pilot their PET solutions in its PETs Sandbox. Proof-of-concepts that have been tested in the Sandbox include the generation of synthetic data for research use, as well as the use of Trusted Execution Environments to enable data collaboration between publishers and advertisers without accessing each other’s raw data.

On 7 July 2025, the IMDA released a draft PETs Adoption Guide, which “captures key practical lessons from real-world implementations” in the PETs Sandbox and aims to “support companies in adopting PETs to unlock greater business value”.

Targeted at C-suite and senior decision-makers in organisations considering the adoption of PETs, the Guide is educational and non-binding in nature. The Guide includes two resources for organisations: a “PETs Use Case Evaluation Tool” and an “Implementation Checklist”. The latter resource contains general recommendations for organisations throughout the PETs deployment journey.

IMDA intends for the Guide to be “constantly refined” through new proof-of-concepts from the PETs Sandbox and from industry feedback, with no timeline for a finalised version.

Regulatory guidance on PETs

Singapore’s Personal Data Protection Commission (PDPC), a division of the IMDA, has also worked in parallel with participants of the Sandbox to issue practical guidance notes setting out how each participant’s proof-of-concept implementation would be analysed under Singapore’s personal data protection regime. The latest set of notes were released in July 2025.

The guidance notes suggest that in the event of a data breach investigation, the PDPC will review the substance and not the form of the PET in question. For instance, in assessing if individuals can be re-identified from the output of different stages of a PET solution, the regulator examined whether technical measures (such as hashing and secure multi-party computing) were implemented correctly, as well as whether contractual and process controls existed to prevent disparate data sources from being combined to identify people.

The PDPC has previously also released guides addressing related topics, such as a “Guide to Basic Anonymisation” in March 2022, and a “Proposed Guide to Synthetic Data Generation” in July 2024. PDPC’s Advisory Guidelines on the Personal Data Protection Act (PDPA) for Selected Topics also dedicates a chapter to anonymisation. Several of these guides are directly cited or applied in PDPC’s practical guidance notes.

Relationship between IMDA’s Guide and PDPC’s regulatory guidance

IMDA’s Guide deals with business, technical and legal considerations at a high level, as it is intended for executives responsible with planning to implement PETs within an organisation

In contrast, as PDPC’s practical guidance notes and guides are intended for legal, compliance and data protection officers, they are written more granularly and with a view to compliance with Singapore’s PDPA.

Arguably, both the Guide and PDPC's regulatory guidance are instructive as benchmarks for compliance purposes. However, the material directly published by PDPC is intended to be more authoritative and informative as to how Singapore's data protection legislation will be applied to PETs.

Regulatory approaches in other jurisdictions

The Guide and PDPC’s regulatory guidance are largely natively developed, but mention or acknowledge earlier publications by foreign regulators.

For instance, Korea’s Personal Information Protection Commission had published its own “Guidelines on Generating and Utilizing Synthetic Data” in December 2024. These guidelines are voluntary and not intended to “regulate the generation and [use] or standardize methodologies and metrics”.

In the UK, the Information Commissioner’s Office released its PETs Guidance in June 2023, which is likewise explanatory in nature.

The non-binding nature of Singapore’s guidance on PETs, designed to encourage organisations to integrate PETs across business use cases, largely mirrors the light-touch approach in other jurisdictions.

Even so, in the event of an investigation, Singapore’s regulators will look beyond the form of PET solutions and review their implementation for substantive compliance with data protection laws.