- within Strategy, International Law and Tax topic(s)
Singapore Issues Draft Guidance on Personal Data Use in Generative AI
Singapore’s Personal Data Protection Commission proposed non-binding guidelines applying the Data Protection Act across the entire generative AI supply chain. The proposed framework addresses web scraping, consent, transparency, data minimisation, and accountability, while clarifying that organisations relying on personal data for AI development must adopt appropriate safeguards and provide AI-specific privacy notices where required. The consultation reflects Singapore’s continued efforts to promote responsible AI innovation alongside strong data protection standards.
Brazil introduces sector-specific AI governance rules for healthcare
Brazil’s Federal Council of Medicine (“CFM”) has adopted Resolution No. 2,454/2026, establishing a sector-specific governance framework for the use of AI in medical practice. The resolution requires that AI systems remain subject to meaningful human oversight, mandates transparency regarding AI use, and imposes safeguards for data protection, cybersecurity, documentation, and risk management. It also reinforces that physicians remain ultimately responsible for clinical decisions, even when AI tools are used. While Brazil has not yet enacted a comprehensive AI law, the resolution creates a binding governance standard for healthcare providers and AI vendors operating in the medical sector.
US House passes the KIDS Act
The U.S. House of Representatives passed the Kids Internet and Digital Safety Act on 29 June 2026, advancing a broad online child safety package covering social media platforms, AI chatbots and parental control mechanisms. The bill, approved by a 267-117 bipartisan vote, combines 14 digital safety proposals, including a revised version of the Kids Online Safety Act. If enacted, the framework would introduce new obligations for online platforms, including safeguards against harmful design features, protections for minors, and enhanced parental controls. However, the bill’s future remains uncertain, as Senate negotiations are expected, particularly around whether stronger “duty of care” obligations should apply to platforms.
US state Attorneys General increase enforcement of late data breach notifications
A growing number of U.S. state Attorneys General are treating late breach notifications as standalone violations, separate from the underlying data breach itself. Recent enforcement actions demonstrate that organizations may face penalties solely for failing to meet statutory notification deadlines, even where the underlying cybersecurity incident is adequately addressed. The development reflects an increasing enforcement focus on timely incident response, breach assessment, and regulatory reporting, underscoring the need for organizations to integrate legal notification requirements into their incident response plans.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.