Last updated on November 5, 2025
No. Under Singapore’s Personal Data Protection Act (PDPA), organisations must obtain informed consent before collecting, using, or disclosing biometric data such as facial images. Deploying an AI-driven ATM that records facial data without explicit consent would breach PDPA obligations and expose the organisation to enforcement actions and significant financial penalties.
Why Consent Is Non-Negotiable
Singapore’s PDPA, first enacted in 2012 and updated through amendments in 2020, is the cornerstone of personal data protection in the country. It governs how organisations collect, use, and disclose personal data, including biometric identifiers like facial images. Biometric data is considered highly sensitive because, unlike passwords, it cannot be changed once compromised. This immutable nature makes misuse particularly damaging, which is why the law imposes strict requirements on organisations handling such data.
Under the PDPA, consent is the foundation of lawful data collection. Organisations must inform individuals of the purpose for collecting their data and obtain clear, voluntary agreement before proceeding. This applies to all sectors, including financial services, where ATMs equipped with facial recognition technology are increasingly common. Without explicit consent, recording biometric data is a violation of the Act.
The Regulatory Framework
The Personal Data Protection Commission (PDPC) enforces the PDPA and issues guidelines to help organisations comply. In May 2022, the PDPC published the Guide on Responsible Use of Biometric Data in Security Applications, outlining best practices for safeguarding biometric information. These include implementing robust security measures, limiting data retention, and ensuring transparency in data handling.
For AI-driven systems, additional governance principles apply. Singapore’s Model AI Governance Framework, launched under the National AI Strategy, emphasizes fairness, accountability, and transparency in AI deployment. Financial institutions, regulated by the Monetary Authority of Singapore (MAS), must also adhere to sector-specific AI risk management guidelines, which require clear oversight and ethical use of technology.
Cultural and Practical Context
Singapore positions itself as a global leader in digital trust. The government actively promotes innovation while maintaining strong safeguards for privacy and security. Public confidence in AI and biometric technologies depends on responsible practices, and breaches can erode trust rapidly. High-profile cases involving misuse of biometric data have prompted stricter enforcement and public education campaigns, such as the annual Personal Data Protection Week.
What Happens If You Ignore the Law?
Non-compliance with the PDPA carries severe consequences. Organisations can face financial penalties of up to 10% of annual turnover for large entities, alongside reputational damage and potential civil claims. The PDPC has the authority to investigate, issue directions, and impose sanctions on organisations that fail to meet their obligations.
The Bigger Picture
Biometric technology offers convenience and security, but it also introduces significant privacy risks. Singapore’s regulatory approach balances these factors by requiring consent and accountability. For businesses, compliance is not just a legal requirement—it is a competitive advantage in a market that values trust and transparency.
The Bottom Line
Deploying an AI-driven ATM that records facial data without explicit consent is not allowed in Singapore. Organisations must secure informed consent, implement strong data protection measures, and align with both PDPA and AI governance principles. Doing so ensures legal compliance and reinforces public trust in emerging technologies.
See more on Singapore
Sources
Guide on Responsible Use of Biometric Data in Security Applications – PDPC
https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Biometric_17May2022.pdf
Ongoing
Personal Data Protection Act 2012 – Singapore Statutes Online
https://sso.agc.gov.sg/Act/PDPA2012
Ongoing