31 August 2020
Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Personal Data Protection Commission.
The Singapore Personal Data Protection Act (PDPA)1 has long stood out as an example of Singapore’s pragmatic approach to legislation, creating an effective framework for the protection and enforcement of consumer privacy while ensuring the flexibility necessary to allow innovative, data-intensive applications and business models to flourish.
Creating a framework that protects the personal data of individuals, supports consumer trust in the digital economy, and enables innovation in data-intensive solutions is critical for economic growth and recovery. Such policies underpin the application of advanced technologies, such as cloud computing, data analytics, and artificial intelligence, to some of societies’ most significant challenges, from tackling climate change to responding to public health emergencies and many others. Countries throughout the Asia Pacific, and indeed the globe, may glean important lessons from Singapore’s experience, including the recent amendments to the PDPA.
Singapore enacted the PDPA on 20 November 2012. However, a lot has happened in the world since then. The fundamental role of information technology in all aspects of human life has only accelerated. Software-enabled solutions, such as cloud computing, data analytics, and artificial intelligence, have enhanced the capabilities and benefits of this technology in astounding ways. Both the growth and value of data driving this transformation have exploded.2 The country has accordingly sought to update the law to reflect these new circumstances.
On 14 May 2020, Singapore’s Personal Data Protection Commission (PDPC)3 and the Ministry of Communications and Information (MCI)4 released proposed amendments to the PDPA for public feedback.5 This followed a multi-year process, beginning in 2017, in which the PDPC released no fewer than three public consultations,6 soliciting input from interested stakeholders on a range of issues including exceptions and expansions regarding consent and legitimate interest, data breach notification, and data portability.
One important lesson from Singapore’s experience is the need for stakeholder input in updating laws. Among citizens and policymakers alike, awareness of the risks associated with data has risen.
Moreover, the legal landscape around privacy has also shifted worldwide. The General Data Protection Regulation (GDPR) replaced the European Data Protection Directive in 2018.7 Japan amended its personal data protection law (the Act on the Protection of Personal Information) in 2016,8 and the Government of Japan and the European Commission recognised each jurisdiction’s laws and practices as satisfying the requirements of the other’s in 2019.9 In the Asia Pacific region alone, numerous countries have introduced, are introducing, or are revising their personal data protection regimes.10
In this context, it is critical for regulators to hear from citizens and companies not only about the risks involved in processing data, but about how other privacy laws worldwide address those risks and whether those approaches work in their own jurisdiction.
The proposed amendments to the PDPA represent the culmination of years of consultation with citizens, academia, foreign government counterparts, and industry. It is an example of policy making that other countries should consider.
According to the PDPC’s website, the proposed amendments “aim to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.”11
To achieve these goals, the PDPC has proposed to amend the PDPA.
It is important to acknowledge how the proposed amendments to Singapore’s PDPA can contribute to the international dialogue to drive further convergence and interoperability among personal data protection laws throughout the Asia Pacific region and the world.
Because so much commerce is conducted on a transnational or global basis, it is essential for governments to work together to develop effective systems that both support consumer rights and trust in the digital economy and enable innovation and investment in bold new data-intensive solutions to address the world’s increasingly complex challenges.
Three elements of Singapore’s proposed amendments to the PDPA should become a foundational basis for international approaches to privacy and personal data protection.
In the interconnected world of technology and global commerce, ensuring that rules designed to protect the citizens of one country are interoperable with those imposed on organisations by other countries is paramount. As countries design, implement, or reform personal data protection systems, it is critical they conduct meaningful consultations with industry and other stakeholders and inform themselves of how similar laws and rules are applied in other markets.
Beyond this, countries should commit to substantive international discussions amongst themselves to identify privacy best practices and areas of legal and regulatory convergence to enhance consumer protections while enabling organisations to benefit from cutting-edge data-intensive solutions. Countries throughout Southeast Asia and the Asia Pacific have an opportunity to build a regional approach to effective data protection policies that could form the basis for global norms.
Singapore can provide an excellent model both in the conduct of its consultations with stakeholders and in the substantive provisions the PDPC is proposing to introduce into the PDPA.
Realising such aspirations of regional cooperation and convergence would enhance customer trust, which is essential for sustained development of innovative new data-intensive solutions. This would establish a firm basis for the rapid economic recovery and growth on which people and nations are now so desperately depending.
1 Personal Data Protection Act 2012 (No. 26 of 2012) at: https://sso.agc.gov.sg/Act/PDPA2012
2 The Cross-Border Movement of Data: Creating Jobs and Trust in Every Sector available at https://www.globaldataalliance.org; Casalini, F. and J. López González (2019), "Trade and Cross-Border Data Flows", OECD Trade Policy Papers, No. 220, OECD Publishing, Paris, https://doi.org/10.1787/b2023a47-en
5 Public Consultation Paper Issued by the Ministry of Communications and Information and the Personal Data Protection Commission, 14 May 2020 at: https://www.mci.gov.sg. See the Personal Data Protection (Amendment) Bill 2020 at: https://www.mci.gov.sg
6 Public Consultation for Approaches to Managing Personal Data in the Digital Economy, 27 July 2017 at: www.pdpc.gov.sg; Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy, 27 April 2018 at: https://www.pdpc.gov.sg; Public Consultation on Review of the Personal Data Protection Act 2012 – Proposed Data Portability and Data Innovation Provisions, 22 May 2019 at: https://www.pdpc.gov.sg
10 E.g. India, Indonesia, South Korea, Malaysia, the Philippines, and Thailand, to name a few.
12 Public Consultation Paper, op. cit., para 13.
13 Public Consultation Paper, op. cit., para 20.
14 The Organisation for Economic Cooperation and Development (OECD) Privacy Framework at: http://www.oecd.org
15 The Asia Pacific Economic Cooperation (APEC) Privacy Framework at https://www.apec.org
16 PIPEDA, 4.1 – “Principle 1: Accountability: An organisation is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organisation’s compliance with the following principles” at https://laws-lois.justice.gc.ca
17 General Data Protection Regulation (GDPR), Article 5.2: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)” at https://gdpr-info.eu
18 Singapore Now Recognises APEC CBPR and PRP Certifications Under PDPA, 02 June 2020 at https://www.pdpc.gov.sg