Article contributed by BSA

31 August 2020

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Personal Data Protection Commission.

The Singapore Personal Data Protection Act (PDPA)[1] has long stood out as an example of Singapore’s pragmatic approach to legislation, creating an effective framework for the protection and enforcement of consumer privacy while ensuring the flexibility necessary to allow innovative, data-intensive applications and business models to flourish.

Creating a framework that protects the personal data of individuals, supports consumer trust in the digital economy, and enables innovation in data-intensive solutions is critical for economic growth and recovery. Such policies underpin the application of advanced technologies, such as cloud computing, data analytics, and artificial intelligence, to some of society’s most significant challenges, from tackling climate change to responding to public health emergencies and many others. Countries throughout the Asia Pacific, and indeed the globe, may glean important lessons from Singapore’s experience, including the recent amendments to the PDPA.

Background

Singapore enacted the PDPA on 20 November 2012. However, a lot has happened in the world since the law was enacted in 2012. The fundamental role of information technology in all aspects of human life has only accelerated. Software-enabled solutions, such as cloud computing, data analytics, and artificial intelligence, have enhanced the capabilities and benefits of this technology in astounding ways. Both the growth and the value of the data driving this transformation have exploded.[2] The country has accordingly sought to update the law to reflect these new circumstances.

On 14 May 2020, Singapore’s Personal Data Protection Commission (PDPC)[3] and the Ministry of Communications and Information (MCI)[4] released proposed amendments to the PDPA for public feedback.[5] This followed a multi-year process, beginning in 2017, in which the PDPC released no fewer than three public consultations,[6] soliciting input from interested stakeholders on a range of issues including exceptions and expansions regarding consent and legitimate interest, data breach notification, and data portability.

One important lesson from Singapore’s experience is the need for stakeholder input in updating laws. Among citizens and policymakers alike, awareness of the risks associated with data has risen.

Moreover, the legal landscape around privacy has also shifted worldwide. The General Data Protection Regulation (GDPR) replaced the European Data Protection Directive in 2018.[7] Japan amended its personal data protection law (the Act on the Protection of Personal Information) in 2016,[8] and the Government of Japan and the European Commission recognised each jurisdiction’s laws and practices as satisfying the requirements of the other’s in 2019.[9] In the Asia Pacific region alone, numerous countries have introduced, are introducing, or are revising their personal data protection regimes.[10]

In this context, it is critical for regulators to hear from citizens and companies not only about the risks involved in processing data, but about how other privacy laws worldwide address those risks and whether those approaches work in their own jurisdiction.

The proposed amendments to the PDPA represent the culmination of years of consultation with citizens, academia, foreign government counterparts, and industry. It is an example of policy making that other countries should consider.

Proposed Amendments

According to the PDPC’s website, the proposed amendments “aim to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.”[11]

To achieve these goals, the PDPC has proposed the following amendments to the PDPA.

  • Mandatory breach notification: The PDPC recognises that personal data breach notification requirements are “central to organisational accountability because they encourage organisations to establish risk-based internal monitoring and reporting systems to detect data incidents.”[12]

    In the event of a data breach, an organisation’s first priority must be to understand the nature of the breach and take measures to stop any ongoing harm and prevent further data leakage. Under the proposed amendments, an affected organisation is required to provide notice to individuals “as soon as practicable” upon determining that it has suffered a notifiable data breach.[13] To ensure an organisation suffering a data breach can devote the necessary resources to investigating and mitigating it, applying the same “as soon as practicable” standard to notifications to the PDPC, rather than requiring such notification within three days as currently proposed, could be considered.

    Also, it is critical that a mandatory data breach notification system is designed so that the obligation to report to consumers and regulators applies only to meaningful notifications. Accordingly, the proposed data breach notification system exempts an organisation from the obligation to notify consumers when the organisation has taken remedial action or has implemented technological protections, such as encrypting the data. The same limitations could be applied to an organisation’s obligation to notify the PDPC, to avoid diluting meaningful breach notifications and causing an influx of reports about breaches for which there is little or no material risk of harm to consumers.

  • Consumer Rights: Data protection laws worldwide provide consumers with rights over their personal data. In amending the PDPA, the PDPC is introducing a new consumer right, allowing data subjects to request personal data be transferred from one organisation to another. As with all rights and obligations, several factors need to be considered for the purpose of the policy to be achieved without imposing unintended costs or other unnecessary burdens on consumers or organisations.

    The PDPC recognises the need to limit an organisation’s data portability obligations to individuals with whom the organisation has an existing direct relationship and to user-provided and user activity data, excluding “derived personal data” from the obligations. These are important distinctions and need to be carefully defined to avoid confusion.

  • Enforcement: Effective enforcement mechanisms are essential for the implementation of any personal data protection system. However, it should be carefully considered whether the proposed introduction of criminal liability for knowing or reckless unauthorised disclosure of personal data is necessary. This is out of step with global norms, as criminal penalties are not proportionate remedies for violation of data protection laws. Furthermore, the imposition of a 10% revenue cap on civil penalties also risks excessive or disproportionate penalties for violations of the PDPA.

International Leadership

It is important to acknowledge how the proposed amendments to Singapore’s PDPA can contribute to the international dialogue to drive further convergence and interoperability among personal data protection laws throughout the Asia Pacific region and the world.

Because so much commerce is conducted on a transnational or global basis, it is essential for governments to work together to develop effective systems that both support consumer rights and trust in the digital economy and enable innovation and investment in bold new data-intensive solutions to address the world’s increasingly complex challenges.

Three elements of Singapore’s proposed amendments to the PDPA should become a foundational basis for international approaches to privacy and personal data protection.

  • Accountability Principle: A central tenet of the proposed amendments is to align the PDPA more explicitly with the Accountability Principle, as articulated in the Organisation for Economic Cooperation and Development (OECD) Privacy Framework[14] and the Asia Pacific Economic Cooperation (APEC) Privacy Framework,[15] and implemented in domestic laws and other regulations including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)[16] and the GDPR.[17] Under the accountability principle, the data controller’s obligations and commitment remain, even when the personal data is in the custody of a personal data processor.

  • Grounds for Processing Beyond Explicit Consent: The proposals to 1) expand the scope of deemed consent for handling personal data to include contractual necessity and notification, and 2) introduce additional legal bases for collecting, using, and disclosing personal data, including the legitimate interests of an organisation, benefits to the public, and specific business improvement purposes, will facilitate greater data utilisation while effectively protecting the privacy and related interests of consumers.

  • International Data Transfers: Singapore’s approach to personal data protection should also be a foundation for regional and international convergence around international data transfers. Personal data protection regimes should enable and encourage global data flows, which underpin the global economy, and should prohibit data localisation requirements for both the public and private sectors, which can frustrate efforts to implement security measures, impede business innovation, and limit services available to consumers. Organisations that transfer data globally should implement procedures to ensure the data transferred outside of the country continues to be protected, and should remain accountable no matter where the data is stored or processed, or by whom.

    In this regard, it is exciting that the PDPC is explicitly recognising the APEC Cross Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System certifications as an additional valid mechanism to transfer data internationally.[18]

Conclusion

In the interconnected world of technology and global commerce, ensuring rules designed to protect the citizens of one country are interoperable with those imposed on organisations by other countries is paramount. As countries design, implement, or reform personal data protection systems, it is critical they conduct meaningful consultations with industry and other stakeholders and inform themselves of how similar such laws and rules are applied in other markets.

Beyond this, countries should commit to substantive international discussions amongst themselves to identify privacy best practices and areas of legal and regulatory convergence, to enhance consumer protections while enabling organisations to benefit from cutting-edge data-intensive solutions. Countries throughout Southeast Asia and the Asia Pacific have an opportunity to build a regional approach to effective data protection policies that could form the basis for global norms.

Singapore can provide an excellent model both in the conduct of its consultations with stakeholders and in the substantive provisions the PDPC is proposing to introduce into the PDPA.

Realising such aspirations of regional cooperation and convergence would enhance customer trust, which is essential for the sustained development of innovative new data-intensive solutions. This would establish a firm basis for the rapid economic recovery and growth on which people and nations are now so desperately depending.

[1] Personal Data Protection Act 2012 (No. 26 of 2012) at: https://sso.agc.gov.sg/Act/PDPA2012

[2] The Cross-Border Movement of Data: Creating Jobs and Trust in Every Sector, available at https://www.globaldataalliance.org; Casalini, F. and J. López González (2019), "Trade and Cross-Border Data Flows", OECD Trade Policy Papers, No. 220, OECD Publishing, Paris, https://doi.org/10.1787/b2023a47-en

[3] https://www.pdpc.gov.sg

[4] https://www.mci.gov.sg

[5] Public Consultation Paper Issued by the Ministry of Communications and Information and the Personal Data Protection Commission, 14 May 20 at: https://www.mci.gov.sg. See the Personal Data Protection (Amendment) Bill 2020 at: https://www.mci.gov.sg

[6] Public Consultation for Approaches to Managing Personal Data in the Digital Economy, 27 July 2017 at: www.pdpc.gov.sg; Public Consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy, 27 April 2018 at: https://www.pdpc.gov.sg; Public Consultation on Review of the Personal Data Protection Act 2012 – Proposed Data Portability and Data Innovation Provisions, 22 May 2019 at: https://www.pdpc.gov.sg

[7] https://gdpr-info.eu/

[8] https://www.ppc.go.jp

[9] https://eur-lex.europa.eu/legal-content/EN/

[10] E.g. India, Indonesia, South Korea, Malaysia, the Philippines, and Thailand, to name a few.

[11] https://www.pdpc.gov.sg

[12] Public Consultation Paper, op. cit., para 13.

[13] Public Consultation Paper, op. cit., para 20.

[14] The Organisation for Economic Cooperation and Development (OECD) Privacy Framework at: http://www.oecd.org

[15] The Asia Pacific Economic Cooperation (APEC) Privacy Framework at: https://www.apec.org

[16] PIPEDA, 4.1 – “Principle 1: Accountability: An organisation is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organisation’s compliance with the following principles” at: https://laws-lois.justice.gc.ca

[17] General Data Protection Regulation (GDPR), Article 5.2: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)” at: https://gdpr-info.eu

[18] Singapore Now Recognises APEC CBPR and PRP Certifications Under PDPA, 02 June 2020 at: https://www.pdpc.gov.sg