Opening Remarks by Commissioner, Mr Lew Chuen Hong, at International Association of Privacy Professionals (IAPP) Asia Privacy Forum 2022, on 18 July 2022

18 Jul 2022

1. A very good morning. It is a real pleasure to be here at the IAPP Asia Privacy Forum 2022, and of course to see everybody gathered here face-to-face once again.

2. Firstly, I would like to extend a very warm welcome to all our distinguished guests, in particular, my counterparts – Mr Leandro Aguirre, Deputy Commissioner for the Philippines National Privacy Commission, Mr Haji Jailani bin Haji Buntar, Chief Executive of Brunei’s Authority for Info-Communications Technology Industry, who are here in person. And of course, a welcome to Dr. Jong In Yoon, Chairperson, Personal Information Protection Commission from the Republic of Korea and Ms. Ada Chung Lai-ling, the Privacy Commissioner for Personal Data of Hong Kong, who are attending this event virtually.

Building Back Better after the global pandemic

3. We’re living in a really interesting time right now. It has been more than two years since the onset of the COVID-19 pandemic, and that has obviously been a great disruptor. As we sit here, perhaps it’s only clear on hindsight that data plays an extremely key role in some of the simplest things. We saw very clearly how data, and trusted use of data, was critical to enable contact tracing. In Singapore, PDPC was at the forefront in the early days to try to establish some trust related to the collection, use and disclosure of personal data, to manage this crisis. It was important to issue clear directions to support that broader collaboration, to assuage the general population, and to allow the proper use of sharing of personal data. As we emerged from lock down, we also issued advisories to support employers who had to implement safe management measures to ensure a safe working environment for all our employees returning to the workplace.

4. The COVID-19 had a direct impact of a much larger underlying structural trend, which is the rapid acceleration of the digital economy. The digital economy has always been growing strongly, perhaps exponentially. I think all of us realise that what COVID did over the past few years has sensitised people to the digital and the importance of data, probably achieved in a very short period of time that would have taken 10 times as long.

5. Opportunities really abound in this much larger, growing digital economy. It is not constrained by any physical land or geographical boundaries. The world, including Singapore, has seen a corresponding and exponential increase in data generation and data flows. We all know data is non-rivalrous. In many ways, we liken it to capital. And the increase velocity of that data, just as the velocity of capital and the re-use of data, generates even greater benefits for the overall society.

6. As PDPC, we always think of ourselves as an innovative regulator. The term “innovative regulator” is not an oxymoron. We are here to help our businesses maximise the benefits from data innovations and seizing those opportunities while ensuring their data is well-protected.

7. We did a few things. I’m just going to highlight two. First, we enhanced our personal data protection law and implemented programmes to support the use by businesses, while strengthening enforcement to ensure that we protect the data. Second, we continued to support Singapore’s businesses to grow and expand into global markets, as well as to push the frontiers as far as technology is concerned in this space.

Enhancements made to our laws and programmes in the midst of the COVID-19 pandemic

A. Amendments to the Personal Data Protection Act (“PDPA”)

8. It is the 10th anniversary of the PDPA. Last year, we introduced amendments to strengthen that. Prior to the latest amendments, our law provided organisations with some limited exceptions where they could use personal data without consent. This included situations where the use was clearly in the interest of the individual, or response to emergencies or investigations. We heard businesses when they asked for greater clarity to use personal data. This include improving their business operations, conducting research & development and understanding customer preferences better. So, in November of 2020, during the height of the pandemic, we moved the PDPA amendments to allow businesses to use personal data for business improvement purposes and providing them exceptions.

9. Businesses also expressed the need to use personal data for legitimate purposes such as detecting fraud and ensuring the security of their systems. The PDPA was therefore amended to allow that use for legitimate interests.

10. To support data sharing for organisations where there are many layers of outsourcing, the PDPA was amended to include deemed consent for contractual necessity.

11. All of these, while they enable businesses to make use of data with greater clarity and certainty, we also strengthened the need for businesses to be responsible and accountable for these added exceptions. Accountability is now an explicit principle under the PDPA, and a key obligation. Through introduction of tools such as data protection management programmes and data protection impact assessments, we helped organisations get ready for this change. Organisations are required to demonstrate accountability. If they have good practices in place, they will be able to detect breaches first, and be able to deal with that either in their operations or to file a mandatory data breach notification.

12. Finally, amendments made to the PDPA has enhanced the Commission’s enforcement powers. We can resolve cases through voluntary undertakings. From 1 October this year, there will be an increase in the maximum financial penalty that may be imposed from the existing cap of $1 million to 10% of an organisation’s annual turnover in Singapore, when this exceeds $10 million.

B. Enhancing our programmes to help businesses reap the benefits

13. Ultimately, it goes beyond just data protection in Singapore. It is really about making Singapore a business hub, and facilitating data flows in Singapore and around the region. As a regulator, it is important that we put in place programmes that translate all of these to enable SMEs to use personal data, not just in a local context but regionally.

14. Firstly, to help businesses use personal data, PDPC supported IMDA in introducing the Better Data Driven Business Programme. The BDDB Programme, as we call it, provides businesses with an easy-to-use and free business intelligence tool to analyse and use data in a meaningful way, and these tools are open source and readily available on our website. The thesis is that if you come at it purely from an enforcement or compliance perspective, there will be a certain limit to what you can do, but if you translate that data protection as far as business needs are concerned, and it’s baked into what the businesses would like to see, I think it will increase the overall level of data protection. These tools cover many of these business areas, from growing product sales, improving HR planning, to identifying top performing customer segments. And because they are built in with data protection practices, they ensure that personal data is protected even while businesses innovate and grow.

15. To help businesses acquire a basic level of data protection, we also recently introduced the Data Protection Essentials (DPE) Programme, or the DPE as we call it. Embarking on the DPE Programme will ensure that SMEs can cover the core basics: for example, helping them with default configurations, to disabling things like auto-forwarding of emails to the ability to back up your data and even keeping your data encrypted. The DPE Programme ensures that the data that is used is always protected, even in the event of a personal data breach.

C. Supporting more advanced users of data

16. Even as we seek to support SMEs in the use and protection of personal data, the PDPC is supportive of the more advanced users of personal data who have embraced the latest technologies ranging from cloud services, anonymization, biometric data and blockchain technology. A key part of our work involves identifying the issues that may arise when organisations seek to use these new technologies, and to enable them to use that well.

17. I am pleased to share that we are releasing two such guides today. First, our Guide to Data Protection Considerations for Blockchain Design will highlight how organisations can implement personal data protection by design for their applications when they use blockchain technology. Second, we are also releasing an easy-to-follow infographic guide for SMEs that use cloud services for apps. We have seen from the personal data breaches that some of the issues lie in the app layer under the control of the app owners, and not necessarily the platform or infra layers that cloud service providers take care of. We have therefore set out some basic safeguards in this infographic guide.

18. In March this year, we released an updated version of our Guide to Basic Anonymisation to promote and encourage anonymisation when using personal data. This updated Guide provides a more practical perspective providing use cases and examples. In addition, we also provided a free tool for organisations to start to perform basic anonymisation on their data. Recently, we were pleasantly surprised that our Spanish counterpart, which we collaborate with closely, wished to translate our Guide and tool into Spanish to use within their local context, and the PDPC was most happy to support.

Supporting SMEs to reach consumers and markets overseas

19. Finally, I wish to share about PDPC’s efforts to support growing that global presence in the digital economy.

20. There is great diversity in the personal data protection laws globally. This means that PDPC has to pursue multiple initiatives to support our businesses in cross-border transfers of data, including personal data.

21. Singapore is a supporter and co-convener of the WTO Joint Statement Initiative on E-Commerce. The e-commerce chapters of many of our Digital Economy and free trade agreements affirmed the mutual obligation on parties to allow the free flow of data. They also affirmed the need on parties to avoid imposing the use or location of local computing facilities or data as a condition for conducting businesses. Singapore has also signed several Digital Economy Agreements, most recently, with the United Kingdom. We have implemented APEC CBPR and is also one of the pioneers in supporting its expansion into the Global CBPR.

22. Singapore is also a key part of ASEAN. The data protection maturity in ASEAN is developing and diverse. Some countries have different data protection regulations in place and others rely on sectoral regulations. In the face of this diversity, contracts are an easy way to ensure a common baseline standard of protection. PDPC has led the efforts within ASEAN to develop the ASEAN Model Contractual Clauses. The main beneficiaries are SMEs in the region. Some SMEs may not be able to afford comprehensive legal advice can use these ASEAN MCCs as a template. I am also pleased that apart from Singapore, the Philippines have recognised the ASEAN MCCs as meeting our respective obligations to allow the transfers of data.

Conclusion

23. In conclusion, PDPC and Singapore will continue to collaborate with other data protection authorities globally to promote and enhance personal data protection. We aim to keep our data protection regime at the forefront and, at the same time, we aim to translate them into bite-sized pieces that enable businesses to use the PDPA to advance business and advance innovation. Finally, we aim to build a much broader and encompassing international ecosystem both within ASEAN, the Asia-Pacific as well as around the world to enable the free flow of data that is fundamentally the core of the digital economy.

24. With that, it remains for me to thank you for your kind presence today, and it is a great pleasure to see everybody back in Singapore again. Thank you very much.

Tags: