Speech by PDPC Commissioner Tan Kiat How at the Data Protection Seminar and Book Launch on Thursday, 4 October 2018, at NUS Law Bukit Timah Campus
05 Oct 2018
1. Good evening all, it is my pleasure to be able to attend this book launch and data protection seminar, and address this gathering of legal and data protection professionals.
The Driver Behind the 4th Industrial Revolution
2. Since the release of the first edition of “Data Protection Law in Singapore: Privacy and Sovereignty in an Interconnected World” five years ago, much has changed in the technology landscape. Digital has become the driving force of the 4th industrial revolution, and the importance of data has stepped into the forefront in discussions amongst policy makers, legislators and trade negotiators.
3. The promise of increased productivity in business operations, as well as opportunities in the form of new services are just a couple of ways in which data has become the key piece of the puzzle in Singapore’s progression as a digital economy. With new services come new opportunities for jobs and growth. This promise extends beyond the traditional retrospection of data analytics, that focuses utilising historical trends to inform design decisions. With the advent of technologies such as artificial intelligence, technology enables the translation of historical data into opportunities for organisations to enhance the way they interact and serve their customers interactively through recommender engines and such like.
4. In harnessing the value of data through analytics and even artificial intelligence, the ability to use and share personal data innovatively can translate to a competitive advantage for businesses.
5. From Lazada to Grab to Netflix, we see positive signs from organisations in their embrace of digital opportunities. Organisations are beginning to improve their products and services to customers, such as using AI to offer recommendations as a dynamic, targeted feature that understands and predicts their customers’ purchasing behaviour.
A Progressive Data Protection Regime
6. This sea change in how data is generated and utilized affects both citizens and businesses in ways that are clearly changing business models and approaches to personal data.
7. In this increasingly complex digital world, personal data protection concerns are understandable and inevitable. While users may enjoy the benefits of emerging technologies, the extent of personal data being gathered or shared is not so transparent.
8. From our geo-location, to our online and real world activities, the majority of personal data being collected and used has changed drastically with emerging technologies, where user activity and observable data are much more useful and their volume is eclipsing traditionally-declared and user provided data.
9. Unanticipated technological improvements highlight the impracticality for organisations to obtain consent, where new uses of personal data that are afforded by technologies cannot be foreseen and organisations are restricted by consent obtained in the past.
10. To respond to the evolving digital landscape five years on, it is a timely and necessary effort for a progressive data protection regime. Through progressive policies and standards, we will seek to meet the legitimate needs of organisations to collect, use and share personal data, and at the same time, promote increased accountability in organisations to safeguard consumer interest and trust.
11. We are currently reviewing the PDPA, and proposed enhancements to address these shifts are enhancements to the current consent-based framework through the introduction of “consent through notification” and “legitimate interest” as a basis for collection, use and disclosure of personal data, where benefits to the public are significant.
12. We are also encouraging organisations in their data-driven innovations by providing regulatory sandboxes and a guide to data sharing, which outlines the circumstances, exceptions and exemptions for organisations to share personal data in compliance with the PDPA. These efforts will allow organisations to have more flexibility in their data sharing-related activities and operations.
13. In the same vein, this book release of the second and updated edition of “Data Protection Law in Singapore” is opportune, as it examines how the legislation has kept pace with technological change, and how individual rights have been balanced against business interests in the course of enforcing the law.
14. The book also includes new chapters on two important topics: accountability and cross border data flows.
Our Pivot from Compliance to Accountability
15. We firmly believe that advanced technologies and new uses of data would be pointless without trust.
16. A lack of consumer trust in the collection and use of personal data would become a huge challenge to the successful adoption of technologies and related products. Without trust, organisations would not be able to leverage on data as a strategic asset, and reap the full benefits of technologies without consumer trust and consent. The findings from last year’s PDPC survey is a testament to this, where 66% of people surveyed indicated that they will lose trust in an organisation when personal data is being shared with other companies without consent.
17. While a nimble, balanced and forward-looking approach to tech regulations will provide an environment to build trust and facilitate innovation, organisational compliance to data protection laws will be necessary but no longer a sufficient condition in today’s competitive and data-driven landscape.
18. Accountability is an organisation’s promise to customers that their personal data will be handled respectfully and carefully. It is a demonstration that an organisation has put in place measures which pre-emptively identifies and addresses personal data risks.
19. Besides the adoption of accountability tools like risk assessments, data protection management programmes and consent registers, we see the pivot from compliance to accountability to also include a dialogue between corporate and consumer.
20. One of the channels for this dialogue would be a data protection trustmark, which will be both a statement and a promise to customers. Four in five of those we surveyed earlier this year indicated that they would be more willing and confident to share personal data with data protection trustmark certified companies.
21. For this, we are developing the Data Protection Trustmark certification scheme. This scheme will be an organisation’s insignia that it has put in place accountability and data protection by design practices. Organisations that have obtained the data protection trustmark will have that competitive advantage to gain consumer trust and loyalty
22. We have begun piloting the data protection trustmark certifications this year, working with organisations from diverse sectors to fine-tune the process and ensure the rigour of the certification processes before its official launch. We hope for more companies to come on board with this when we release the full certification process by early next year.
Safeguarding Cross Border Data Flows
23. In charting Singapore’s progression as a digital economy, let me now pivot to how the inflow and outflow of data also plays a crucial role and how as a trading economy, it is in our interest to facilitate cross border data flows.
24. According to McKinsey, over the past decade, international data flows have increased global GDP by about 10%. Between 2005 and 2015, global flows of data grew 45 times, and by the end of 2016, the raw volume of global data flows reached 400 terabits per second. The flow of data across borders will not slow down, and only set to increase exponentially, especially with the advent of disruptive technologies.
25. Many of these emerging technologies thrive on data and will require the movement of data across borders. For many organisations, especially global multi-national corporations, cross border data flows would prove vital for business operations, as regional offices may need data from other parts of the world.
26. As the ability of organisations to share data across borders becomes more seamless, the international marketplace naturally becomes more accessible, thereby facilitating global trade.
27. While digital trade and e-commerce provide unprecedented opportunities for organisations to enter the global market, there are still existing barriers to a free flow of data across borders.
28. For businesses operating in multiple geographical locations, there lies a need to comply with various countries’ data protection laws. Regulatory restrictions such as data localisation requirements is also a concerning trend in the region, as it leads to significant business costs and impedes competitiveness, especially for the small and medium enterprises (SMEs).
29. To tackle these challenges, we need to work with like-minded countries to safeguard the free movement of data. This includes supporting multilateral platforms that proactively facilitate the flow of data among countries, such as the APEC Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) system.
30. Organisations joining these systems gain manifold advantages. Firstly, APEC CBPR is recognised and enables cross-border data flow across APEC member countries. And secondly, as more organisations join the network, growing mutual trust will generate multiplier effects.
31. We have plans to integrate the Trustmark application with both the APEC CBPR and PRP registrations, to encourage and assure the flow of data between trusted companies both domestically and globally.
32. The landscape is ever-evolving, and in order for us to remain as nimble custodians of personal data, we urge the industry to continue working together with PDPC to stay relevant and competitive.
33. It is thus heartening for me to see the industry, PDPC and our communities of practice publish updated resources and organise events such as today’s seminar to discuss and share knowledge.
34. The “Data Protection Law in Singapore” book is a fine example of a useful material for organisations to step up their knowledge and capability development. I am certain that the book will be not just of interest to the business communities, but also the academic and legal spheres, as it highlights data protection issues that are being worked out in practice, and also the lessons that Singapore can learn from other jurisdictions, and vice versa.
35. We encourage you to think critically, share experiences and learn best practices on the use of emerging technologies, and work with us to continue building a robust, trusted data ecosystem that will drive this digital economy.
36. I wish you all a fruitful event, thank you.