In early 2019, Singapore’s data
privacy regulators proposed that the country’s data privacy law could use two
new updates—a data breach notification requirement and a right of data
portability for the country’s residents.
The proposed additions are
commonplace in several data privacy laws around the world, including, most
notably, the European Union General Data Protection Regulation, or GDPR, a sweeping
set of data protections that came into effect two years ago.
If Singapore approves its two updates, it would be the latest country in a long line of other countries to align their own data privacy laws with GDPR.
The appeal is clear: Countries
that closely hew their own data privacy laws to GDPR have a better shot at
obtaining what is called an “adequacy determination” from the European
Commission, meaning those countries can legally transfer data between themselves
and the EU.
Such a data transfer regime is key
to engaging in today’s economy, said D. Reed Freeman Jr., cybersecurity and
privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler
Pickering Hale and Dorr. If anything, the proposed appeal to GDPR is as much an
economic decision as it is one of data privacy rights.
“The world’s economy depends on data flows, and the more restrictive the data flows are, the better,” Freeman said. “Multinational [organizations] in Singapore would like to have an adequacy determination.”
Singapore’s Personal Data Protection Act
On October 15, 2012, Singapore passed its data protection law, the Personal Data Protection Act (PDPA), putting into place new rules for the collection, use, and disclosure of personal data. The PDPA did two other things. It created a national “Do Not Call” register and it established the country’s primary data protection authority, the Personal Data Protection Commission.
For years, the Personal Data Protection Commission has issued warnings to organizations that violate the country’s data protection law, publishing their decisions for the public to read. It is the same commission responsible for the current attempts to update the law.
Today, Singaporeans enjoy some of the same data protection
rights found in the European Union and even in California.
For starters, Singaporeans have the right to request that an
organization hand over any personal data that belongs to them. Further,
Singaporeans also have the right to correct that personal data should they find
any errors or omissions.
Singapore’s data privacy law also includes restrictions for how
organizations collect, use, or disclose the personal data of Singaporeans.
According to the PDPA, organizations must obtain “consent” before
collecting, using, or disclosing personal data (more on that below). Organizations
must also abide by “purpose” limitations, meaning that they can “collect, use
or disclose personal data about an individual only for purposes that a
reasonable person would consider appropriate in the circumstances and, if
applicable, have been notified to the individual concerned.” Organizations must
notify individuals about planned collection, use, and disclosure of personal
data, and collected personal data must be accurate.
Further, any personal data in an organization’s possession
must be protected through the implementation of “reasonable security
arrangements to prevent unauthorized access, collection, use, disclosure,
copying, modification, disposal or similar risks.” And organizations also have
to “cease to retain” documents that contain personal data, or “remove the means
by which the personal data can be associated with particular individuals” after
the purpose for collecting personal data ends.
While these rules sound similar to GDPR, there are discrepancies—including
how Singapore and the EU approach “consent.” In Singapore’s PDPA, consent is
not required to collect personal data when that data is publicly available, is
necessary for broadly defined “evaluative purposes,” or collected solely for “artistic
or literary purposes.” In the EU, there are no similar exceptions.
Two other areas where the laws differ are, of course, data portability
and data breach notification requirements. Singapore’s law has none.
Proposed data privacy additions
On February 25, 2019, Singapore’s Personal Data Protection Commission published a “discussion paper” on data portability, explaining the benefits of adding a data portability requirement to the PDPA.
“Data portability, whereby users are empowered to authorize
the movement of their personal data across organizations, can boost data flows
and support greater data sharing in a digital economy both within and across
sectors,” the PDPC said in a press release.
With a right data portability, individuals can request that
organizations hand over their personal data in a format that lets them easily move
it to another provider and basically plug it in for immediate use. Think of it
like taking your email contacts from one email provider to another, but on a
much larger scale and with potentially less value—it’s not like your Facebook status
updates from 2008 will do you much good on Twitter today.
Less than one week after publishing its data portability discussion paper, the Personal Data Protection Commission also announced plans to add a data breach notification requirement to the PDPA.
The Personal Data Protection Commission proposed that if organizations
suffered a data breach that potentially harmed individuals, those individuals
and the PDPC itself would need to be notified. Further, even if a data breach
brought no potential harm to individuals, organizations would need to notify
the PDPC if more than 500 people’s personal data was affected.
Following public consultations, the data portability requirement was well-received.
Why attempt data privacy updates now?
Aligning a country’s data protection laws with the protections provided in GDPR is nothing new, and in fact, multiple countries around the world are currently engaged in the same process. But Singapore’s timing could potentially be further pinned down to another GDPR development in early January of 2019—an adequacy determination granted by the European Commission to another country, Japan.
Wilmer Hale’s Freeman said it is likely that Singapore looked to Japan and wanted the same.
“[Singapore] is competing in the Asia market and in the
global market, and I would suspect that the leaders in Singapore saw what
happened in Japan, asked the relevant people at the Commission, ‘What do we
need to do to get that?’ and were told ‘If you line up [PDPA] pretty close, we
have a good chance of getting an adequacy determination.’” Freeman said.
Freeman explained that, in recent history, obtaining an
adequacy determination relies on whether a country’s data protection laws are similar
“Over time, it’s been sort of short-hand thought of as ‘adequacy’
means something close to ‘equivalent,’” Freeman said.
As to the importance, Freeman explained that any
multinational business that wants to move data between its home country and the
EU must, per the rules of GDPR, obtain an adequacy determination. No
determination, no legal opportunity to engage in the world’s economy.
“If you’re a multinational company and you have employees and customers in Europe, and you want to store the data at the home office in Singapore, you need a lawful basis to do that,” Freeman said. An adequacy determination is that legal basis, Freeman said, and it’s far more difficult to “undo” an adequacy determination than it is a bilateral agreement, like the one struck down by the Court of Justice for the European Union between the EU and the United States.
Don’t reinvent the data privacy wheel
Singapore has not proposed a time frame for when it wants to
finalize the data portability rights and data breach notification requirements.
Nor has it specified the actual regulations it would put in place—including how
long before the Personal Data Protection Commission would enforce the new
requirements, or what those enforcement actions would entail.
Freeman suggested that when the Singaporean government clarifies
its proposals, it look to its neighbors across the world who have grappled with
the same questions on data breach notifications and data portability.
For data portability, Freeman explained that many large corporations have already struggled to comply with the rules both in GDPR and in the California Consumer Privacy Act, not because of an inability to do so, but because providing such in-depth data access to individuals requires understanding all the places where an individual’s personal data can live.
“Is it stored locally? On servers in different places? Is it in email? In instant messaging? On posts?” Freeman said.
For data breach notification requirements, Freeman also said
that it makes little sense to create something “out of whole cloth” that will
create new burdens on multinational businesses that already have to comply with
the data breach notification requirements in GDPR and in the 50 US states.
It’s better to find what currently works, Freeman said, and