Data protection in Singapore

I. Introduction

In the previous post, we examined the data governance framework in Australia. In this post, we examine the data governance framework of another country in the APAC region, namely Singapore, from the perspective of: data processing obligations (II);rights guaranteed to individuals (III); rules governing cross-border data flows (IV);the penal and enforcement framework (V); and the exemptions given to public agencies and law enforcement agencies (VI). Part VII concludes.

The Personal Data Protection Act, 2012 (“PDP Act”) governs data collection and use by the private sector in Singapore.[1] The PDP Act is administered by the Personal Data Protection Commission (“PDPC”). The Info‑communications Media Development Authority (“IMDA”), a statutory body under Singapore’s Ministry of Communications and Information, has been designated as the PDPC.[2]

Apart from governing the collection, use, and disclosure of personal data (collectively referred to as “processing” for the purpose of this post) by organisations, the PDP Act also establishes and regulates the Do Not Call Register.

II. Data processing obligations

Scope of the Act

The PDP Act does not apply to any public agency (including the government, ministries, departments or organs of the State, tribunals and statutory bodies); individuals acting in personal or domestic capacity; employees in the course of their employment; or business contact information.[3]

Unlike the EU General Data Protection Regulation (“GDPR”) and other regimes that follow it, the PDP Act does not use the language of data controllers and processors. It instead refers to “organisations”[4] and “data intermediaries”.

Obligations

Under the Act, organisations must develop and implement policies and practices necessary to meet their obligations under the law, including to respond to complaints arising in relation to the Act. In doing so, they must consider what a reasonable person would consider appropriate in the given circumstances.[5]

Notice and consent

Organisations must follow collection and purpose limitation principles while processing personal data.[6] They must also de-identify individuals or remove personal data that is no longer needed for the purpose for which it was collected, nor is it necessary for any legal or business purpose.[7]

The basis of collection, use, and disclosure of personal data under the PDP Act is consent, which comprises both express and deemed consent, and is given after an individual is notified about the original/revised purpose of collection of their personal data. Consent is deemed to have been given for a purpose when an individual voluntarily provides personal data to the organization for that purpose, or when it is reasonable that the individual would voluntarily provide such data.[8] Consent can also be withdrawn by an individual after giving reasonable notice to the organisation, and after being informed of the likely legal consequences of the withdrawal of such consent.[9]

In certain specific circumstances, personal data can be processed by organisations without consent, including:[10]

If it is necessary for any purpose that is clearly in the interest of the individual and consent cannot be obtained in a timely manner, or if the individual would not reasonably be expected to withhold consent;
If it is necessary to respond to an emergency that threatens the life, health, or safety of a person;
If the personal data is publicly available;
If the processing is in national interest;
If it is necessary for any investigation or proceedings;
If it is necessary for evaluative purpose;
If it is processed for the organization to recover a debt owed to the organization; and
If it is necessary for the provision of legal services.

III. Individual rights

The PDP Act grants individuals the right to access and correct data, subject to certain exceptions.[11] Apart from this, it also mandates organisations to make reasonable efforts to ensure that the personal data collected by or on their behalf is accurate and up to date, if it is likely to be used to make a decision affecting the concerned individual or is likely to be disclosed to another organisation.[12]

Organisations must also put in place reasonable security arrangements to protect the unauthorized access, collection, use, disclosure, or disposal of personal data in their possession or control.[13] The Act also regulates marketing activities that involve the processing of personal data.[14]

At present, the Act does not recognize a right to data portability, a right to be forgotten, right to data breach notification, or a right to object to automatic processing. Currently, there are only guidelines for the voluntary notification of data breaches.[15] In 2019, the PDPC had indicated[16] that it plans to introduce a mandatory data breach notification regime, although no amendment has been introduced so far.

IV. Cross-border data flows

Cross border data flows are permitted if they are in accordance with the requirements under the Act, and organisations ensure that the transferred personal data is subject to a similar standard of protection overseas.[17] However, organisations can apply to the PDPC for an exemption from complying with such requirements. The PDPC can approve such requests, subject to the conditions specified by it.[18]

The Personal Data Protection Regulations, 2014 provide further details on the mechanism of cross-border data flow, by requiring transferring organisations to take appropriate steps to ascertain and ensure that the recipient of the personal data outside Singapore is bound by “legally enforceable obligations” to provide a comparable standard of protection to the transferred personal data. The transfer of data overseas has to either have the consent of the individual; be necessary for the performance of a contract; be necessary in the national interest or the individual’s interest; be necessary to respond to an emergency that threatens the life, safety, or health of the individual or a third party; constitute data in transit; or be publicly available personal data.[19]

In 2019, the PDPC released an advisory guideline with various illustrations on how to interpret the transfer limitation obligations under the PDP Act, 2012.[20] For instance, cloud service providers (“CSP”) are data intermediaries and organisations engaging them are responsible for complying with the law for overseas transfer of data, regardless of the CSP’s location.[21]

V. Enforcement framework

Powers of the PDPC

Individuals can file complaints against an organisation with the PDPC against their refusal or delayed response in providing access to, or the correction of personal data, or the fee charged for such a request. The PDPC has the following powers:

To review such a complaint and decide whether the organisation’s decision was correct or requires modification.[22]
To issue directions to organisations if they are violating the Act, such as stopping the processing of personal data, destroying the data collected, or paying a financial penalty.[23]
To enforce its directions through the District Courts, which can pass orders to ensure compliance with the law.[24]
To refer disputes to mediation with the consent of the parties; or direct the parties to resolve the complaint in the manner directed by it.[25]
To conduct an investigation to determine an organisation’s compliance with the law.[26]

Reconsideration

As a first step, all decisions of the PDPC are subject to a review (or “reconsideration”) by the PDPC itself, which can affirm, revoke, or vary its earlier direction.[27] Appeals against the decision of the PDPC go to the government appointed Data Protection Appeal Panel,[28] and appeals against that go to the High Court, and eventually the Court of Appeal.[29]

After the decision of the PDPC has attained finality, an individual still retains the right of private action and can approach a civil court for relief against an organisation in the form of injunctions, damages, or any other relevant relief.[30]

Advisory guidelines

The PDPC can issues advisory guidelines, indicating its favoured interpretation to a provision of law.[31] For instance, in 2018, it released revised guidelines on selected topics such as anonymization; use of CCTV cameras and drones; online activities and photography, video, and audio recordings.[32]

Offences

The enforcement framework described above relate to complaints against organisations for their non-compliance with provisions of the Act. The Act also creates various offences for individuals responsible for making unauthorized access and correction requests relating to third parties; and for organisations who alter, falsify, conceal, or dispose off personal data records in response to an access or correction request.[33] There is a residual penalty provision as well.[34]

VI. Exemptions available to public agencies and law enforcement agencies

Data sharing by public sector agencies

The PDP Act, 2012 does not apply to government agencies, who are instead bound by the Public Sector (Governance) Act, 2018, (“PSG Act”)[35] which provides directions for the sharing of information[36] or re‑identification of anonymised information under the control of a Singapore public sector agency. Data protections standards under the PDP and PSG Act are broadly aligned.[37]

Under the terms of such a data sharing direction, a Singapore public sector agency may be authorised to share information within its control with another Singapore public sector agency. While this data sharing direction does not override confidentiality obligations arising out of legal privilege or contract, it does override confidentiality obligations under common law. The Act expressly clarifies that it is “not intended to prevent or discourage” inter-agency sharing of information, as permitted or mandated by this, or other laws.[38] The unauthorised disclosure, improper use of information, or unauthorised re-identification of anonymised information by any public official in a Singapore public sector agency to any third party has been criminalised under the law. A limited exception is made for generally available information or inferences drawn from readily observable matter.[39]

Powers of law enforcement

The PDP Act and the PSG Act do not specifically deal with the actions of law enforcement agencies. These are governed by a patchwork of different legislations,[40] which do not require prior judicial authorization for the conduct of surveillance/interception activities.[41]

Under the Criminal Procedure Code, if police officers reasonably suspect that a computer has been used in connection with an arrestable offence, they can access and inspect a computer; search for, and copy, the data on it; prevent others from gaining access to it (such as by changing the login credentials); or order an individual to stop using it.[42] Suspects can be required to provide reasonable technical and other assistance to decrypt the information stored on a digital device.[43] Similar powers exist to deal with cybersecurity threats.[44]

The Minister for Communications and Information can also issue directions to the IMDA or the telecom licensee to prohibit the use of telecommunications; take control of telecommunication systems; stop/delay/censor messages, on grounds such as public security, public interest, public emergency. They can then be directed to conceal the issuance of such directions.[45]

VII. Conclusion

In general, Singapore has a strong data protection framework applicable to private organisations, which is constantly evolving. For instance, the PDPC recently issued a Proposed Model Artificial Intelligence Governance Framework while the IMDA launched a Data Protection Trustmark Certification for organisations to demonstrate accountable data protection practices.[46] However, law enforcement agencies have some leeway in accessing and decrypting computers when it comes to national security concerns.

Singapore has also been an active player in the APAC region, by becoming the sixth[47] country to participate in the APEC Cross Border Privacy Rules System,[48] alongside Japan, South Korea, U.S.A, Canada, and Mexico. It has also participated in the APEC Privacy Recognition for Processors System.[49] The success of the Osaka Declaration, as discussed in our first post, will depend on other countries taking similar steps. Hence, in our next post, we will look at the data governance framework adopted by Japan.

Authored by the Ikigai team.

[1] Personal Data Protection Act, available at https://sso.agc.gov.sg/Act/PDPA2012

[2] Section 2 and 5, PDP Act.

[3] Section 4, PDP Act.

[4] Organisations have been defined to include any individual, company, association or body of persons, corporate or unincorporated, whether or not (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore;

[5] Sections 11 and 12, PDP Act.

[6] Section 14(2) read with 18(a), PDP Act.

[7] This storage limitation principle is recognised in Section 25, PDP Act. However, the Act does not define ‘business purpose’.

[8] Section 15, PDP Act.

[9] Section 16, PDP Act.

[10] Non-consensual collection, use, and disclosure of person data is governed by the Second, Third, and Fourth Schedule of the PDP Act respectively.

[11] Sections 21 and 22 read with Fifth and Sixth Schedule, PDP Act.

[12] Section 23, PDP Act

[13] Section 24, PDP Act.

[14] All telemarketing activities must abide by Part IX of the Act (“Do Not Call” Registry)

[15] PDPC, Guide to Managing Data Breaches 2.0, available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Breaches-2-0.pdf.

[16] PDPC, Plan to Make Data Breach Notification Regime Mandatory (March 2019), available at https://www.pdpc.gov.sg/news-and-events/press-room/2019/02/plan-to-make-data-breach-notification-regime-mandatory.

[17] Section 26(1), PDP Act.

[18] Section 26(2), PDP Act. Further information regarding the format for application, advisory guidelines etc. see PDPC, Exemption Requests, available at https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Exemption-Requests.

[19] Regulation 9, Personal Data Protection Regulations, 2014, available at https://sso.agc.gov.sg/SL/PDPA2012-S362-2014?DocDate=20140519.

[20] PDPC, Advisory Guidelines on Key Concepts in the PDP Act (October 2019), available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-9-Oct-2019.pdf?la=en.

[21] PDPC, Advisory Guidelines on Select Topics: Cloud Services (October 2019), available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Chapter-8-9-Oct-2019.pdf.

[22] Section 28, PDP Act.

[23] Section 29(2)-(3), PDP Act.

[24] Section 30, PDP Act.

[25] Section 27, PDP Act.

[26] Section 50, PDP Act.

[27] Section 31(1), PDP Act.

[28] Sections 33 and 34, PDP Act.

[29] Section 35, PDP Act.

[30] Section 32, PDP Act.

[31] Sections 49 and 50, PDP Act.

[32] PDPC, Advisory Guidelines on PDP Act for Select Topics (August 2018), available at https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Legislation-and-Guidelines/FINAL-Advisory-Guidelines-on-PDPA-for-Selected-Topics-31-August-2018.pdf.

[33] Section 51, PDP Act.

[34] Section 56, PDP Act.

[35] PSG Act, available at provides directions for the sharing of information[35] or re‑identification of anonymised information under the control of a Singapore public sector agency.

[36] Information has been defined under the PSG Act as including data sets and facts, statistics, instructions that are capable of being communicated, analysed, and processed.

[37] PDPC, supra note 16.

[38] Section 6, PSG Act, 2018.

[39] Sections 7 and 8, PSG Act, 2018

[40] This includes the Criminal Procedure Code, the Telecommunications Act, and the Computer Misuse and Cybersecurity Act. (amended in 1997),

[41] Privacy International, UPR Submission: Right to Privacy in Singapore, available at https://privacyinternational.org/sites/default/files/2017-12/Singapore_UPR_PI_submission_FINAL.pdf

[42] Section 39, Criminal Procedure Code, 2012.

[43] Section 40, Criminal Procedure Code, 2012.

[44] Section 23, Cybersecurity Act, 2018.

[45] Section 58, Telecommunications Act.

[46] See PDPC, Model Artificial Intelligence Governance Framework and IMDA, Data Protection Trustmark Certification.

[47] ICLG, Singapore: Data Protection 2019, available at https://iclg.com/practice-areas/data-protection-laws-and-regulations/singapore

[48] IMDA, APEC Cross Border Privacy Rules (CBPR) System, available at https://www.imda.gov.sg/programme-listing/Cross-Border-Privacy-Rules-Certification.

[49] IMDA, APEC Privacy Recognition for Processors (PRP) Certification, available athttps://www.imda.gov.sg/programme-listing/Privacy-Recognition-for-Processors-Certification.

RELATED WRITING

On DAOs and don’ts

Nigerians Defy Central Bank, Flock to Bitcoin

Our comments on the Abu Dhabi Global Market’s Data Protection Regulations, 2020

Cryptocurrency Regulation in Singapore: Challenges and Opportunities Ahead

Comments to the Abu Dhabi Global Market’s Electronic Transactions Regulations

Net Neutrality Regulation in South Africa

Data Governance in APAC: Findings

An Overview of Internet Shutdowns in Africa

Analysis of the data protection regulations in South Asia: ‘regional interoperability’ as a way forward

Protection of Personal Information Act – An Overview of South Africa’s Data Privacy Law

Challenge the status quo

Challenge
the status quo