Singapore’s principal data privacy law is the Personal Data Protection Act 2012 (PDPA). The legislation establishes the Personal Data Protection Commission (PDPC) and sets out the rules for the collection, use, disclosure, and transfer of personal data. The PDPA was amended by the Personal Data Protection (Amendment) Act 2020, passed on Nov. 2, 2020, with the amendments taking effect in phases from Feb. 1, 2021.
Compared to regulations within other jurisdictions, the PDPA is certainly more business-friendly. However, the PDPC has continued to take an active role in ensuring the accountability of organizations to protect the privacy and security of personal data in the face of growing cybersecurity threats. Since Singapore is emerging as a regional business hub in Southeast Asia, it is imperative to understand the implications of regulations on data-driven activities.
Here are the highlights:
The PDPA applies to organizations collecting personal data from individuals in Singapore, regardless of whether the company is within the jurisdiction.
The PDPC has issued advisory guidelines that restrict the collection, use, disclosure, and copying of a special class of data—National Registration Identity Card (NRIC) numbers and other national identification numbers (i.e. passport, FIN, Work Permit, and Birth Certificate numbers)—unless it is required by law or is necessary to verify an individual’s identity to a high degree of fidelity.
The recent amendment builds on the large existing body of exceptions to the consent requirement, adding two new ones: a legitimate interests exception, where the organization’s legitimate interests outweigh any adverse effect on the individual, and a business improvement exception for uses such as improving products and services. The PDPA also treats deemed consent (for example, when an individual voluntarily provides personal data to the organization for a purpose that is reasonable in the circumstances) as valid consent. Unless the processing is required by law, individuals can withdraw any consent given, or deemed to have been given, after which the organization and its data intermediaries must cease collecting, using, or disclosing the data.
The PDPA grants individuals a limited right to access and correct personal data the organization holds about them. Data subjects can also request information on how their data has been used or disclosed within the year before the request.
The updated PDPA introduces a “portability obligation”: at the individual’s request, an organization must transmit the individual’s data to another organization in a commonly used machine-readable format. This obligation was not among the provisions that commenced on Feb. 1, 2021 and is brought into force separately.
The PDPC has been particularly consistent in enforcing the Protection Obligation, which requires organizations to implement reasonable security arrangements to protect personal data. Data encryption is a technical safeguard the PDPC advises can and should be used. The Commission emphasizes a risk-based approach to meeting security requirements, matching the safeguards to the nature of the personal data and to the harm that could result from a breach.
Following a data breach, an organization must assess whether it is notifiable (one that results in, or is likely to result in, significant harm to affected individuals, or that affects 500 or more individuals) and, if so, notify the PDPC as soon as practicable and no later than three calendar days after making that assessment. Where the breach is likely to cause significant harm, the affected individuals must also be notified. The increased administrative fine under the PDPA, up to 10% of an organization’s annual turnover in Singapore (for organizations whose annual turnover in Singapore exceeds SGD 10 million) or SGD 1 million, whichever is higher, took effect on Oct. 1, 2022 pursuant to the Personal Data Protection (Amendment) Act 2020.
Cross-border data transfer is permitted only if the recipient is bound to provide a standard of protection comparable to the PDPA, for example through legally enforceable obligations such as contractual clauses or binding corporate rules. Singapore also recognizes the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems as a way to demonstrate a comparable level of protection. Companies that comply with these internationally recognized data privacy requirements receive a certification under a framework endorsed by the 21 APEC member economies (Australia, Brunei Darussalam, Canada, Chile, People’s Republic of China, Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Chinese Taipei, Thailand, the United States, and Vietnam), although only a subset of those economies currently participate in the CBPR System.
Singapore’s PDPA imposes many obligations on companies in their data-driven activities, even though it is comparatively less stringent than data regulations in some other jurisdictions. As a gateway to business in the Asia Pacific region, compliance efforts in the jurisdiction are critical.
Singapore’s data privacy laws are flexible in permitting the collection of personal data. However, with national identification numbers now treated as sensitive under the PDPC’s guidelines, companies should closely examine the types of data they collect and document the purposes for each. Depending on the nature of the data, companies should assess the appropriate level of security arrangements, including where in the data flow encryption should be applied as standard practice. This matters increasingly as the PDPC steps up enforcement of the Protection Obligation. Companies should also map the flow of personal data so they can serve individuals’ rights of access, correction, and portability; the same map helps them assess and notify data breaches within the required timelines. Given the limits on cross-border data transfers, companies should examine their data flows and ensure that overseas recipients are bound by comparable protection, whether through enforceable contractual obligations or through certification under the APEC CBPR and PRP Systems.