Asia Pacific – Developing Data Protection Laws.

26 October, 2012

 

Legal News & Analysis – Asia Pacific – Singapore – TMT

 

Singapore's Personal Data Protection Bill ("Bill") has, following its second and third reading in Parliament on 15 October 2012, been passed in an amended form. The Personal Data Protection Act ("PDPA") is expected to come into force in January 2013.
 
Organisations will be given 18 months from its enactment to comply with the requirements of the PDPA. Singapore's Ministry of Information, Communications and the Arts ("MICA") is expected to publish guidelines to assist organisations with their compliance obligations although the timing for the release of the guidelines has not yet been confirmed. MICA has also assured the public that it will be conducting education sessions to build awareness amongst stakeholders on their rights and obligations under the PDPA.
 
  • Purpose: The PDPA is intended to protect personal data through regulating the collection, use and disclosure of personal information. According to MICA, the PDPA's primary purpose is to protect consumer data against misuse whilst balancing the needs of organisations to obtain and process data for legitimate and reasonable purposes.
  • Application: The proposed data protection regime will apply to all organisations, whether or not resident or having a place of business in Singapore. Notably, the PDPA will cover organisations that are engaged in data collection, processing or disclosure within Singapore, even if such an organisation has no physical presence in Singapore. The PDPA catches all electronic and non-electronic data about a natural person where the person can be identified from the data and other information to which the organisation has access. The Bill, as amended, did not include the previous draft's requirement that personal data have a "Singapore link", i.e. that the personal data be collected from an individual physically present in Singapore, be located in Singapore at the time of collection, be used by the organisation in Singapore, or be disclosed in Singapore.
  • Exempt persons: Public agencies and certain persons, such as those collecting data as employees or in a purely personal capacity, are excluded from the ambit of the PDPA. However, unlike in certain other jurisdictions, there is no exemption for small companies with low annual turnover, as MICA is wary of organisations seeking to circumvent the PDPA by setting up smaller entities.
  • Obligations: Generally, the obligations under the PDPA pertaining to the use of personal data under the original draft PDPA have been retained as follows:
    • an individual's consent, whether express or implied, must be obtained before an organisation can collect, use or disclose personal data, unless certain exceptions apply;
    • the collection, use or disclosure by an organisation must be for purposes which a reasonable person would consider appropriate and of which the individual was informed at the time of collection, failing which fresh consent is required;
    • organisations should ensure that personal data are accurate and complete;
    • organisations are required to protect personal data within their custody through reasonable security arrangements; and
    • individuals have the right to request access to personal data held by an organisation and the right to request the correction of any inaccurate data unless an organization has reasonable grounds for refusing such a request.
  • Exceptions to consent: The Bill was amended to extend and clarify the list of exemptions from the requirement to obtain consent. Schedule 2 to the PDPA has now, for example, been extended to exclude data which is publicly available and to clarify the exemptions for news activities, health care providers and credit agencies.
  • Transfers: The introduction of Section 26 requires organisations to ensure that any transfer of personal data outside of Singapore meets the minimum standards prescribed under the PDPA.
  • Narrowing of certain obligations: Following the various public consultation processes, the amended Bill has narrowed the scope of certain obligations. For instance, the amended Bill has removed the requirement that an organisation which uses an individual’s personal data to make a decision that directly affects the individual should retain that personal data for at least one year after using it. Also, the obligation to provide information to individuals on the ways in which their personal data may have been used or disclosed by the organization has been limited to a year prior to the date of the request.
  • Enforcement: The Data Protection Commission has been given various investigative and enforcement powers under the PDPA, including to issue directions for non-compliance and to impose financial penalties of up to S$1,000,000 against non-compliant organisations. Notably, the amended Bill has extended the right to appeal decisions of the Data Protection Commission to include individuals who are aggrieved by any direction or decision of the Commission.
  • Do not call: No marketing will be permitted unless, within 30 days of the marketing, companies have confirmed the number is not on the do not call register or obtained explicit consent from the subscriber. The authorizing sender must be identified and contact information provided. Caller line identification must not be hidden. The Bill works in conjunction with the Spam Control Act of 2007, which regulates email spam and the use of address harvesting software.
 
Other Data Protection Laws in South East Asia
 
  • Malaysia: The Personal Data Protection Act 2010 Bill passed in May 2010, but its effective date is yet to be announced.
  • Philippines: The Data Privacy Act 2011 was approved by the Senate in March 2012.
  • Thailand: There is no specific statutory law governing data protection or privacy, but the Council of State is in the process of drafting the Personal Information Protection Act.
 
How Singapore and South East Asia Compare in Key Areas with Hong Kong, Australia and the EU
 
Table 1 – What does an organisation need to tell individuals?
  
 

SG

MY

PH

HK

AU

EU

The identity of the relevant party

Χ 

Χ 

Χ 

Contact information for the relevant party

Χ 

Χ 

The relevant purposes 

Any recipients

Χ 

Whether data are obligatory or voluntary

Χ  Χ  Χ 

That there are rights to access / rectification

Χ 

Any international transfers 

Χ  Χ  Χ  Χ 

That there are relevant policies 

Χ  Χ  Χ  Χ  Χ 

Does the notice have to be in advance? 

Χ 

Are there exceptions? 

Many Many Many Χ

Reasonable steps

Effort-based

 

Table 2 – What are the main justifications available?

 

 

SG

MY

PH

HK

AU

EU

Explicit consent has been obtained

√*

Deemed consent applies

 Χ

 Χ

√****  

√**

Can consent be withdrawn?

Χ

 It is in the individual’s interests 

 Χ

√****

 Χ

It is in the 'data controller’s' interests

Χ

Χ

Χ

√****

√***

It is for entering into / performing a contract

Χ

Χ

√****

√***

Is notice in itself sufficient? (see table 1) 

Χ

Χ

Χ

Χ

Χ

 

 

 

For further information, please contact:

 

Michelle Chan, Partner, Herbert Smith Freehills
michelle.chan@herbertsmith.com
 
Mark Robinson, Herbert Smith Freehills
Mark.Robinson@hsf.com
 
Tabitha Saw, Herbert Smith Freehills
Tabitha.Saw@hsf.com
 

 
