Developing data protection laws in Singapore and South East Asia

Singapore's Personal Data Protection Bill ("Bill") has, following its second and third reading in Parliament on 15 October 2012, been passed in an amended form. The Personal Data Protection Act ("PDPA") is expected to come into force in January 2013.  Mark Robinson, Michelle Chan and Tabitha Saw provide an overview of the proposals and a comparison with data protection laws in South Esat Asia and other jurisdictions. 

Organisations will be given 18 months from its enactment to comply with the requirements of the PDPA. Singapore's Ministry of Information, Communications and the Arts ("MICA") is expected to publish guidelines to assist organisations with their compliance obligations although the timing for the release of the guidelines has not yet been confirmed. MICA has also assured the public that it will be conducting education sessions to build awareness amongst stakeholders on their rights and obligations under the PDPA.

• Purpose: The PDPA is intended to protect personal data through regulating the collection, use and disclosure of personal information. According to MICA, the PDPA's primary purpose is to protect consumer data against misuse whilst balancing the needs of organisations to obtain and process data for legitimate and reasonable purposes.
• Application: The proposed data protection regime will apply to all organisations, whether or not resident or having a place of business in Singapore. Notably, the PDPA will cover organisations that are engaged in data collection, processing or disclosure within Singapore, even if such organization has no physical presence in Singapore.The PDPA catches all electronic and non-electronic data about a natural person where the person can be identified from the data and other information to which the organization has access. The Bill, as amended, did not include the previous draft's requirement that personal data have a "Singapore link", i.e. that the personal data be either collected from an individual physically present in Singapore, the data be located in Singapore at the time of collection, the organization uses the data in Singapore, or the data are disclosed in Singapore.
• Exempt persons: Public agencies and certain persons, such as those collecting data as employees or in a purely personal capacity, are excluded from the ambit of the PDPA. However, unlike in certain other jurisdictions there is no exemption for small companies with low annual turnover; MICA being wary of organisations seeking to circumvent the PDPA through setting up smaller entities.
• Obligations: Generally, the obligations under the PDPA pertaining to the use of personal data under the original draft PDPA have been retained as follows (for a more detailed summary of the main obligations under the PDPA please see our APAC technology, media and telecommunications e-bulletin dated 6 October 2011):
  • an individual's consent, whether express or implied, must be obtained before an organisation can collect, use or disclose personal data, unless certain exceptions apply;
  • the collection, use or disclosure by an organisation must be for purposes which a reasonable person would consider appropriate and which was informed to the individual at the time of collection, failing which fresh consent is required;
  • organisations should ensure that personal data are accurate and complete;
  • organisations are required to protect personal data within their custody through reasonable security arrangements; and
  • individuals have the right to request access to personal data held by an organisation and the right to request the correction of any inaccurate data unless an organization has reasonable grounds for refusing such a request.
• Exceptions to consent: The Bill was amended to extend and clarify the list of exemptions from the requirement to obtain consent. Schedule 2 to the PDPA has now, for example, been extended to exclude data which is publicly available and to clarify the exemptions for news activities, health care providers and credit agencies.
• Transfers: The introduction of Section 26 requires organisations to ensure that any transfer of personal data outside of Singapore meets the minimum standards prescribed under the PDPA.
• Narrowing of certain obligations: Following the various public consultation processes, the amended Bill has narrowed the scope of certain obligations. For instance, the amended Bill has removed the requirement that an organisation which uses an individual’s personal data to make a decision that directly affects the individual should retain that personal data for at least one year after using it. Also, the obligation to provide information to individuals on the ways in which their personal data may have been used or disclosed by the organization has been limited to a year prior to the date of the request.
• Enforcement: The Data Protection Commission has been given various investigative and enforcement powers under the PDPA, including to issue directions for non-compliance and to impose financial penalties of up to S$1,000,000 against non-compliant organisations. Notably, the amended Bill has extended the right to appeal decisions of the Data Protection Commission to include individuals who are aggrieved by any direction or decision of the Commission.
• Do not call: No marketing will be permitted unless within 30 days of the marketing, companies have confirmed the number is not on the do not call register or obtained explicit consent from the subscriber. The authorizing sender must be identified and contact information provided. Caller line identification must not be hidden.The Bill works in conjunction with the Spam Control Act of 2007 which regulates email spam and the use of address harvesting software.