Singapore has recognised regional certification for transferring personal data overseas
In June 2020, the Personal Data Protection Regulations 2014 (“Regulations”) were revised to recognise the Asia Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules (“CBPR”) System and, for data processors, the Privacy Recognition for Processors (“PRP”) System certifications as an additional data transfer mechanism under the PDPA for transferring personal data outside Singapore.
Section 26 of the PDPA restricts an organisation from transferring personal data outside Singapore (“Transfer Limitation Obligation”), unless at least one of the prescribed safeguards has been put in place to ensure that the data recipient will provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA. The Regulations further specify the steps that an organisation may take to ensure that the overseas recipient of personal data is bound by legally enforceable obligations to provide a comparable standard of protection to the transferred personal data.
Currently, the Regulations only recognise certain data transfer mechanisms, which include, amongst others, (i) individual’s consent, provided that certain prescribed steps have been taken in obtaining such consent; (ii) legally binding contractual provisions to impose data protection obligations on the data recipient; (iii) binding corporate rules for intra-group data transfer; and (iv) if the data transfer is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual’s request with a view to the individual entering into a contract with the transferring organisation.
The Regulations have been revised so that a new data transfer mechanism is now recognised under the PDPA, i.e. if the recipient holds a specified certification that is granted or recognised under the law of that country or territory to which the personal data is transferred. Specified certifications refer to (i) the APEC CBPR System; or (ii) for data intermediaries (i.e. data processors), the APEC PRP System. Therefore, the Transfer Limitation Obligation under the PDPA is satisfied if the overseas data recipient is receiving the personal data (i) as an organisation holding a valid APEC CBPR certification; or (ii) as a data intermediary holding a valid APEC PRP certification.
Singapore data privacy laws will have more teeth after proposed reform
On 2 November 2020, the Personal Data Protection (Amendment) Bill (“Amendment Bill”) was passed by Parliament. The amendments to the Personal Data Protection Act 2012 (“PDPA”) are expected to come into force in early 2021.
On 20 November 2020, the Personal Data Protection Commission (“PDPC”) issued draft advisory guidelines on the Amendment Bill (“Draft Advisory Guidelines”), which will be finalised and issued when the Amendment Bill comes into effect.
The Amendment Bill follows the public consultation exercise held in May 2020. The amendments are driven by developments in global and regional privacy laws, e.g. the General Data Protection Regulation (“GDPR”) in Europe and recent reforms to privacy laws in other Asian jurisdictions, and will bring the PDPA more in line with global and regional standards.
The objectives of the amendments are to (i) improve consumer protection through greater organisational accountability in the handling of personal data; (ii) address data privacy issues in using personal data for innovation purposes; (iii) provide consumers with greater autonomy over their personal data; and (iv) enhance the effectiveness of the PDPA enforcement framework.
We summarise the key amendments to the PDPA below:
(a) Mandatory data breach notification
Currently, breach notification is voluntary under the PDPA.
Once the amendments take effect, organisations (i.e. data controllers) will be required to notify the PDPC as soon as reasonably practicable, but in any case, no later than 3 calendar days after becoming aware of a data breach that:
- results in, or is likely to result in, significant harm to an affected individual (e.g. physical, psychological, emotional, economic and financial harm and reputational damage); or
- is, or is likely to be, of a significant scale (i.e. involves the personal data of 500 or more individuals).
The organisation must also notify the affected individuals if the notifiable data breach results in, or is likely to result in, significant harm to the affected individuals.
Where a data intermediary (i.e. a data processor) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must also notify that other organisation of the occurrence of the data breach without undue delay.
Further, to provide certainty to organisations on which data breaches are notifiable, the PDPC will prescribe the personal data or classes of personal data that are considered likely to result in significant harm to affected individuals if such data is compromised in a data breach.[1]
(b) New basis for deemed consent to apply for collection, use and disclosure of personal data
PDPA is a consent-based data privacy regime. Currently, there is a “deemed consent” provision under the PDPA which provides that an individual (i.e. the data subject) is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if (a) the individual voluntarily provides the personal data to the organisation for that purpose; and (b) it is reasonable that the individual would voluntarily provide the data. This is referred to as “deemed consent by conduct” in the Draft Advisory Guidelines.
The Amendment Bill will introduce two new bases for “deemed consent” to apply, namely:
Deemed consent by contractual necessity:
An individual is deemed to have consented to the disclosure of his/her personal data where the disclosure is necessary for the conclusion or performance of a contract or transaction between the individual and the organisation to which he/she had originally provided the personal data, e.g. deemed consent for the processing of payment.
Deemed consent by notification:
An individual may be deemed to have consented to the collection, use or disclosure of personal data for a purpose that he/she has been notified of, where he/she has not taken any action to opt out of the collection, use or disclosure of his/her personal data.[2] This deemed consent by notification does not apply to, amongst other things, the sending of direct marketing messages.
(c) New consent exceptions for collection, use and disclosure of personal data
Other than deemed consent under the PDPA, there are also consent exceptions for the collection, use and disclosure of personal data as set out in the Second to Fourth Schedules of the PDPA.
The current Second to Fourth Schedules to the PDPA will be repealed by the Amendment Bill and the existing consent exceptions will be revised and included in the new First and Second Schedules to the PDPA. The new First and Second Schedules to the PDPA will also include two new consent exceptions, namely, the (i) legitimate interests exception; and the (ii) business improvement exception.
Legitimate interests exception
“Legitimate interests” generally refers to any lawful interests of an organisation or other person (including other organisations). Under the new First Schedule, there are
- specific legitimate interests purposes, e.g. for evaluative purposes, for any investigation or proceedings, or for recovery or payment of debt owed (which are the same as those available under the current Second to Fourth Schedules to the PDPA); and
- the general legitimate interests exception, which is a broad exception that can be relied on for any other purpose that meets the definition of legitimate interests, when the specific exceptions do not apply. This general legitimate interests exception is similar to the legitimate interests legal basis under Article 6 of the GDPR.
To rely on the general legitimate interests exception, the onus is on the organisation seeking to rely on this exception to comply with additional safeguards to ensure that the interests of individuals are protected.
Organisations must satisfy the following requirements before relying on the general legitimate interests exception: (i) identify and articulate the legitimate interests; (ii) conduct an assessment of any adverse effect on individuals, ensure that the legitimate interests outweigh any adverse effect, and ensure that they have identified and implemented reasonable measures to eliminate or mitigate the adverse effect, or reduce the likelihood of any adverse effect occurring; and (iii) disclose their reliance on the general legitimate interests exception.
Business improvement exception
The “business improvement” exception can be relied on by organisations to use, without consent, personal data that they had collected in accordance with the data protection provisions of the PDPA, where the use of the personal data falls within the scope of any of the following business improvement purposes:
- improving, enhancing or developing new goods or services;
- improving, enhancing or developing new methods or processes for business operations in relation to the organisations’ goods and services;
- learning or understanding behaviour and preferences of individuals (including groups of individuals segmented by profile); or
- identifying goods or services that may be suitable for individuals (including groups of individuals segmented by profile) or personalising or customising any such goods or services for individuals.
The business improvement exception can also be relied on by related corporations within the same company group to share personal data (i.e. collection and disclosure) intra-group, without consent, for the following business improvement purposes:
- improving, enhancing or developing new goods or services;
- improving, enhancing or developing new methods or processes for business operations in relation to the organisations’ goods and services;
- learning or understanding behaviour and preferences of existing or prospective customers (including groups of individuals segmented by profile); or
- identifying goods or services that may be suitable for existing or prospective customers (including groups of individuals segmented by profile) or personalising or customising any such goods or services for individuals.
This exception can only be relied upon if the purpose cannot reasonably be achieved without the collection, use or disclosure of personal data; and a reasonable person would consider such collection, use or disclosure of personal data appropriate under the circumstances. For intra-group sharing of personal data, the related corporations within the same company group must also be bound by agreements or binding corporate rules which require the recipient(s) of the personal data to implement and maintain appropriate safeguards for the personal data.
Organisations cannot rely on the business improvement exception to send direct marketing messages.
The research exception
While the business improvement exception is intended to enable organisations to use personal data to improve their products, services, business operations and customer experience, the research exception is intended to enable organisations to conduct broader research and development that may not have any immediate application to their products, services, business operations or market.
The amended PDPA has revised the research exception to allow organisations to use personal data for a research purpose, subject to the new conditions as follows:
- the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form;
- there is a clear public benefit to using the personal data for research purpose;
- the results of the research will not be used to make any decision that affects the individual; and
- in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual,
and provided that it is impracticable for the organisation to seek the consent of the individual for the disclosure.
(d) New right to data portability
An individual who has an ongoing relationship with an organisation will have a new right to data portability. This follows a similar right already introduced by the GDPR. The purposes of this right are to (i) provide individuals with greater autonomy over their own data; and (ii) boost development, enhancement and refinement of goods and services provided by organisations given that the transmission of data will be facilitated.
Save for certain excluded categories of data and in certain excluded circumstances[3], organisations which possess or control the personal data of an individual (i.e. the “porting organisation”) will, upon receiving a data porting request from the individual, have to transmit the applicable data about the individual specified in the request to another organisation (i.e. the “receiving organisation”) in accordance with the prescribed requirements in the PDPA, such as requirements relating to technical, user experience and consumer protection matters. This obligation only applies if the receiving organisation is formed or recognised under the laws of Singapore or a prescribed foreign country or territory (i.e. an applicable country), or is resident or has an office or a place of business in Singapore or an applicable country.
In addition, the amended PDPA will require a porting organisation to preserve a complete and accurate copy of the applicable data specified in a data porting request for at least the prescribed period, regardless of whether the porting organisation agrees to the request. The applicable “prescribed period” may differ depending on the business sector the porting organisation is in or the circumstances of the proposed data transmission.
(e) New offences and increased financial penalties
New offences will be introduced where an individual may be found personally liable in respect of (a) unauthorised disclosure of personal data; (b) improper use of personal data that results in personal gain for the offender or another person, or harm or loss to another person; or (c) re-identification of anonymised information.
In addition, the maximum financial penalty imposed on organisations for breaches of certain key obligations under Parts III to VI of the PDPA (the main data protection obligations) and the new Parts VIA (notification of data breaches) and VIB (data portability) will be increased to 10% of an organisation’s annual turnover in Singapore or one million Singapore dollars (SGD 1 million), whichever is higher.
(f) Offences for individuals who egregiously mishandle personal data
The PDPA will introduce new offences to hold individuals liable for egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency). The offences are
- knowing or reckless unauthorised disclosure of personal data;
- knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person; and
- knowing or reckless unauthorised re-identification of anonymised data.
Organisations shall remain liable for the actions of their employees in the course of their employment with the organisations. These offences are intended to criminalise egregious misconduct by individuals whose actions have not been authorised by the organisation.
(g) Processing of data on behalf of and for the purposes of a public agency
Currently, an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data is exempted from the main data protection obligations under the PDPA.
The amended PDPA will abolish this exemption, with the aim of increasing the accountability of third parties handling government personal data against the backdrop of a number of high profile data breach incidents relating to the public sector in recent years, e.g. the SingHealth data leakage incident.
Public agencies will continue to be exempted from the main data protection obligations under Parts III to VI of the PDPA, and from the new obligations under the new Parts VIA (notification of data breaches) and VIB (data portability) of the amended PDPA.
Given the extent of the changes to the PDPA, we encourage organisations processing personal data in Singapore to assess the impact of the PDPA amendments on their business activities before the amendments come into effect, and to review and revise their internal policies and business processes accordingly. For example, organisations should assess whether any deemed consent or new consent exceptions would be applicable to their handling of personal data, and formulate a data breach response policy.
[1] Per the Draft Advisory Guidelines, data which is likely to result in significant harm to affected individuals includes (a) an individual’s full name or full national identification number in combination with, amongst other things, his/her private financial information, private life or health insurance information, or medical information; and (b) an individual’s account information (bank account number, credit or debit card number) in combination with his/her biometric data, security code, access code, password or answer to security questions used to permit access to or use of the account, which may lead to misuse of the account, fraudulent transactions, or disclosure of any information referred to in (a).
[2] An individual is deemed to have consented to a new purpose of collection, use or disclosure of his/her personal data by notification if:
(a) the organisation has assessed that the proposed collection, use or disclosure of personal data is not likely to have an adverse effect on the individual;
(b) the organisation has taken reasonable steps to bring certain information to the attention of the individual, e.g. the intention, purpose for the proposed collection, use or disclosure of personal data;
(c) the individual will be provided with a reasonable period of time and given reasonable means to notify the organisation that he or she does not consent to the proposed collection, use or disclosure of his/her personal data; and
(d) the individual has not notified the organisation that he does not consent to the proposed collection, use or disclosure of his/her personal data.
[3] The excluded circumstances in which the right of portability is not available include, amongst others, where
(a) the transmission can reasonably be expected to: (1) threaten the safety, or physical or mental health, of an individual other than the individual to whom the personal data relates; (2) cause immediate or grave harm to the physical or mental health of the individual to whom the data relates; or (3) be contrary to the national interest of Singapore; or
(b) the receiving organisation belongs to a class of organisations that is excluded under the PDPA; or
(c) the PDPC directs the porting organisation not to transmit the personal data.
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.