In this two-part series, lawyer Yeong WanHsi discusses the various data protection regimes which have been implemented across the globe, the types of protection that they provide and the legal considerations which companies should bear in mind.
In the first part of this series, she compares the European Union’s GDPR with Singapore’s PDPA and examines the data protection regimes which have been adopted by other countries in the region.
General Data Protection Regulation (“GDPR”)
The GDPR has been in effect since 25 May 2018. It created much discussion around the world as it set an unprecedented compliance threshold: even non-EU companies are now required to comply with its data protection obligations. The GDPR applies to non-EU companies where services are provided in the EU, or where personal data is obtained in the EU and transferred out of the EU. Thus, companies with no physical presence in the EU may still be caught by the GDPR if they are in the business of offering goods or services to, or monitoring the behaviour of, individuals in the EU.
Companies have to be extremely cautious to ensure that their data collection, use and disclosure practices conform to the obligations set out in the GDPR, as the penalties imposed for non-compliance can be hefty: a fine of up to 20 million Euros or 4% of global turnover, whichever is higher.
Data Protection in the Asia-Pacific Region
To have a better appreciation of the higher standard for data protection set by the GDPR, we first have to understand the current regulatory landscape surrounding data protection. Accordingly, we shall have a brief look at the data protection regulations across various jurisdictions in the Asia-Pacific region.
- The Philippines
The Philippines has one of the most comprehensive data protection regulations in the Asia-Pacific region. The relevant legislation is the Data Privacy Act of 2012 (the “DPA”), and the National Privacy Commission (the “NPC”), as the enforcement authority, is tasked with monitoring and enforcing the DPA. The NPC’s Implementing Rules and Regulations (the “IRRs”) supplement the DPA by giving specific definitions to its general requirements. It is pertinent to note that the Philippines has borrowed various principles from the GDPR, such as the 72-hour data breach notification requirement, data subjects’ right to be informed of profiling and automated decision-making, and a right to data portability. Currently, the NPC is investigating Uber regarding its 2016 data breach.
- Hong Kong
Hong Kong also has robust data protection laws, with the primary legislation on data protection being the Data (Privacy) Ordinance (the “Ordinance”), which was enacted in 1996. The Ordinance regulates the collection, use and handling of personal data and is based around a set of data protection principles. Recent reforms have made Hong Kong’s regulation of direct marketing one of the most stringent regimes globally. Its Privacy Commissioner for Personal Data (the “PCPD”) actively pursues public education, regularly publishing official guidance on a wide range of topics, and enforcement, to ensure compliance with Hong Kong’s data protection law. It also closely monitors global trends, especially the implementation of the GDPR, on which the PCPD has recently published a guide to raise awareness among organisations and businesses in Hong Kong of the impact of the GDPR.
- Thailand
Currently, Thailand does not have any specific personal data protection regulation. Nonetheless, the Cabinet of Thailand has been debating a draft data protection bill since February 2018. Under the draft bill, the collection and use of personal data without the consent of the data subject will be prohibited, and a data controller must inform the data subject of the purpose for which the data is collected. The draft bill also imposes both criminal and civil liability for any breach of the regulations.
- Indonesia
Although there are pockets of regulation that provide for general personal data protection, Indonesia does not have an extensive data protection regime. Nonetheless, a data protection bill appears to be underway and is expected to come into force by the end of 2018. With a population of over a quarter of a billion and one of the highest economic growth rates, Indonesia is increasingly important for multinational businesses. Foreign access to this market is being challenged by an increasingly fragmented and restrictive regulatory environment for data and technology. Thus, Indonesia urgently requires a comprehensive data protection regulatory framework, and one is on the House of Representatives’ priority programme. The pockets of legislation that currently cover this point are as follows: Article 26 of Law No. 11 of 2008 concerning Electronic Information and Transactions (“Law 11/2008”) mandates that the “use of any information through electronic media that involves personal data of a person must be made with the consent of the person concerned”. Law 11/2008 has been amended by Law No. 19 of 2016 (“Law 19/2016”), which added to Article 26 an individual’s right to request the deletion of his personal data, as well as to request the deletion of personal data which is no longer relevant (the so-called Indonesian “right to be forgotten”).
As can be observed, the GDPR has to an extent prompted data protection authorities and legislators outside the EU to analyse it, with the intention of reforming their respective domestic laws to reflect the global shift towards a more comprehensive data protection framework.
The Singapore Position
In Singapore, the legislation that governs the protection of personal data is the Personal Data Protection Act 2012 (“PDPA”), which came into force progressively, in successive parts, from 2 January 2013 to 2 July 2014. Since its passing, the Personal Data Protection Commission of Singapore (the “PDPC”) has taken enforcement action in a number of cases, the highest penalty imposed being a fine of S$50,000 in the case of K Box Entertainment Group and Another, in which a list of 317,000 K Box members was disclosed online.
The PDPC actively publishes commentary and guidelines for businesses and consumers, the most recent being guidelines on the application of the PDPA to election activities. It has also published comprehensive advisory guidelines on the key concepts in the PDPA, on the PDPA for selected topics (e.g. NRIC, employment, anonymisation, etc.), on the DNC provisions, on consent for marketing purposes, and on enforcement of the data protection provisions. Further, it is considering the implementation of a mandatory data breach notification regime, and the relaxation of the consent requirements imposed on data controllers prior to processing data.
As mentioned above, the GDPR has attracted the attention of regulatory authorities outside the EU, and the PDPC is no different. Whilst it may not be authoritative in nature, the PDPC has issued a factsheet to guide organisations in Singapore as to the over-arching effects of the GDPR. Here are some of the highlights comparing the Singapore PDPA provisions vis-à-vis the key requirements of the EU GDPR (for each topic, the PDPA position is set out first, followed by the GDPR position):
Application of Legislation
PDPA (Sections 3, 4 & 26):
• The PDPA applies to organisations that collect, use and disclose personal data, whether inside or outside Singapore.
• Similar to the GDPR, the PDPA also has extra-territorial application in that personal data collected from outside Singapore is subject to the Transfer Limit Obligation (see below).
GDPR (Articles 3 and 27):
• The GDPR applies to organisations that:
1. Offer goods or services to individuals in the EU.
2. Monitor the behaviour of individuals within the EU.
• There is no geographical restriction, and the GDPR has extra-territorial effect.
Basis of Processing
PDPA:
• As indicated above, the PDPA recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
• However, unlike the GDPR, the PDPA is silent on the instances in which personal data may be processed; what it does set out are two competing interests, namely the individual’s interest in his or her personal data and the need of organisations to collect it.
• Instead of setting out the basis of processing, the PDPA sets out two main aspects:
1. Protection of personal data.
2. The setting up of a Do Not Call (DNC) registry.
GDPR:
• Processing of personal data is lawful in the following instances:
1. Consent is given by the individual for the specific purpose.
2. Necessary for the performance of a contract.
3. Necessary for the organisation’s compliance with a legal obligation.
4. Necessary to protect the vital interests of the individual or another natural person.
5. Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organisation.
6. Necessary for the purposes of legitimate interests.
• Evidently, this is quite encompassing and far reaching.
Exclusions from the Legislation
PDPA (excluded from its application):
1. Individuals acting in a personal or domestic capacity.
2. Employees acting in the course of their employment.
3. Public agencies.
4. Any organisation acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.
5. Organisations which are data intermediaries are also partially excluded from the provisions of the PDPA.
GDPR:
1. The GDPR applies so long as an individual or entity, including a public authority or agency, falls within the definition of ‘controller’ or ‘processor’.
2. The only exception is natural persons acting ‘in the course of a purely personal or household activity’.
Rights of Individuals (Consent Obligation)
*This is the key difference between the GDPR and the PDPA: the rights of individuals are paramount in the GDPR, unlike in the PDPA, wherein two competing rights are stated.
PDPA (Sections 13 to 17):
• Individuals have to give, or are deemed to have given, their consent for the collection, use or disclosure of their personal data.
• However, an organisation does not require an individual’s consent beyond what is reasonable to provide the product or service.
• The PDPC intends to provide a ‘Notification of Purpose’ as part of the consent framework (a third basis other than actual and deemed consent) in the future.
GDPR:
• The GDPR sets a very high standard for consent:
o Consent given must be clear, explicit and unambiguous.
o Organisations must take prudent steps to ensure that consent is clearly obtained (e.g. consent requires a positive opt-in).
Rights of Individuals (Purpose Limitation Obligation)
PDPA:
• Purposes need not be specified or explicit; they just have to be reasonable and appropriate when judged by a reasonable person.
• The PDPC intends to provide for a legal or business purpose as a basis for organisations to collect, use or disclose personal data without consent.
GDPR:
• Right to restriction of processing where:
1. The accuracy of the personal data is contested.
2. The processing does not fall into any of the categories under Article 6 (refer to the Basis of Processing section above).
Rights of Individuals (Notification Obligation)
PDPA:
• An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose the individual’s personal data.
• This would form an appropriate basis for an organisation to collect, use and disclose personal data.
GDPR:
• Right to be provided with basic information:
1. The identity of the controller.
2. The reasons for processing their personal data.
3. Other relevant information necessary to ensure the fair and transparent processing of personal data.
Rights of Individuals (Access Obligation)
PDPA:
• Upon request by the individual, an organisation shall provide that individual with his or her personal data which it has in its possession or under its control.
• Exceptions from the access requirement are set out in the Fifth Schedule of the PDPA.
GDPR:
• An individual has the right to access his personal data and to request information as to whom the personal data has been disclosed and how the personal data was processed.
• Whilst the PDPA obligation is based on a reasonable man’s test, this right is more explicit and requires organisations to readily disclose such data when requested by an individual.
• There are also other accompanying rights, set out below, to be read together with this one.
Rights of Individuals (Correction Obligation)
PDPA (Sections 22 & 23):
• An organisation, upon a request for correction by the individual, shall correct that individual’s personal data in the possession or under the control of the organisation.
• Exceptions from the correction requirement are set out in the Sixth Schedule of the PDPA.
• An organisation is required to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data (a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or (b) is likely to be disclosed by the organisation to another organisation.
GDPR:
• Right to rectification of inaccurate personal data concerning the individual.
Rights of Individuals (Retention Limitation Obligation)
PDPA:
• There is no prescribed time frame.
• An organisation must cease to retain any documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as (a) the purpose for which that personal data was collected is no longer being served and (b) retention is no longer necessary for legal or business purposes.
GDPR:
• Right to erasure of personal data regarding the individual in certain circumstances:
1. The data is no longer needed for its original purpose and no new lawful purpose exists.
2. The lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists.
3. The data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing.
4. The data has been processed unlawfully.
5. Erasure is necessary for compliance with EU law or the national law of the relevant Member State.
Rights of Individuals (Protection Obligation)
PDPA:
• There is no one-size-fits-all solution.
• In practice, an organisation is expected to undertake a risk assessment exercise to ensure the adequacy of its information security arrangements.
GDPR (Articles 5 & 32):
• The GDPR requires organisations to process personal data securely.
• Doing this requires organisations to consider factors like risk analysis, organisational policies, and physical and technical measures.
Rights of Individuals (Transfer Limit Obligation)
PDPA:
• An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA, so as to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA.
• There are specific situations where transfer is necessary for the data to be used.
GDPR:
• The GDPR imposes strict restrictions on the transfer of personal data outside the EU, to third countries or international organisations.
• Personal data may only be transferred outside of the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.
Rights of Individuals (Right to Object)
PDPA:
• No explicit right to object.
GDPR:
• The data subject has the right to object to the processing of his/her personal data.
• Upon objection, the data controller should no longer process the personal data unless there are ‘legitimate compelling reasons to do so’.
Rights of Individuals (Right to data portability)
PDPA:
• No right to data portability.
GDPR:
• Data subjects have the right to transfer their personal data between data controllers.
Rights of Individuals (Protection from automated decision making [including profiling])
PDPA:
• No explicit rights protecting individuals from automated decision making.
GDPR:
• The data subject has the right not to be subject to a decision based solely on automated processing which significantly affects them.
• Such a decision is permitted only when:
o It is necessary for entering into or performing a contract with the data subject, provided that appropriate safeguards are in place.
o It is authorised by law.
o The data subject has explicitly consented and appropriate safeguards are in place.
Rights of Individuals (Withdrawal of Consent)
PDPA:
• Once the data subject withdraws their consent, the organisation must cease collecting, using or disclosing their personal data.
GDPR:
• The data subject has the right to withdraw their consent at any time.
• Upon withdrawal, the organisation should no longer possess their personal data, unless another legal basis applies.
Accountability and Governance (Data Protection by Default and Design)
PDPA (Sections 11 & 12):
• A Data Protection Management Programme (DPMP) helps organisations to establish a robust data protection infrastructure.
• When developing a DPMP, organisations should consider:
1. Developing a personal data protection policy.
2. Designating data protection roles and responsibilities.
3. Designing processes to operationalise policies.
4. Detailing ways to stay relevant.
GDPR:
• Implementing appropriate technical and organisational measures to ensure that, by default, only personal data that is necessary for the specific purpose is processed.
• This would mean integrating data protection into organisations’ processing activities and business practices, from the design stage right through the lifecycle.
• This ensures that organisations comply with the GDPR’s fundamental principles and requirements.
Accountability and Governance (Data Protection Impact Assessment)
PDPA (Sections 11 & 12):
• Organisations should first assess whether there is a need for a DPIA. If the project involves personal data (i.e. collection, use, transfer, disclosure or storage), a DPIA is necessary.
• Organisations should do a DPIA when the system or process is:
o New and in the process of being designed.
o In the process of undergoing major changes.
• A DPIA helps organisations identify and minimise the data protection risks of a project.
GDPR:
• Organisations must do a DPIA for processing that is likely to result in a high risk to individuals (particularly the use of new technologies).
• To assess the level of risk, organisations must consider the likelihood and the severity of the impact on individuals.
Accountability and Governance (Data Protection Officer)
PDPA:
• Though not statutorily prescribed, organisations are required to develop and implement policies and practices that are necessary to comply with the PDPA; hence appointing a DPO is highly encouraged by the PDPC.
GDPR:
• The following need to appoint a DPO:
o Public authorities or bodies, except for courts acting in their judicial capacity.
o Companies who process data requiring ‘regular and systematic monitoring of data subjects on a large scale’.
o Companies who process, on a large scale, any special category of personal data. This includes data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs and other such information.
o Companies who process, on a large scale, personal data relating to criminal convictions and offences.
Data Breach Notification
PDPA:
• No mandatory data breach notification. Organisations are only encouraged to notify individuals if they are affected by the data breach.
• However, the PDPC has plans to implement a data breach notification framework. The proposed time frames for notification are:
o Individuals – ‘as soon as practicable’
o PDPC – ‘as soon as practicable, no later than 72 hours’
GDPR:
• A data controller must report a data breach within 72 hours after the breach is discovered.
• It is also expected to document the said breach, comprising the facts in relation to the breach and any remedial actions taken.
Penalties for Non-Compliance
PDPA (Sections 29(2), 51, 56):
• Fines up to S$1 million.
• Fines not exceeding S$5,000 or S$10,000, depending on the provision breached; and/or
• Discretion to impose a term of imprisonment of up to 12 months, or up to 3 years if a serious breach of a provision occurs.
GDPR (depending on which provisions are infringed):
• Fines up to EUR 10 million or two percent of worldwide annual turnover of the preceding financial year (whichever is higher); or
• Fines up to EUR 20 million or four percent of worldwide annual turnover of the preceding financial year (whichever is higher).
From the comparison above, it is abundantly clear that the GDPR’s requirements are more rigorous, more specific and broader than the requirements of the PDPA. One example of the PDPA diverging from the GDPR is that the PDPA does not provide extra protection or special handling for sensitive personal data such as health data, race, ethnicity and religion. Therefore, compliance with the PDPA does not necessarily equate to compliance with the GDPR, as the two regimes impose different requirements.
At the national level, it is apparent that there is a common theme across all jurisdictions. Regardless of the current state of the respective data protection regimes, all jurisdictions have identified the importance of the need for a more comprehensive data protection regime that caters to the privacy needs of an increasingly globalised world, and are taking measures to achieve such a robust regime.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.