In early 2019, Singapore’s data privacy regulators proposed that the country’s data privacy law could use two new updates—a data breach notification requirement and a right of data portability for the country’s residents.
The proposed additions are commonplace in several data privacy laws around the world, including, most notably, the European Union General Data Protection Regulation, or GDPR, a sweeping set of data protections that came into effect two years ago.
If Singapore approves its two updates, it would be the latest country in a long line of other countries to align their own data privacy laws with GDPR.
The appeal is clear: Countries that closely hew their own data privacy laws to GDPR have a better shot at obtaining what is called an “adequacy determination” from the European Commission, meaning those countries can legally transfer data between themselves and the EU.
Such a data transfer regime is key to engaging in today’s economy, said D. Reed Freeman Jr., cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr. If anything, the proposed appeal to GDPR is as much an economic decision as it is one of data privacy rights.
“The world’s economy depends on data flows, and the more restrictive the data flows are, the better,” Freeman said. “Multinational [organizations] in Singapore would like to have an adequacy determination.”
On October 15, 2012, Singapore passed its data protection law, the Personal Data Protection Act (PDPA), putting into place new rules for the collection, use, and disclosure of personal data. The PDPA did two other things. It created a national “Do Not Call” register and it established the country’s primary data protection authority, the Personal Data Protection Commission.
For years, the Personal Data Protection Commission has issued warnings to organizations that violate the country’s data protection law, publishing their decisions for the public to read. It is the same commission responsible for the current attempts to update the law.
Today, Singaporeans enjoy some of the same data protection rights found in the European Union and even in California.
For starters, Singaporeans have the right to request that an organization hand over any personal data that belongs to them. Further, Singaporeans also have the right to correct that personal data should they find any errors or omissions.
Singapore’s data privacy law also includes restrictions for how organizations collect, use, or disclose the personal data of Singaporeans.
According to the PDPA, organizations must obtain “consent” before collecting, using, or disclosing personal data (more on that below). Organizations must also abide by “purpose” limitations, meaning that they can “collect, use or disclose personal data about an individual only for purposes that a reasonable person would consider appropriate in the circumstances and, if applicable, have been notified to the individual concerned.” Organizations must notify individuals about planned collection, use, and disclosure of personal data, and collected personal data must be accurate.
Further, any personal data in an organization’s possession must be protected through the implementation of “reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks.” And organizations also have to “cease to retain” documents that contain personal data, or “remove the means by which the personal data can be associated with particular individuals” after the purpose for collecting personal data ends.
While these rules sound similar to GDPR, there are discrepancies—including how Singapore and the EU approach “consent.” In Singapore’s PDPA, consent is not required to collect personal data when that data is publicly available, is necessary for broadly defined “evaluative purposes,” or collected solely for “artistic or literary purposes.” In the EU, there are no similar exceptions.
Two other areas where the laws differ are, of course, data portability and data breach notification requirements. Singapore’s law has none.
On February 25, 2019, Singapore’s Personal Data Protection Commission published a “discussion paper” on data portability, explaining the benefits of adding a data portability requirement to the PDPA.
"Data portability, whereby users are empowered to authorize the movement of their personal data across organizations, can boost data flows and support greater data sharing in a digital economy both within and across sectors," the PDPC said in a press release.
With a right data portability, individuals can request that organizations hand over their personal data in a format that lets them easily move it to another provider and basically plug it in for immediate use. Think of it like taking your email contacts from one email provider to another, but on a much larger scale and with potentially less value—it’s not like your Facebook status updates from 2008 will do you much good on Twitter today.
Less than one week after publishing its data portability discussion paper, the Personal Data Protection Commission also announced plans to add a data breach notification requirement to the PDPA.
The Personal Data Protection Commission proposed that if organizations suffered a data breach that potentially harmed individuals, those individuals and the PDPC itself would need to be notified. Further, even if a data breach brought no potential harm to individuals, organizations would need to notify the PDPC if more than 500 people’s personal data was affected.
Following public consultations, the data portability requirement was well-received.
Aligning a country’s data protection laws with the protections provided in GDPR is nothing new, and in fact, multiple countries around the world are currently engaged in the same process. But Singapore’s timing could potentially be further pinned down to another GDPR development in early January of 2019—an adequacy determination granted by the European Commission to another country, Japan.
Wilmer Hale’s Freeman said it is likely that Singapore looked to Japan and wanted the same.
“[Singapore] is competing in the Asia market and in the global market, and I would suspect that the leaders in Singapore saw what happened in Japan, asked the relevant people at the Commission, ‘What do we need to do to get that?’ and were told ‘If you line up [PDPA] pretty close, we have a good chance of getting an adequacy determination.’” Freeman said.
Freeman explained that, in recent history, obtaining an adequacy determination relies on whether a country’s data protection laws are similar to GDPR.
“Over time, it’s been sort of short-hand thought of as ‘adequacy’ means something close to ‘equivalent,’” Freeman said.
As to the importance, Freeman explained that any multinational business that wants to move data between its home country and the EU must, per the rules of GDPR, obtain an adequacy determination. No determination, no legal opportunity to engage in the world’s economy.
“If you’re a multinational company and you have employees and customers in Europe, and you want to store the data at the home office in Singapore, you need a lawful basis to do that,” Freeman said. An adequacy determination is that legal basis, Freeman said, and it’s far more difficult to “undo” an adequacy determination than it is a bilateral agreement, like the one struck down by the Court of Justice for the European Union between the EU and the United States.
Singapore has not proposed a time frame for when it wants to finalize the data portability rights and data breach notification requirements. Nor has it specified the actual regulations it would put in place—including how long before the Personal Data Protection Commission would enforce the new requirements, or what those enforcement actions would entail.
Freeman suggested that when the Singaporean government clarifies its proposals, it look to its neighbors across the world who have grappled with the same questions on data breach notifications and data portability.
For data portability, Freeman explained that many large corporations have already struggled to comply with the rules both in GDPR and in the California Consumer Privacy Act, not because of an inability to do so, but because providing such in-depth data access to individuals requires understanding all the places where an individual’s personal data can live.
“Is it stored locally? On servers in different places? Is it in email? In instant messaging? On posts?” Freeman said.
For data breach notification requirements, Freeman also said that it makes little sense to create something “out of whole cloth” that will create new burdens on multinational businesses that already have to comply with the data breach notification requirements in GDPR and in the 50 US states.
It’s better to find what currently works, Freeman said, and borrow.