Singapore’s Revised Proposal For A Personal Data Protection Law: Some Improvements Made, More Needed

April 23, 2012, 9:15 PM UTC

Singapore inched ever closer to passing its first legally enforceable approach to data protection with the publication by the Ministry of Information, Communications and the Arts (MICA) of its second consultation paper and the draft Personal Data Protection Bill (the “Draft Bill”) on March 19, 2012.

The question raised during the first consultation (see analysis at WDPR, September 2011, page 4) remains equally valid now: Will this law be the “light touch”, “baseline law” aimed at setting just the “minimum standards” that the first consultation paper stated it would be, or will Singapore adopt a more rigorous regime?

Now that the Draft Bill has been published, the die has, to a certain extent, been cast. Many of the smaller private companies that will be subject to the legislation’s provisions are likely to be content that MICA continues to seek only a “baseline law”. Those multinationals operating in Singapore are likely to comply with a higher standard of data protection regardless of Singapore’s statutory requirements. Others, whether not multinationals, or simply not caught, may have no awareness of data protection or its consequences, and yet others, seeking to exploit Singapore’s hitherto lax approach to data protection, may encounter a rude shock. But the greatest question facing the government in relation to those companies is whether they have the awareness, and intention, to comply with the legislation.

Forty-nine organisations, ranging from international law firms and multinational corporations to local pressure groups, and 11 individuals submitted comments in response to the first consultation. Views on the latest offering from MICA are due by April 30, 2012.

Key Proposals Revised

A number of changes to the proposals have been introduced as a result of the consultation process, moving the Draft Bill closer to an internationally accepted standard.

This article looks at some of those changes, identifies the gaps that continue to exist and considers whether, and how, the Draft Bill addresses the concerns that are now being considered by the European Union as a result of globalisation and technological changes never envisaged when the 1995 EU Data Protection Directive was adopted.

The Draft Bill and the consultation paper merit close scrutiny and analysis, and companies that would be affected by its passage would be well advised to respond officially to the consultation paper.

Concept of ‘Data Intermediaries’ Introduced

One of the most welcome changes in the Draft Bill is the introduction of the concept of a data processor. The first consultation anticipated no distinction between a company that had full control over data and a company that dealt with personal data on an outsourced basis only. The original intention was that the Personal Data Protection Act (the PDPA) would apply equally to controllers and processors of personal data.

The Draft Bill, taking on board objections from the majority of respondents, proposes to introduce a category of “data intermediaries” who are essentially data processors. Data intermediaries will be subject only to those requirements of the PDPA that relate to the safeguarding of personal data, rather than the numerous other more onerous provisions to which data controllers will be subject. The relationship between the intermediary and the controller must be documented contractually, and the intention is that the data controller will not be able to transfer its obligation to comply with the provisions of the PDPA to the intermediary.

However, there is still no clarity as to the extent of the data controller’s responsibility. Will the controller be expected simply to contractually provide for compliance, actually police the intermediary’s compliance, or stipulate and monitor to which countries the intermediary may or may not transfer personal data?

Sectoral Regulations to Remain in Place

Singapore’s sectoral regulations, which have to date governed data protection, shall, in spite of objections in the submissions to the initial consultation paper, remain intact and shall apply concurrently with the proposed legislation. Concerns were raised during consultation that this concurrence would introduce uncertainty and confusion between different applicable provisions. Requests were made that sectoral regulations be aligned with the PDPA prior to it being passed. This has not been addressed by MICA. In addition, requests for clarity as to which sectoral regulations would apply have also not been addressed.

It should be noted that, in the main, sectoral regulations are not legally binding and the standards they impose may conflict with the draft PDPA.

The author’s suggestion is not that the PDPA should replace the sector specific regime in a wholesale fashion, but rather that a subjective analysis be undertaken so as not to miss this opportunity to introduce a legally enforceable, clear, and adequate system of protection. In certain cases, for example, banking regulations, it is entirely advisable to retain existing sector specific rules which are more rigid and onerous than the proposed PDPA and are also easily identified by data subjects seeking to protect their rights. In other cases, the clarity that a formal regime would introduce would be welcome. In the case of medical data held by government bodies, for example, the government’s Health Promotions Board (HPB), existing regulations fall far short of the standard anticipated by the draft PDPA and do not appear to be legally enforceable in any event. An enquiry made of the HPB regarding data protection is met with a referral to the Attorney General’s (AG) Office, and the AG’s Office responds with a suggestion that the enquirer retains a solicitor. This makes for less than a transparent, data subject-friendly regime.

A further potential area of conflict relates to confusion surrounding enforcement proceedings in the event that both the PDPA and the separate sectoral regulations may apply. In the new consultation paper, MICA proposes addressing this by granting to the proposed Data Protection Commission the power to refer to another regulatory authority an incident that would otherwise be within its remit. No clarification is given in the Bill as to what factors the Data Protection Commission will take into account in deciding whether or not to pass a matter on to a different regulatory authority.

From its inception, the PDPA was not intended to apply to anything other than the private sector. Public, government bodies, MICA has said, are already governed by their own data protection rules. The nature and exact content of these rules is not easy to establish if one is not a government body, nor is their legal force. Respondents to the initial consultation paper requested clarification of this, and while the second consultation paper repeats that the rules relating to public bodies are quite similar to those set out in the Draft Bill, it gives no tangible evidence of this nor clarification on the details of the rules, where they may be found or how a data subject is expected to be capable of enforcing these rules. The concerns relating to sector specific regulations could be said to apply equally here.

This creates a double tiered approach to data protection: one set of legally enforceable laws that can be enforced by data subjects against the data controllers and intermediaries, and another set, less identifiable, either sector specific or applicable to public bodies but that may have no standing in law and may not be legally enforceable by data subjects, nor monitored by a separate independent commission. This reflects an approach to data protection that is at odds with that of the EU and the Organisation for Economic Co-operation and Development (OECD) regimes, which have, at their deepest core, the protection of data subjects.

New Definition of ‘Personal Data’ Offered

On a more positive note, the new consultation paper has also slightly amended the previously suggested, all-important definition of “personal data”. The definition now refers to data “true or not” about an individual “who can be identified” from that data or from data “to which the organisation is likely to have access”.

While this removes the previously objected-to reference to an “identifiable individual”, it does not address all the concerns that arise concerning the combination of data held in different places that together may constitute “personal data”. The words “likely to have”, rather than simply “has”, introduce the element of potential opportunity rather than actual opportunity that could extend the definition of “personal data” to otherwise sanitised lists of information used, for example, by a data processor on behalf of the data controller.

Business Contact Information

A welcome provision is the exclusion of business contact information from the scope of the PDPA. However, while exclusions will also be introduced for examination results and related information and university admission related information, there shall be no exclusion for personal data being circulated within a group of organisations or between an organisation and its head office or affiliates. As a result of lobbying by respondents to the consultation paper, there has also been an amendment, in line with legislation in British Columbia, relating to an exclusion for “work product information”, which means that personal data included in a document produced in the course of the individual’s employment, business or profession will be exempt from the PDPA.

The Future

As technology advances relentlessly and data transfers that were never previously contemplated become the norm, a number of other provisions in the Draft Bill may give rise to concerns, or they may assuage fears. It remains to be seen how the PDPA, which has been so long coming, will keep up with the rapidly evolving international field of data protection.

The European Union is in the process of reviewing its 1995 Data Protection Directive to consider its efficacy in the face of increasing globalisation and ever changing technologies (see analysis at WDPR, February 2012, page 4). Proposals include the introduction of a harms-based assessment of applicability, but this does not supersede the main recommendation to date, which is the harmonisation of interpretation and implementation of definitions and processes emanating from the Data Protection Directive. Apart from disparities in interpretation of principles, an oft-repeated concern relates to the consequences of unequal, and often unpredictable, enforcement, something which is clearly a risk in Singapore.

As those countries in the world that have been operating a formal and detailed approach to data protection since the 1990s re-evaluate their approach, there is an increasing awareness that a balance is required between a formal, predictable regime of rules and a more risk-aware approach to ensure new technological advances are taken into account and a pervading culture of data protection is instilled. There is recognition that the current system of disparate regimes and approaches is cumbersome for corporations, governments and individuals, and that a unified approach is required. But the proposal of nuanced, or simply different, terms by Singapore seems somewhat out of step with the direction other regulators and governments are currently following.

Vivianne Jabbour is a Consultant with Webb Henderson in Singapore. She may be contacted at vivianne.jabbour@webbhenderson.com.
