Passed in Parliament on Oct. 15 last year, Singapore’s first data protection law is expected to come into play from January 2013 onwards. Broad reaching, investor friendly and welcomed in the marketplace, the law brings the country in line with other regional and international regimes, creating a more efficient environment for cross border business as well as safeguarding individuals’ personal data.

A piecemeal path to privacy

“Singapore has basically gone from a zero to hero status,” says Arthur Cheuk, associate at DLA Piper, “by zero, I mean that the country currently runs on a very piecemeal, sectoral regime; basically the data protection laws consist of a multitude of laws covering different sectors. Now, this legislation has taken a leap forward by implementing a single law governing the use of personal data.”

Prior to the announcement of this law, various industries in Singapore were governed by disparate legislation that had elements of data protection or privacy, such as the banking industry’s adherence to the Banking Act, or the competition code for the telecommunications sector. However, the new law is an overarching piece of legislation that creates a baseline parameter for industries across the board.

What are the drivers behind this push for privacy? Largely economic impetus; as Singapore becomes increasingly significant to the cloud computing industry and well positioned as a data centre, the need to normalise its laws to an international standard grows. “If you look at the G20 member states, the overwhelming majority of them have data privacy laws. Singapore is a major financial hub and a major economy,” says Matt Glynn, partner and head of intellectual property and technology at DLA Piper, “If it’s going to continue in this league, there have to be regulations to facilitate the flow of info between other major economies. If it is going to continue to attract investment, it needs to have a regulatory framework that other countries will recognise as transparent and world class.”

Practitioners admit that although the law does strengthen the protection of personal data, the right to privacy isn’t what has propelled this law into reality. “For countries in Asia, laws are generally drafted with a view to the interests of society as a whole first, and then to a lesser extent, the rights of an individual,” says Rajesh Sreenivasan, partner at Rajah & Tann LLP, “This is the first of a new breed of legislation where the rights of the individual are given a high degree of credence and respect. It’s a mindset change that organisations have to adopt, but it’s not necessarily one that comes naturally to us.”

Finally, there’s something to be said for the “keeping up with the Joneses” factor as regionally countries have ramped up their data protection regimes in the last 12 months, with Malaysia’s law coming into effect, Australia and Hong Kong promising significant amendments to theirs, and the Philippines and Taiwan being the latest newcomers with brand new legislation. “Asia-Pacific has been a very rapidly evolving data protection landscape and in today’s digital economy where internet and networks play such a central role in everyday life, there is an urgent need to bring Singapore’s regime up to speed and comparable with those more developed regimes,” states Rosemary Lee, counsel at Pinsent Masons MPillay.

Breaking it down

The draft bill, once passed, will become known as the Personal Data Protection Act (PDPA). It has several major prongs, which include establishing a Data Protection Commission to administer and enforce the act, applying the law to all private sector organisations in Singapore, the introduction of a Do Not Call Registry, and the facility for individuals to request access to their personal data that is held by an organisation.

Several parts of the law have been highlighted as particularly effective, primarily the financial penalties that can be imposed on companies that fall afoul of it. “It’s a regime that now has some substantive remedies. So the dollar fine that exists for certain breaches is a meaningful provision in terms of enforcement,” explains Scott Thiel, partner at DLA Piper, “What we have seen in other jurisdictions is a regime that exists, but with sanctions that are so moderate that they aren’t encouraging people to actually take notice or invest the time and effort and money required to get compliant. So the financial sanctions definitely stand out as a particularly effective measure.”

The Do Not Call Registry is also a new concept for Singapore, and will affect many companies in the marketplace. Individuals will have the chance to register their telephone numbers in order to stop receiving marketing messages. The responsibility will now lie with the company to check with the registry prior to contacting potential customers. “This is fairly stringent, and will affect all direct marketers as well as us as individuals,” says Sheena Jacob, partner at Bird & Bird ATMD, “It’s interesting that the law also includes SMS in the Do Not Call Registry regime because not all countries do that. But that is definitely a positive step.”

The law’s extraterritorial application has also caught the attention of the marketplace. Ambitiously, the draft bill proposes to cover not only companies based in Singapore, but also those located outside that are engaged in data collection or processing of data within the country. In a wider context, this makes sense given the world that we live in today, where data isn’t received or stored in one jurisdiction. This is especially so in Singapore, the regional headquarters for many MNCs that still have a reporting line back to their home jurisdictions, resulting in the flow of data all around the world. Enforcement of the PDPA against these companies may prove problematic.

Lim Chong Kin, director at Drew & Napier, elaborates: “In order to do so effectively, the commission would likely require the assistance of the relevant foreign authorities, which in itself connotes a whole set of challenges. Nevertheless, it’s noted that extending the personal data protection framework to overseas organisations might still prove valuable as a deterrent, and provide consistent treatment for local organisations in comparison to overseas organisations with data-related operations in Singapore.”

Some practitioners have cast doubt on the fact that the public sector is not included within the remit of the law, as it only applies to private organisations. However Jacob explains that: “Culturally, it’s a big step forward for Singapore just to go ahead with this law; the concept of privacy is much more developed in Europe. You also don’t see a strong push for inclusion of the public sector so I don’t anticipate that there will be any move towards the new law applying to the government sector.”

In fact, the public sector already has its own code in regards to privacy that monitors information sharing between governmental departments. Practitioners point out that in the Singapore context, there is a very high degree of trust between citizens and its government. They accept the fact that the government possesses personal data but also believe that the government uses it for their benefit in terms of the services that it provides.

In comparison, there are several jurisdictions where data privacy laws don’t make a distinction between the public and the private sector, such as Hong Kong, but “on whether it is effective or not really depends on how aggressive the data protection commission is,” finishes Cheuk, “The law is really only as good as the regulator that enforces it.”

Prepare to comply

“It’s never too early for companies to start putting the house in order in terms of looking at their current business processes and practices,” says Lee.

What should organisations do to become compliant with the PDPA? It starts with due diligence exercises to evaluate existing processes, and extends to training sessions for employees as well as the creation of internal compliance manuals.

“It’s not an act that you can take lying down,” says Sreenivasan, “Companies have a responsibility to take this act seriously, and are statutorily obliged to ensure that adequate compliance measures are adopted in time.” It’s probable that the PDPA will primarily affect the IT, marketing and HR sectors of companies, given their handling of individual data on a regular basis.

Organisations will now need to identify an individual as an official personal data protection officer, who must be able to respond to queries from the public; queries that will perhaps come rapidly once the law comes into effect. Companies should now evaluate their processes to see if they have the correct systems in place to be able to deal with these requests. If they are unable to answer these questions from the public (ranging from ‘What kind of personal data do you hold of mine?’, ‘Can I amend parts of this data?’ and ‘What are you doing with this information?’ to ‘Can I withdraw my consent for you to use this data?’) then a complaint can be lodged with the commission.

One particularly tricky aspect arises when third parties become involved. “It’s very challenging when it comes to outsourcing,” says Lee, “It’s integral for a company to be able to maintain control over its third party service provider. Outsourcing represents a risk to organisations; the risk that the personal data they hold will be going through a third party. So it becomes very important for companies to look at their contracts to ensure that certain security standards or use of encryption and other controls are in place so as to maintain control. At the end of the day, a company cannot outsource its data protection obligations under the new law.”

The cost of compliance

Given these tumultuous economic times, it’s no surprise that the cost of compliance is an issue of critical importance to the marketplace. Big business and SMEs will, predictably, be affected in different ways when it comes to expenditure. “This is a key issue, especially for SMEs,” says Lim, “and the Ministry of Communications and Information has sought to mitigate compliance costs for businesses where possible. The minister assured the Members of Parliament that the ministry had been mindful to ensure that the Bill does not impose overly onerous requirements on businesses, while maintaining an adequate level of protection for consumers.”

For large companies, compliance isn’t a new term and they would most probably already have a compliance officer in place. SMEs, however, wouldn’t have the dedicated resources or deep pockets of a large organisation. So cost-effective means of compliance would become essential. Practitioners advocate a range of methods ranging from adapting handbooks to sharing resources within departments. Sreenivasan says, “We are assisting both SMEs and large companies in terms of compliance with the act. At a fundamental, legal level, the process is the same for all organisations, but it’s at the execution of compliance where there is need for each category of organisation to take a different path nuanced on factors such as their size and industry.”

Most lawyers agree that the act has struck a decent balance between respecting the rights of individuals as well as not being too overbearing for organisations when it comes to compliance costs. Not to say that there isn’t any cost, depending on the nature of the company and the level of data within their care. “Asia is not immune to the global financial crisis,” says Glynn, “We are living in an increasingly regulated world, and corporate governance is a top priority for almost every company in the world. There’s only so much budget available for organisations to launch compliance programmes. So it will be interesting to see whether clients will start spending meaningful amounts of money into data protection in Singapore.”

Time to transition

There will be transition periods of 18 months and 12 months, respectively, before the general data protection rules and the DNC registry provisions come into effect. “During this transition period, it is expected that the commission will issue advisory guidelines, provide educational materials, as well as conduct education and outreach activities to help both organisations and individuals better understand the PDPA,” says Lim.

What else will we see during this period? Glynn predicts that “there will be a heightened sensitivity as people will start looking at their businesses ahead of time. Clients will want to take a forward looking approach, and get on with the business of designing a compliance strategy. That will translate for law firms working in this space as more opportunities.”

Increased demand for legal services will, in turn, lead to an expansion of the firms working in this space. Many are looking to actively hire in order to meet and cope with the predicted demand. “Work is coming in thick and fast already, and we are conducting awareness campaigns within companies and starting compliance reviews for both MNCs and Singapore companies,” says Jacob.

There is no easy, one-size-fits-all solution for companies that will be affected by the PDPA, and as a result, many lawyers see data protection globally as a significant part of the practice for the next year. “It’s quite an interesting point in time right now as the laws try to catch up with changes in technology. It’s challenging because it’s a race to keep abreast of the new developments,” sums up Lee.
