Focus: Major Singapore data protection reforms proposed
24 October 2011
In brief: A proposed new consumer data protection regime will affect all Singapore business sectors, applying a uniform minimum data protection standard to every industry. Senior Associate Jeremy Chase and Lawyer Henry Fraser report.
How does it affect you?
- The Ministry of Information, Communications and the Arts (MICA) has released a public consultation paper outlining a proposed consumer data protection regime.
- If implemented in its current form, all organisations in Singapore collecting personal data will be required to comply with minimum data protection standards. Until now, data protection has been regulated on a sector-specific basis.
- MICA has flagged that the draft Bill that will be introduced to effect the new regime will be prepared by early 2012.
MICA released, on 13 September 2011, a public consultation paper on a proposed consumer data protection regime for Singapore.[1]
There is currently no general privacy law in force in Singapore. Rules relating to privacy and data protection are instead dealt with via a number of sectoral Acts, which include specific secrecy and disclosure provisions relating to each applicable sector. The MICA paper proposes the introduction of a new general data protection regime to apply to all business sectors in Singapore and seeks public submissions on the proposals.
MICA has expressed the key rationales of the proposed data protection reforms to be:
- the safeguarding of consumers' personal data and the promotion of greater consumer trust in the private sector; and
- the enhancement of Singapore's position as a venue of choice for global data management and processing services.
The proposed regime is expressed to be a 'light touch' baseline regime that will apply a minimum data protection standard uniformly across all industries. However, MICA has highlighted that sectoral-specific regulations could co-exist with the proposed general data protection legislation where a relevant industry (for example, the banking sector) warrants more stringent data protection standards.
- MICA's proposed data protection regime would:
  - apply universally to private sector organisations in Singapore (MICA is seeking submissions on whether the regime should apply to organisations located outside Singapore that collect and process personal data in Singapore);
  - require organisations to obtain individuals' express or implied consent to the collection, use or disclosure of 'personal data' (defined in the paper as 'information about an identified or identifiable individual');
  - limit organisations' use and disclosure of personal data to the purposes for which the individual concerned has consented;
  - require organisations to give individuals access to their personal data and to ensure that the data is accurate; and
  - require organisations to implement 'reasonable' security arrangements to protect the data.
- Organisations would be permitted to transfer personal data outside Singapore but would still be considered to be controlling that data and, as such, would be required to ensure appropriate measures are taken to protect personal data where such data is transferred outside Singapore.
- MICA proposes to establish a Data Protection Commission to administer the new data protection regime. The Data Protection Commission would have power to:
  - launch investigations into compliance on its own initiative or if it receives a complaint;
  - make orders for organisations to take steps to rectify non-compliance; and
  - impose fines of up to S$1,000,000 for failure to rectify non-compliance.
- Criminal penalties are proposed for organisations obstructing or misleading the Data Protection Commission, or failing to comply with an order by the Data Protection Commission.
- MICA has proposed that any data protection regime would have a transitional 'sunrise period' of between 12 and 24 months before it came into effect. It is proposed that any organisation holding existing personal data at the time the regime came into effect would be deemed to have obtained consent from the relevant individual for reasonable existing uses. However, fresh consent would be required if existing personal data were used for a new or different purpose.
Should the data protection regime apply only to organisations in Singapore?
The consultation paper proposes that the data protection regime will apply to organisations that are 'in Singapore' or have 'a presence' in Singapore.
In addition, MICA has stated that there are valid reasons for extending coverage of the proposed data protection law to all data collection and processing activities in Singapore, regardless of whether the organisation responsible is situated there. However, MICA has also stated that there are significant practical difficulties in taking enforcement action against an organisation with no presence in Singapore, which may limit the effectiveness of the Singapore data protection regime in addressing any breach by an organisation located outside Singapore.
MICA is seeking submissions on whether organisations located outside Singapore should be regulated by the data protection regime to the extent they collect or process data in Singapore. It is also seeking submissions on how the regime could be practically applied to such organisations.
An opt-out regime
MICA has proposed a data protection regime based on consent. In general, an organisation is required to obtain an individual's consent for the collection, use or disclosure of personal data. Such consent may be explicit or implied, depending on the circumstances.
The discussion paper notes that, in some jurisdictions, consent will be deemed to have been given when the individuals are notified of an organisation's intent to collect and use personal data, and the individual concerned does not object to such collection or use within a reasonable time period.
MICA has recognised that such 'opt-out' regimes are cost effective for regulated organisations. However, it has noted that an opt-out regime shifts the burden of proving whether consent was given or withheld from the organisation to the individual. MICA is seeking submissions on whether it is reasonable to allow organisations to have 'opt-out' privacy compliance programs.
Under the MICA proposal, organisations will be required to implement reasonable data security measures to prevent unauthorised access, collection, use, disclosure and copying of personal data. The proposed security requirement is stated to be a response to a number of widely publicised cases of data breach in several countries, due to malicious activities, such as hacking, or to carelessness on the part of the organisation holding the personal data.
Given that there may be a range of sensitivities of data, as well as a range of ways of data storage (eg electronic or paper records), MICA has not been prescriptive in proposing what will be required of organisations in implementing reasonable data protection arrangements. It has flagged that guidelines on data protection may be issued once the data protection regime is implemented. However, if the data protection regime is implemented without more certainty about what data security measures will be considered 'reasonable', the Data Protection Commission's power to impose hefty fines for failure to rectify non-compliance may cause concern for organisations in Singapore that collect and use personal data.
MICA, having issued the discussion paper, is seeking comments on the proposed universal data protection regime. It has requested comments before 25 October 2011.
MICA has indicated in press releases that it is looking to propose a Data Protection Bill by early 2012, following the completion of its public consultation. However, if the transitional arrangements indicated in the discussion paper are reflected in any proposed draft law, organisations in Singapore should expect a period of between 12 and 24 months to prepare for any new data protection regime.
[1] Public Consultation issued by the Ministry of Information, Communications and the Arts, Proposed Consumer Data Protection Regime for Singapore, 13 September 2011.
- Marae Ciantar, Partner, Ph: +65 6535 6622
- Gavin Smith, Partner, Ph: +61 2 9230 4891
- Michael Pattison, Partner, Ph: +61 3 9613 8839