In 2016 and 2017, Singapore continued to rapidly develop its personal data protection, cybercrime and cybersecurity regulatory framework and enforcement initiatives. As set out in Singapore’s October 2016 cybersecurity strategy report,2 the government views its efforts in these areas as part of an integrated cybersecurity plan to protect the country from cyberthreats and to reinforce Singapore’s standing as a leading information systems hub. The key legal components in this strategy include the Personal Data Protection Act 2012 (PDPA), Singapore’s first comprehensive framework established to ensure the protection of personal data, the Computer Misuse and Cybersecurity Act (CMCA) to combat cybercrime and other cyberthreats, and the upcoming Cybersecurity Act (the Cybersecurity Act), which will be focused on protecting Singapore’s critical information infrastructure (CII) and on establishing a comprehensive national cybersecurity framework.3
Although much of the government’s focus in 2017 has been on issuing and passing the proposed Cybersecurity Act, data protection and cybercrime regulation and enforcement both saw significant developments in the past year. With respect to privacy and data protection, the Personal Data Protection Commission (PDPC), the body set up to administer and enforce the PDPA, continued to engage in significant public consultations on aspects of the law and to bring enforcement actions. On cybercrime, the government strengthened existing CMCA provisions and added new cybercrime offences.
In this chapter, we will outline the key aspects of the PDPA, CMCA and the proposed Cybersecurity Act. The chapter will place particular emphasis on the PDPA, including a brief discussion of the key concepts, the obligations imposed on data handlers, and the interplay between technology and the PDPA. Specific regulatory areas such as the protection of minors, financial institutions, employees and electronic marketing will also be considered. International data transfer is particularly pertinent in the increasingly connected world; how Singapore navigates between practical considerations and protection of the data will be briefly examined. We also consider the enforcement of the PDPA in the event of non-compliance.
This chapter will also review the amendments to the CMCA and the CMCA’s linkages with the related proposed Cybersecurity Act. The discussion will cover the proposed consolidation of cybersecurity authority within Singapore’s Cyber Security Agency (CSA) and the new position of Commissioner of Cybersecurity that the Cybersecurity Act would establish.
II THE YEAR IN REVIEW
i PDPA developments
There were a number of significant developments related to the PDPA and the PDPC in the 12 months from September 2016 to August 2017. In October 2016, the government moved the PDPC into the newly formed Info-communications Media Development Authority (IMDA), which itself had emerged from a restructuring of two previous entities: the Infocomm Development Authority of Singapore and the Media Development Authority. Officials noted that the PDPC will continue to operate as an independent personal data protection authority but expected that there would be synergies between the PDPC’s activities and IMDA’s mission to protect consumers in the information, communication and media sectors.
Although there were no new PDPA-related regulations or subsidiary legislation issued in 2016 and the first half of 2017, the PDPC continued to be very active in issuing advisory guidelines. These guidelines are advisory and not legally binding but provide essential guidance for companies seeking to comply with the provisions of the PDPA. The advisory guidelines updates include:
- (a) PDPC Advisory Guidelines on Key Concepts in the Personal Data Protection Act, issued on 24 September 2013 and revised on 27 July 2017 (the PDPA Key Concepts Guidelines);4
- (b) PDPC Advisory Guidelines on the Personal Data Protection Act for Selected Topics, issued on 24 September 2013 and revised on 28 March 2017 (the PDPA Selected Topics Guidelines);5
- (c) PDPC Advisory Guidelines on the Do Not Call Provisions, issued on 26 December 2013 and revised on 27 July 2017 (the PDPA Do Not Call Guidelines);6
- (d) PDPC Advisory Guidelines on Application of PDPA to Election Activities, issued on 8 July 2017; and
- (e) PDPC Advisory Guidelines for the Healthcare Sector, issued on 11 September 2014 and revised on 28 March 2017 (the PDPA Healthcare Guidelines).
On 27 July 2017, the PDPC also issued a public consultation notice on important potential changes to PDPA implementation and enforcement. In this Public Consultation for Approaches to Managing Personal Data in the Digital Economy, the PDPC requested public views on two key areas: a proposed ‘enhanced framework’ for collection, use and disclosure of personal data, and a proposed mandatory data breach notification requirement.
These proposals could have significant impacts on Singapore’s data protection regime. With the enhanced framework, the PDPC proposed allowing for collection, use and disclosure of personal data under the PDPA without requiring consent in certain circumstances and only requiring a notification of purpose. These situations may include where an organisation has customer data but no customer contact information or when a company records data in high-traffic areas that may include personal information. In addition, the PDPC proposed establishing a ‘legal or business purpose’ exception to the consent, and in some situations, even the notification requirement. (The PDPA already provides certain exceptions to the consent requirement, such as debt collection or in investigations.) With respect to the data breach proposal, the PDPC noted that there is no requirement that an organisation inform any party when a breach has occurred. The PDPC proposed introducing a mandatory data breach notification to notify any affected individuals. In addition, the PDPC proposed requiring data breach reporting to the PDPC if the number of individuals affected is 500 or more. The consultation period for this notice ends on 21 September 2017.
ii CMCA developments and the proposed Cybersecurity Act
The CMCA and the proposed Cybersecurity Act are closely linked. In the October 2016 Cybersecurity Report, the government noted the need for a comprehensive framework to prevent and manage the increasingly sophisticated threats to Singapore’s cybersecurity. According to the report, the proposed Cybersecurity Act would establish that framework and would complement the existing cybercrime measures set out in the CMCA.
In 2013, the government amended the existing Computer Misuse Act, renaming it the Computer Misuse and Cybersecurity Act, to strengthen the country’s response to national-level cyberthreats. In 2017, the government introduced further amendments to the CMCA, and the amended law came into effect on 1 June 2017. The amendments broadened the scope of the CMCA by criminalising certain conduct not already covered by the existing law and enhancing penalties in certain situations. For example, the new provisions of the CMCA criminalise the use of stolen data to carry out a crime even if the offender did not steal the data him- or herself, and prohibit the use of programs or devices used to facilitate computer crimes, such as malware or code crackers. The amendments also extended the extraterritorial reach of the CMCA by covering actions by persons targeting systems that result in, or create a significant risk of, serious harm in Singapore, even if the persons and systems are both located outside Singapore.
In keeping with the government’s emphasis on safeguarding critical information infrastructure, on 10 July 2017, the Ministry of Communications and Information and the CSA issued the draft Cybersecurity Act for public comment. The proposed Cybersecurity Act focuses on the protection of CII, defined as computer systems necessary for the delivery of certain ‘essential services’, the loss of which would have a severe impact on key sectors such as defence, public health and safety. As defined by the bill, essential services would include energy, telecommunications, healthcare, banking and finance, media and other sectors – 11 in total. The proposed act would impose a number of new obligations on CII owners and would implement a licensing system for cybersecurity service providers. The proposed act would also establish a new Commissioner of Cybersecurity (a post apparently filled by the current head of the CSA) with wide-ranging supervisory, investigatory and enforcement powers. The public comment period ended on 24 August 2017 and, at the time of writing, the government has not yet issued the final statutory text.
iii 2017 Developments and regulatory compliance
Although the developments with the CMCA and the proposed Cybersecurity Act represent significant milestones in Singapore’s overall cybersecurity strategy, the key compliance framework from the perspective of companies and organisations remains at this point with data protection and privacy. The CMCA is primarily a criminal statute, and the government has not issued any regulations or guidelines for the CMCA. The proposed Cybersecurity Act would impose a number of legal requirements on CII owners and cybersecurity service providers, but the final law has not yet been issued. Once (or if) the Cybersecurity Act comes into effect, the government is likely to need to issue implementing regulations or advisory guidance, or both, to clarify the various obligations on affected organisations. Until that point, organisations’ focus will be on the PDPA and its related regulations, subsidiary legislation and advisory guidelines.7
III PDPA REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The PDPA framework is built around the concepts of consent, purpose and reasonableness. The main concept may be summarised as follows: organisations may collect, use or disclose personal data only with the individual’s knowledge and consent (subject to certain exceptions) for a purpose that would be considered appropriate to a reasonable person in the circumstances.
There is no prescribed list of ‘personal data’; rather, these are defined broadly as data about an individual, whether or not they are true, who can be identified from that data or in conjunction with other information to which the organisation has or is likely to have access.8 In addition, the PDPA does not distinguish between personal data in its different forms or mediums. Thus, there is no distinction made for personal data that are ‘sensitive’, or between data that are in electronic or hard copy formats. There are also no ownership rights conferred on personal data to individuals or organisations.9 There are certain exceptions to the application of the PDPA. Business contact information of an individual generally falls outside the ambit of the PDPA,10 as does personal data that is publicly available.11 In addition, personal data of an individual who has been deceased for over 10 years12 and personal data contained within records for over 100 years are exempt.13
Pursuant to the PDPA, organisations are responsible for personal data in their possession or under their control.14 ‘Organisations’ include individuals who are resident in Singapore, local and foreign companies, associations and bodies (incorporated and unincorporated), whether or not they have an office or a place of business in Singapore.15 The PDPA does not apply to public agencies.16 Individuals acting in a personal or domestic capacity, or where they are an employee acting in the course of employment within an organisation, are similarly excluded from the obligations imposed by the PDPA.17
Where an organisation acts in the capacity of a data intermediary, namely an organisation that processes data on another’s behalf, it would only be subject to the protection and retention obligations under the PDPA. The organisation that engaged its services remains fully responsible in respect of the data as if it had processed the data on its own.18
There is no requirement to prove harm or injury to establish an offence under the PDPA, although this would be necessary in calculating damages or any other relief to be awarded to the individual in a private civil action against the non-compliant organisation.19
Subsidiary legislation to the PDPA includes implementing regulations relating to the DNC Registry,20 enforcement,21 composition of offences,22 requests for access to and correction of personal data, and the transfer of personal data outside Singapore.23
There is also various sector-specific legislation, such as the Banking Act, the Telecommunications Act and the Private Hospitals and Medical Clinics Act, imposing specific data protection obligations. All organisations will have to comply with PDPA requirements in addition to the existing sector-specific requirements. In the event of any inconsistencies, the provisions of other laws will prevail.24
As mentioned in Section I, to ease organisations into the new data protection regime, the PDPC has released various advisory guidelines, as well as sector-specific advisory guidelines for the telecommunications, real estate agency, education, social services and healthcare sectors. The PDPC has also published advisory guidelines on data protection relating to specific topics such as photography, analytics and research, data activities relating to minors and employment. While the advisory guidelines are not legally binding, they provide helpful insight and guidance into problems particular to each sector or area.
ii General obligations for data handlers
The PDPA sets out nine key obligations in relation to how organisations collect, use and disclose personal data, as briefly described below.
An organisation may only collect, use or disclose personal data for purposes to which an individual has consented. Where the individual provided the information voluntarily and it was reasonable in the circumstances, the consent may be presumed. Consent may be withdrawn at any time with reasonable notice.26 The provision of a service or product must not be made conditional upon the provision of consent beyond what is reasonable to provide that product or service.
An organisation may obtain personal data with the consent of the individual from a third-party source under certain circumstances. For example, with organisations that operate in a group structure, it is possible for one organisation in the group to obtain consent to the collection, use and disclosure of an individual’s personal data for the purposes of the other organisations within the corporate group.27
Organisations are limited to collecting, using or disclosing personal data for purposes that a reasonable person would consider appropriate in the circumstances and for a purpose to which the individual has consented.
Organisations are obliged to notify individuals of their purposes for the collection, use and disclosure of the personal data on or before the collection, use and disclosure. The PDPC has also released a guide to notification to assist organisations in providing clearer notifications to consumers on the collection, use and disclosure of personal data that includes suggestions on the layout, language and placement of notifications.30
Access and correction31
Save for certain exceptions, an organisation must, upon request, provide the individual with his or her personal data that the organisation has in its possession or control, and how the said personal data has been or may have been used or disclosed by the organisation during the past year. The organisation may charge a reasonable fee in responding to the access request.
The organisation is also obliged to allow an individual to correct an error or omission in his or her personal data upon request, unless the organisation is satisfied that there are reasonable grounds to deny such a request.32
An organisation should respond to an access or correction request within 30 days, beyond which the organisation should inform the individual in writing of the time frame in which it is able to provide a response to the request.33
An organisation is obliged to make a reasonable effort to ensure that the personal data collected by or on behalf of the organisation are accurate and complete if they are likely to be used to make a decision that affects an individual or are likely to be disclosed to another organisation.
An organisation is obliged to implement reasonable and appropriate security safeguards to protect the personal data in its possession or under its control from unauthorised access or similar risks. As a matter of good practice, organisations are advised to design and organise their security arrangements in accordance with the nature and varying levels of sensitivity of the personal data.36
An organisation may not retain the personal data for longer than is reasonable for the purpose for which they were collected, and for no longer than is necessary in respect of its business or legal purpose. Beyond that retention period, organisations should either delete or anonymise their records.
An organisation may not transfer personal data to a country or territory outside Singapore unless it has taken appropriate steps to ensure that the data protection provisions will be complied with, and that the overseas recipient is able to provide a standard of protection that is comparable to the protection under the PDPA (see Section IV).
An organisation is obliged to implement necessary policies and procedures in compliance with the PDPA, and to ensure that this information is available publicly.
iii Technological innovation and privacy law
The PDPC considers that an IP address or network identifier, such as an International Mobile Equipment Identity number, may not on its own be considered personal data as it simply identifies a particular networked device. However, where IP addresses are combined with other information such as cookies, individuals may be identified via their IP addresses, which would thus be considered personal data.
In relation to organisations collecting data points tied to a specific IP address, for example, to determine the number of unique visitors to a website, the PDPC takes the view that if the individual is not identifiable from the data collected, then the information collected would not be considered personal data. If, on the other hand, an organisation tracks a particular IP address and profiles the websites visited for a period such that the individual becomes identifiable, then the organisation would be found to have collected personal data.
If an organisation wishes to use cloud-based solutions that involve the transfer of personal data to another country, consent of the individual may be obtained pursuant to the organisation providing a written summary of the extent to which the transferred personal data will be protected to a standard comparable with the PDPA.42 It is not clear how practicable this would be in practice; a cloud-computing service may adopt a multi-tenancy and data-commingling architecture to process data for multiple parties. That said, organisations may take various precautions, such as opting for cloud providers with the ability to isolate and identify personal data for protection, and ensuring that those providers have established platforms with a robust security and governance framework.
As regards social media, one issue arises where personal data are disclosed on social networking platforms and become publicly available. As noted earlier, the collection, use and disclosure of publicly available data is exempt from the requirement to obtain consent. If, however, the individual changes his or her privacy settings so that the personal information is no longer publicly available, the PDPC has adopted the position that, as long as the personal data in question were publicly available at the point of collection, the organisation will be able to use and disclose the same without consent.43
iv Specific regulatory areas
The PDPA does not contain special protection for minors (under 21 years of age).44 However, the Selected Topics Advisory Guidelines note that a minor of 13 years or older typically has sufficient understanding to provide consent on his or her own behalf. Where a minor is below the age of 13, an organisation should obtain consent from the minor’s parents or legal guardians on the minor’s behalf.45 The Education Guidelines46 provide further guidance on when educational institutions seeking to collect, use or disclose personal data of minors are required to obtain the consent of the parent or legal guardian of the student.
Given the heightened sensitivity surrounding the treatment of minors, the PDPC recommends that organisations ought to take relevant precautions on this issue. Such precautions may include making the terms and conditions easy to understand for minors, placing additional safeguards in respect of personal data of minors and, where feasible, anonymising their personal data before use or disclosure.
A series of notices issued by the Monetary Authority of Singapore (MAS),47 the country’s central bank and financial regulatory authority, require various financial institutions to, among other things:
- (a) upon request, provide access as soon as reasonably practicable to personal data in the possession or under the control of the financial institution, which relates to an individual’s factual identification data such as full name or alias, identification number, residential address, telephone number, date of birth and nationality; and
- (b) correct an error or omission in relation to the categories of personal data set out above upon request by a customer if the financial institution is satisfied that the request is reasonable.
In addition, legislative changes to the Monetary Authority of Singapore Act, aimed at enhancing the effectiveness of the anti-money laundering and the countering of financing of terrorism (AML/CFT) regime of the financial industry in Singapore, came into force on 26 June 2015.
Following the changes, MAS has the power to share information on financial institutions with its foreign counterparts under their home jurisdiction on AML/CFT issues. MAS may also make AML/CFT supervisory enquiries on behalf of its foreign counterparts. Nonetheless, strong safeguards are in place to prevent abuse and ‘fishing expeditions’. In granting requests for information, MAS will only provide assistance for bona fide requests. Any information shared will be proportionate to the specified purpose, and the foreign AML/CFT authority has to undertake not to use the information for any purpose other than the specified purpose, and to maintain the confidentiality of any information obtained.
The PDPA contains provisions regarding the establishment of a national DNC Registry and obligations for organisations that send certain kinds of marketing messages to Singapore telephone numbers to comply with these provisions. The PDPA Healthcare Guidelines48 provide further instructions on how the DNC provisions apply to that sector, particularly in relation to the marketing of drugs to patients. In relation to the DNC Registry, the obligations only apply to senders of messages or calls to Singapore numbers, and where the sender is in Singapore when the messages or calls are made, or where the recipient accesses them in Singapore. Where there is a failure to comply with the DNC provisions, fines of up to S$10,000 may be imposed for each offence.
The PDPC provides that organisations should inform employees of the purposes of the collection, use and disclosure of their personal data and obtain their consent.
Employers are not required to obtain employee consent in certain instances. For instance, the collection of employee’s personal data for the purpose of managing or terminating the employment relationship does not require the employee’s consent, although employers are still required to notify their employees of the purposes for their collection, use and disclosure.49 Examples of managing or terminating an employment relationship can include using the employee’s bank account details to issue salaries or monitoring how the employee uses company computer network resources. The PDPA does not prescribe the manner in which employees may be notified of the purposes of the use of their personal data; as such, organisations may decide to inform their employees of these purposes via employment contracts, handbooks or notices on the company intranet.
In addition, collection of employee personal data necessary for ‘evaluative purposes’, such as to determine the suitability of an individual for employment, requires neither the potential employee’s consent to, nor notification of, the collection, use or disclosure.50 Other legal obligations, such as the duty to protect the confidential information of employees, will nevertheless continue to apply.51
Section 25 of the PDPA requires an organisation to cease to retain documents relating to the personal data of an employee once the retention is no longer necessary.
IV PDPA AND INTERNATIONAL DATA TRANSFER
An organisation may only transfer personal data outside Singapore subject to requirements prescribed under the PDPA so as to ensure that the transferred personal data is afforded a standard of protection comparable to the PDPA.52
An organisation may transfer personal data overseas if:
- (a) it has taken appropriate steps to ensure that it will comply with the data protection provisions while the personal data remains in its possession or control; and
- (b) it has taken appropriate steps to ensure that the recipient is bound by legally enforceable obligations to protect the personal data in accordance with standards comparable to the PDPA.53 Such legally enforceable obligations would include any applicable laws of the country to which the personal data is transferred, contractual obligations or binding corporate rules for intra-company transfers.54
Notwithstanding the above, an organisation is taken to have satisfied the latter requirement if, inter alia, the individual consents to the transfer pursuant to the organisation providing a summary in writing of the extent to which the personal data transferred to another country will be protected to a standard comparable to the PDPA;55 or where the transfer is necessary for the performance of a contract.
In respect of personal data that simply passes through servers in Singapore en route to an overseas destination, the transferring organisation will be deemed to have complied with the transfer limitation obligation.56
The Key Concepts Guidelines57 also provide examples to illustrate situations in which organisations are deemed to have transferred personal data overseas in compliance with their transfer limitation obligation pursuant to Section 26 of the PDPA, regardless of whether the foreign jurisdiction’s privacy laws are comparable to the PDPA. An example is when a tour agency needs to share a customer’s details (e.g., his or her name and passport number) to make hotel and flight bookings. The tour agency is deemed to have complied with Section 26 since the transfer is necessary for the performance of the contract between the agency and the customer.
An organisation is also deemed to have complied with the transfer limitation obligation if the transfer is necessary for the performance of a contract between a Singaporean company and a foreign business, and the contract is one that a reasonable person would consider to be in the individual’s interest.
Other examples given by the Key Concepts Guidelines include the transferring of publicly available personal data, and transferring a patient’s medical records to another hospital where the disclosure is necessary to respond to a medical emergency.
The Key Concepts Guidelines also set out the scope of contractual clauses at Section 19.5 for recipients to comply with the required standard of protection in relation to personal data received so that it is comparable to the protection under the PDPA. The Key Concepts Guidelines sets out in a table (reproduced below) the areas of protection a transferring organisation should minimally set out in its contract in two situations: where the recipient is another organisation (except a data intermediary); and where the recipient is a data intermediary (i.e., an organisation that processes the personal data on behalf of the transferring organisation pursuant to a contract).
Table (only partially reproduced here): the columns are ‘Area of protection’ and ‘Organisation (except data intermediary)’, and the rows include ‘Purpose of collection, use and disclosure by recipient’ and ‘Policies on personal data protection’.
V PDPA AND COMPANY POLICIES AND PRACTICES
Organisations are obliged to develop and implement policies and practices necessary to meet their obligations under the PDPA.58 Organisations must also develop a complaints mechanism,59 and communicate to their staff the policies and practices they have implemented.60 Information on policies and practices, including the complaints mechanism, is to be made available on request.61 Every organisation is also obliged to appoint a data protection officer, who would be responsible for ensuring the organisation’s compliance with the PDPA, and to make the data protection officer’s business contact information publicly available.62
As a matter of best practice, an organisation should have in place notices and policies that are clear, easily accessible and comprehensible. Some of the policies and processes that an organisation may consider having in place are set out below.
i Data protection policy
If an organisation intends to collect personal data from individuals, it would be required to notify them of the purposes for the collection, use and disclosure of the personal data and seek consent before collecting the personal data. It should also state whether the personal data will be disclosed to third parties, and if so, who these organisations are. Further, where it is contemplated that the personal data may be transferred overseas, the organisation should disclose this and provide a summary of the extent to which the personal data would receive protection comparable to that under the PDPA, so that it may obtain consent from the individual for the transfer. The data protection policy may also specify how requests to access and correct the personal data may be made. To satisfy the requirement in the PDPA that data protection policies are available on request, the organisation may wish to make its policy available online.
iii Complaints mechanism
The organisation should develop a process to receive and respond to complaints it receives, and this should be made available to the public.
iv Contracts with data intermediaries
Contracts with data intermediaries should set out clearly the intermediaries’ obligations, and include clauses relating to the retention period of the data and subsequent deletion or destruction, security arrangements, access and correction procedures, and audit rights of the organisation over the data intermediaries. Where a third party is engaged to collect data on an organisation’s behalf, the contract should specify that the collection is conducted in compliance with the data protection provisions.
v Employee data protection policy
Employees should be notified of how their personal data may be collected, used or disclosed. The mode of notification is not prescribed, and the employer may choose to inform the employee of these purposes via employment contracts, handbooks or notices on the company intranet. Consent is not required if the purpose is to manage or terminate the employment relationship; as an example, the company should notify employees that it may monitor network activities, including company emails, in the event of an audit or review.
vi Retention and security of personal data
Organisations should ensure that there are policies and processes in place to ensure that personal data are not kept longer than is necessary, and that there are adequate security measures in place to safeguard the personal data. An incident-response plan should also be created to ensure prompt responses to security breaches.
VI PDPA AND DISCOVERY AND DISCLOSURE
The data protection provisions under the PDPA do not affect any rights or obligations under other laws.63 As such, where another law mandates the disclosure of information that may include personal data, that other law prevails to the extent that it is inconsistent with the PDPA. For instance, the Prevention of Corruption Act imposes a legal duty on a person to disclose any information requested by the authorities. In those circumstances, the legal obligation to disclose information would prevail over the data protection provisions.
The PDPA has carved out specific exceptions in respect of investigations and proceedings. Thus, an organisation may collect personal data about an individual without his or her consent where the collection is necessary for any investigation or proceedings, if it is reasonable to expect that seeking consent would compromise the availability or accuracy of the personal data.64 Further, an organisation may use personal data about an individual without the consent of the individual if the use is necessary for any investigation or proceedings.65 These exceptions, however, do not extend to internal audits or investigations. Nevertheless, it may be argued that consent from employees is not required, as such audits would fall within the purpose of managing or terminating the employment relationship.66 Employees may be notified of such potential purposes of use of their personal data in their employee handbooks or contracts, as the case may be.
On an international scale, Singapore is active in providing legal assistance and in the sharing of information, particularly in respect of criminal matters. That said, the PDPC may not share any information with a foreign data protection body unless that body gives an undertaking in writing that it will comply with the terms of the undertaking in respect of the disclosed data. The requirement is mutual: the PDPA also authorises the PDPC to give a similar undertaking to a foreign data protection body where that body requires one.67
VII PDPA PUBLIC AND PRIVATE ENFORCEMENT
i Enforcement agencies
The PDPC is the key agency responsible for administering and enforcing the PDPA. Its role includes, inter alia, reviewing complaints from individuals,68 carrying out investigations (whether on its own accord or upon a complaint), and prosecuting and adjudicating on certain matters arising out of the PDPA.69
To enable the PDPC to carry out its functions effectively, it has been entrusted with broad powers of investigation,70 including the power to require organisations to produce documents or information, and the power to enter premises with or without a warrant to carry out a search. In certain circumstances, the PDPC may obtain a search and seizure order from the state courts to search premises and take possession of any material that appears to be relevant to an investigation.
Where the PDPC is satisfied that there is non-compliance with the data protection provisions, it may issue directions to the infringing organisation to rectify the breach and impose financial penalties up to S$1 million.71 The PDPC may also in its discretion compound the offence.72 Certain breaches can attract penalties of up to three years’ imprisonment.73 In addition to corporate liability, the PDPA may also hold an officer of the company to be individually accountable if the offence was committed with his or her consent or connivance, or is attributable to his or her neglect.74 Further, employers are deemed to be vicariously liable for the acts of their employees, unless there is evidence showing that the employer had taken steps to prevent the employee from engaging in the infringing acts.75
Directions issued by the PDPC may be appealed to a Data Protection Appeal Committee. Thereafter, any appeal against a decision of the Appeal Committee lies to the High Court, but only on a point of law or on the quantum of the financial penalty. There is a further right of appeal from the High Court's decision to the Court of Appeal, as in the case of the exercise of its original civil jurisdiction.76
In relation to breaches of the DNC Registry provisions, an organisation may be liable for fines of up to S$10,000 for each breach.
ii Recent enforcement cases
Starting with the first round of decisions and penalties in April 2016, the PDPC has been active in enforcing the PDPA and has published the grounds of all its decisions on its website and in the first Personal Data Protection Digest, which was released by the PDPC in early 2017. In 2016, the PDPC published 22 decisions, in the majority of which it found that the respondents had breached the PDPA. By July 2017, the number of published decisions for 2017 stood at 12. In its decisions, the PDPC provides substantial factual detail and legal reasoning, and the decisions are another source of guidance for companies on particular issues.
Several enforcement actions in the first half of 2017 illustrate the PDPC's typical mix of behavioural remedies combined with financial penalties, including:
- a Propnex Realty Pte Ltd:77 the PDPC imposed a financial penalty of $10,000 on the respondent for failing to make reasonable security arrangements to prevent unauthorised access of individuals’ personal data stored online. The PDPC also directed the respondent to cease the storage of documents containing personal data until a security scan had been completed.
- b Singapore Telecommunications Ltd and Tech Mahindra Pte Ltd:78 the PDPC imposed a financial penalty of $10,000 on respondent Tech Mahindra, a data intermediary, for failing to make reasonable security arrangements to prevent unauthorised access to and modification of SingTel customers' personal data via SingTel webpages. The PDPC found no violation by respondent SingTel.
- c National University of Singapore:79 for the respondent’s failure to prevent the disclosure of student personal data, the PDPC directed the respondent to design training to address data protection related to student events and implement the training for student leaders in charge of organising such events.
- d Orchard Turn Developments Pte Ltd:80 the PDPC imposed a financial penalty of $15,000 on the respondent for failing to make reasonable security arrangements to protect member personal data stored on its server. The PDPC also directed the respondent to patch all vulnerabilities, conduct a penetration test, implement a password management policy and conduct staff training.
iii Private litigation
Anyone who has suffered loss or damage directly arising from a contravention of the data protection provisions may obtain an injunction, declaration, damages or any other relief against the errant organisation in civil proceedings in court. However, if the PDPC has made a decision in respect of a contravention of the PDPA, no private action against the organisation may be taken until after the right of appeal has been exhausted and the final decision is made.81 Once the final decision is made, a person who suffers loss or damage as a result of a contravention of the PDPA may commence civil proceedings directly.82
VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS
The PDPA applies to foreign organisations in respect of activities relating to the collection, use and disclosure of personal data in Singapore regardless of their physical presence in Singapore.
Thus, where foreign organisations transfer personal data into Singapore, the data protection provisions would apply in respect of activities involving personal data in Singapore. These obligations imposed under the PDPA may be in addition to any applicable laws in respect of the data activities involving personal data transferred overseas.
IX CYBERSECURITY AND DATA BREACHES
i Data breaches
While the PDPA obliges organisations to protect personal data, there is currently no requirement to notify authorities in the event of a data breach. However, as noted above, in the PDPC’s public consultation of July through September 2017, the PDPC proposed incorporating a requirement that organisations inform affected individuals in the event of a breach and report the incident to the PDPC if there are 500 or more persons affected. In the absence of mandatory data breach requirements, government sector regulators have imposed certain industry-specific reporting obligations. For example, MAS issued a set of notices to financial institutions on 1 July 2014 to direct that all security breaches should be reported to MAS within one hour of discovery.
The proposed Cybersecurity Act represents a move away from sector-based regulation. The Act would require mandatory reporting to the new Commissioner of Cybersecurity of ‘any cybersecurity incident’ (which is broader than but presumably would also include data breaches) that relates to CII or systems connected with CII. In issuing the bill, the government noted that it had considered sector-based cybersecurity legislation but had concluded that an omnibus law that would establish a common and consistent national framework was the better option.
Singapore is not a signatory to the Council of Europe’s Convention on Cybercrime.
In Singapore, the CMCA is the key legislation governing cybercrime and cybersecurity, pending the passage of the proposed Cybersecurity Act. The CMCA is primarily focused on defining various cybercrime offences, including criminalising the unauthorised accessing83 or modification of computer material,84 use or interception of a computer service,85 obstruction of use of a computer,86 and unauthorised disclosure of access codes.87 The 2017 amendments to the CMCA added the offences of obtaining or making available personal information that the offender believes was obtained through a computer crime88 and using or supplying software or other items to commit or facilitate the commission of a computer crime.89
Although the CMCA is in general a criminal statute, the 2013 amendments added a cybersecurity provision for certain critical cybersecurity threats. In particular, the Minister for Home Affairs may direct entities to take such pre-emptive measures as are necessary to prevent, detect or counter any cybersecurity threat to the national security, essential services, defence or foreign relations of Singapore.90 As previously noted, the proposed Cybersecurity Act would greatly expand national cybersecurity protections, including a nearly identical provision granting similarly sweeping powers to the Minister of Media and Communications in the event of a cybersecurity 'emergency'. More generally, the proposed Cybersecurity Act would mark a new phase in Singapore's cybersecurity regime by imposing affirmative reporting, auditing and other obligations on CII owners and by appointing a new Commissioner of Cybersecurity with broad authority, including the power to establish mandatory codes of practice and standards of performance for CII owners.
In keeping with its declared strategy, Singapore continues to progress on clarifying and enforcing its existing data privacy and cybersecurity laws and establishing a more robust cybersecurity framework. With the imminent passage of the proposed Cybersecurity Act, 2017 is likely to be viewed as a watershed year in the country’s cybersecurity regulatory regime.
Moving forward, we expect to see a high degree of activity within the government, as well as in the context of public consultations, after the passage of the proposed Cybersecurity Act. As with the PDPA, the government is likely to have to provide substantial guidance, in the form of implementing regulations, subsidiary legislation or advisory guidelines, or both, to clarify vague provisions in the final law and to set out specific administrative mechanisms.
We also expect PDPA-related activities to continue. The PDPC currently is considering revisions to the data privacy framework, including implementing a mandatory breach notification requirement. In addition, we expect the PDPC to continue providing guidance on various aspects of the PDPA and to maintain its enforcement vigilance.
1 Yuet Ming Tham is a partner at Sidley Austin LLP.
2 See Singapore’s Cybersecurity Strategy, Cyber Security Agency of Singapore (Oct. 2016) (Cybersecurity Report).
3 The government published the proposed Cybersecurity Act in July 2017, and the public consultation period is scheduled to end on 24 August 2017.
4 The PDPA Key Concepts Guidelines, as with the other advisory guidelines, elaborate on and provide illustrations for the key obligations and interpretation of key terms in the PDPA. The 27 July 2017 revision primarily clarifies the definition of ‘personal data’ in Chapter 5 based on 2016 and 2017 enforcement decisions by the PDPC.
5 The PDPA Selected Topics Guidelines elaborate on how the PDPA applies to certain issues and domains, such as photography and video recordings, employment and research. The 28 March 2017 revision to the PDPA Selected Topics Guidelines updates Chapter 3 to provide additional guidance on using and disclosing anonymised data, including further information on the considerations for assessing and managing the risk of re-identification.
6 The PDPA Do Not Call Guidelines provide examples of how the PDPA Do Not Call (DNC) provisions apply in different situations. The 27 July 2017 revisions to Chapters 3, 7 and 11 provide additional clarifications on dealing with third parties and the definition of an ‘ongoing relationship’.
7 Government agencies are not covered by the scope of the PDPA.
8 Section 2 of the PDPA.
9 Section 5.30, PDPA Key Concepts Guidelines.
10 Section 4(5) of the PDPA.
11 Second Schedule Paragraph 1(c); Third Schedule Paragraph 1(c); Fourth Schedule Paragraph 1(d) of the PDPA.
12 Section 4(4)(b) of the PDPA. The protection of personal data of individuals deceased for less than 10 years is limited; only obligations relating to disclosure and protection (Section 24) continue to apply.
13 Section 4(4) of the PDPA.
14 Section 11(2) of the PDPA.
15 Section 2 of the PDPA.
16 Section 4(1)(c) of the PDPA.
17 Section 4(1)(a) and (b) of the PDPA.
18 Section 4(3) of the PDPA.
19 Section 32 of the PDPA.
20 Personal Data Protection (Do Not Call Registry) Regulations 2013.
21 Personal Data Protection (Enforcement) Regulations 2014.
22 Personal Data Protection (Composition of Offences) Regulations 2013.
23 Personal Data Protection Regulations 2014.
24 Section 6 of the PDPA.
25 Sections 13 to 17 of the PDPA.
26 In Section 12.42 of the PDPA Key Concepts Guidelines, the PDPC indicates that it would consider a withdrawal notice period of at least 10 business days from the day on which the organisation receives the withdrawal notice to be reasonable notice. Should an organisation require more time to give effect to a withdrawal notice, it is good practice for the organisation to inform the individual of the time frame within which the withdrawal of consent will take effect.
27 Section 12.32, PDPA Key Concepts Guidelines.
28 Section 18 of the PDPA.
29 Section 20 of the PDPA.
30 PDPC Guide to Notification, issued on 11 September 2014.
31 Sections 21 and 22 of the PDPA.
32 Section 22(6) and Sixth Schedule of the PDPA.
33 Section 15.18, PDPA Key Concepts Guidelines.
34 Section 23 of the PDPA.
35 Section 24 of the PDPA.
36 See discussion in Sections 17.1–17.3, PDPA Key Concepts Guidelines.
37 Section 25 of the PDPA.
38 Section 26 of the PDPA.
39 Sections 11 and 12 of the PDPA.
40 Sections 7.5–7.8, PDPA Selected Topics Guidelines.
41 Section 7.11, PDPA Selected Topics Guidelines.
42 Section 9(4)(a) of the Personal Data Protection Regulations 2014.
43 Section 12.61, PDPA Key Concepts Guidelines.
44 Section 8.1, PDPA Selected Topics Guidelines.
45 Section 14(4) of the PDPA. See also discussion at Section 8.9 of the PDPA Selected Topics Guidelines.
46 Sections 2.5–2.8, PDPC Advisory Guidelines on the Education Sector, issued 11 September 2014.
47 MAS Notice SFA13-N01 regulating approved trustees; MAS Notice 626 regulating banks; MAS Notice SFA04-N02 regulating capital markets intermediaries; MAS Notice FAA-N06 regulating financial advisers; MAS Notice 824 regulating finance companies; MAS Notice 3001 regulating holders of money-changers’ licences and remittance licences; MAS Notice PSOA-N02 regulating holders of stored value facilities; MAS Notice 314 regulating life insurers; MAS Notice 1014 regulating merchant banks; and MAS Notice TCA-N03 regulating trust companies.
48 Section 6 of the PDPC Healthcare Guidelines.
49 Paragraph 1(o) Second Schedule, Paragraph 1(j) Third Schedule, and Paragraph 1(s) Fourth Schedule of the PDPA.
50 Paragraph 1(f) Second Schedule, Paragraph 1(f) Third Schedule and Paragraph 1(h) Fourth Schedule of the PDPA.
51 Sections 5.14–5.16 of the PDPA Selected Topics Guidelines.
52 Section 26(1) of the PDPA. The conditions for the transfer of personal data overseas are specified within the Personal Data Protection Regulations 2014.
53 Regulation 9 of the PDP Regulations.
54 Regulation 10 of the PDP Regulations.
55 Regulation 9(3)(a) and 9(4)(a) of the PDP Regulations.
56 Regulation 9(2)(a) of the PDP Regulations.
57 Issued on 23 September 2013 and revised on 8 May 2015.
58 Section 12(a) of the PDPA.
59 Section 12(b) of the PDPA.
60 Section 12(c) of the PDPA.
61 Section 12(d) of the PDPA.
62 Section 11(4) of the PDPA.
63 Section 4(6) of the PDPA.
64 Second Schedule, Section 1(e) of the PDPA.
65 Third Schedule, Section 1(e) of the PDPA.
66 As discussed earlier, consent is not required if the purpose for the collection, use and disclosure of personal data is for managing or terminating the employment relationship.
67 Section 10(4) of the PDPA.
68 Section 28 of the PDPA.
69 See Sections 28(2) and 29(1) of the PDPA. The PDPC has the power to give directions in relation to review applications made by complainants and contraventions to Parts III to VI of the PDPA.
70 Section 50 of the PDPA. See also Ninth Schedule of the PDPA.
71 Section 29 of the PDPA.
72 Section 55 of the PDPA.
73 Section 56 of the PDPA.
74 Section 52 of the PDPA.
75 Section 53 of the PDPA.
76 Section 35 of the PDPA.
77 Decision Citation: SGPDPC 1.
78 Decision Citation: SGPDPC 4.
79 Decision Citation: SGPDPC 5.
80 Decision Citation: SGPDPC 12.
81 Section 32 of the PDPA.
83 Sections 3 and 4 of the CMCA.
84 Section 5 of the CMCA.
85 Section 6 of the CMCA.
86 Section 7 of the CMCA.
87 Section 8 of the CMCA.
88 Section 8A of the CMCA.
89 Section 8B of the CMCA.
90 Section 15A of the CMCA. Essential services include the energy, finance and banking, ICT, security and emergency services, transportation, water, government and healthcare sectors.