Singapore’s personal data protection developments and the impact on cybersecurity companies

Genie Sugene Gan, Head of Public Affairs, APAC

The Personal Data Protection Act (PDPA), which was to govern the collection, use and disclosure of personal data, was introduced in the Little Red Dot in October 2012. Prior to that, Singapore had no overarching law that comprehensively governed the protection of personal data.

Since 2012

Equally recognizing (1) the right of individuals[1] to protect their personal data; and (2) the need for organizations[2]to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances as defined, the PDPA was implemented in three phases:

1. January 2013: general provisions came into effect, such as: the scope and interpretation of the PDPA; establishment of the Data Protection Advisory Committee, and the Personal Data Protection Commission (PDPC) – the independent authority that administers and enforces the PDPA;
2. January 2014: provisions that are specific to the Do-Not-Call Registry and its remit came into effect; and
3. July 2014: data protection provisions in Parts III and IV of the PDPA came into effect.

Since then, this almost decade-old legislation has gained much traction as it has been enforced widely in enumerable instances. A list of the PDPC’s enforcement decisions to date can be found on its website and accessed by anyone. As of 2019, about 100 grounds for decisions against more than that number of organizations have been issued by the PDPC. These cases stem from violations mostly in terms of disclosure of personal data, poor technical or physical security arrangements, errors in mass emails or postal communications, or insufficient data protection policies. One of the highest profile cases is an unprecedented personal data breach arising from a healthcare organization’s patient database system, which attracted collective financial penalties amounting to a seven-figure SGD sum.

Latest Development in 2020

In a public consultation on the latest proposed set of amendments to the PDPA in May 2020, it was sufficiently clear that among the Singapore government’s objectives are enhancing accountability in personal data protection through a risk-based approach – thereby promoting greater consumer confidence in the use, management and protection of personal data.

In gist,

1. The enhanced institutional framework for greater cybersecurity and cyber-maturity as a result of explicit inclusion of the accountability principle into the PDPA, and the introduction of mandatory data breach notification have the effect of: enabling greater confidence in modern data management practices, greater security for individuals, and better protection of organizations through well-planned incident response and remediation policies thus avoiding significant reputations and financial losses.
2. The proposed amendment to enhance accountability of third-parties’ handling government data provides greater consistency in personal data protection, and – especially today in the world where lines of trust are often blurred – this enables greater public confidence in non-government entities acting on behalf of public agencies.[3]
3. The proposed amendments providing reasonable derogations for the use of re-identification in the case of cybersecurity research and investigations as well as research-related activities provide legal security to researchers who conduct legitimate research to uncover inadequate anonymization as a flaw in technical design to ensure personal data protection.
4. The introduction of new exceptions to consent and thus inclusion of an additional legal basis for personal data processing provide greater opportunities for the use of personal data (for personal data processing and data portability) that are lawful and, at the same time, innovative and beneficial for individuals themselves. Particularly, the legitimate interest exception that is intended to ‘detect or prevent illegal activities or threats to physical safety and security, ensuring IT and network security; and prevent misuse of services’, would provide cybersecurity vendors with sufficient functionality to provide data security to individuals.

As with all things in this imperfect world, there are particular aspects of the proposals that could benefit from further refinement, including:

1. In the context of a personal data breach, consistent definitions of what constitutes data ‘in transit’ and ‘in use’, along with data ‘in rest’ to be protected. More specifically:

     ○ The proposals highlight that a ‘data breach refers to any unauthorized access, collection, use, disclosure, copying, modification, disposal of personal data, or loss of any storage medium or device on which personal data is stored’.

     ○ There appears a lack of attention in the definition to data ‘in transit’ and data ‘in use’ – widely accepted notions in the industry along with data ‘in rest’ (meaning being stored). From that, a risk of creating legal loopholes when a data breach occurs while the data is being transmitted or actively used or processed may arise.

     ○ It is therefore recommended that the definition be slightly amended as follows: ‘data breach refers to any unauthorized access, collection, use, disclosure, copying, modification, disposal of personal data, or loss of any storage medium or device on which personal data is stored, used and transmitted’.

2. Clarity on liability of organizations in the case of data portability.

     ○ The proposal to introduce portability presents an important milestone in the personal data protection legal framework, and empowers individuals to have greater control over their personal data in a data-driven economy. Free portability of personal data from one organization to another can be a strong mechanism in fostering digital services and interoperability of platforms. However, the security and privacy risks correspondingly increase when systems are more interconnected given the potentially voluminous data being processed.

     ○ The liability of organizations in the case of data portability should also be clarified. If an organization provides personal data directly to an individual or another organization in response to a data portability request, there has to be clarity as to who is responsible for further processing of that data. For comparison, the Global Data Protection Regulation has faced criticism for not specifying any obligation, under the right to data portability, to check and verify the quality of the data which an organization transmits, though there is an obligation to ensure the accuracy of the data.

3. Clear guidelines on achieving data protection by design and by default for not only organizations processing personal data and data intermediaries, but also for producers of hardware and software for personal data use. Organizations processing personal data generally do not develop hardware and software themselves but rely on readily available hardware and software operating systems and applications. For greater security and data protection by design and by default, we recommend developing clear guidelines in terms of practical organizational and technical measures for both organizations and producers. For reference, there are known examples[4] of such guidelines that were shared in the public domain. Kaspersky once provided its thoughts[5] on enhancing a personal data protection framework through security measures.

Kaspersky congratulates Singapore on yet another milestone in its journey in building a robust data protection framework in the country and has engaged with the regulators on our support of the Bill and our suggestions for further refinement of the proposed amendments. We look forward to seeing the final Bill passed in the Parliament of Singapore in due course.

[1] Defined by natural persons, whether living or not

[2] Includes legally incorporated commercial entities and unincorporated bodies, including those formed or resident outside Singapore

[3] The existing exception in the PDPA for these organizations creates loopholes and may pose significant risks to individuals and affect their confidence in the data management and protection processes authorized by public agencies, particularly out of fear of abuse.

[4]https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2019/guidelines-42019-article-25-data-protection-design_en

[5]https://edpb.europa.eu/sites/edpb/files/webform/public_consultation_reply/kasperskys_submission_on_the_guidelines_on_article_25_data_protection_by_design_and_by_default.pdf