Singapore to form advisory council for ethical use of AI
Jun21

Earlier this month, the Singapore Government announced the formation of an Advisory Council on the Ethical Use of Artificial Intelligence (AI) and Data as part of a wider push to support Singapore as a global hub for AI development and innovation. The council will be chaired by former Attorney-General VK Rajah, and will consist of representatives from technology companies and users of AI.

What is the role of the Advisory Council?

The Advisory Council will lead discussions and provide guidance to the Singapore Government on the responsible development and deployment of AI. It will work with key stakeholder groups on ethical issues arising from the use of AI. This will include working with industry to understand issues arising in the private sector; working with consumer advocates to understand consumer expectations in respect of AI; and working with the investment community to increase awareness of the need to incorporate ethical considerations in their AI investment decisions.

Why is Singapore forming such an Advisory Council?

AI is becoming an increasingly integral part of life in Singapore as the Government executes its “Smart Nation” initiative. For example, local bank OCBC has developed an AI-based automated chat system called Emma that can communicate with customers and work out home loans; scientists at A*STAR’s Genome Institute of Singapore are using AI to pinpoint the roots of gastric cancer by scanning the entire genomes of a few hundred gastric cancer tumours; and researchers from the Saw Swee Hock School of Public Health and Singapore’s National Environment Agency have developed an AI agent to forecast dengue incidence up to four months ahead by learning the seasonal patterns of dengue cases over the last decade. These are just a few recent use cases as, with top-down support from the Government, Singapore embarks on an effort to position itself as a global centre of excellence in AI. Putting in place the Advisory Council, as part of a wider set of initiatives in the AI space, is the start of an effort to build a framework for trust in AI.

What does “ethics” mean in this context?

In making the announcement, the Infocomm Media Development Authority (IMDA) provided its own definition of “ethics” in the context of AI: “Ethics encompasses issues surrounding fairness, transparency and the ability to explain an AI’s decision.” This is a concept that will no doubt develop in the coming years but by providing a definition and, in particular, emphasising a need for AI to be able to explain itself, the IMDA appears to be setting out in general terms what it considers to be “ethical” in the context of AI.

What else is Singapore...

Singapore’s new Cybersecurity Bill: What’s changed and what happens next
Jan18

Singapore has taken a step closer to passing its first Cybersecurity Act. On 8 January 2018, Singapore’s first Cybersecurity Bill was read in Parliament. This Bill is an updated version, and was revised following a public consultation process on the initial draft Bill in July 2017. The government received 92 submissions from a diverse range of stakeholder groups, and the consultation was extended in response to requests for more time to provide feedback, reflecting the level of interest in this legislation.

This updated Bill is a timely and important development in view of increasingly sophisticated cyber-attacks that could potentially cause major disruptions to Singapore’s economy. The intention behind this Bill is to have a coordinated national approach to cybersecurity, and ensure that critical information infrastructure (CII) across all sectors is protected consistently.

We summarised the key provisions in the previous Bill in our earlier post. In this post, we summarise the key changes introduced by the updated Cybersecurity Bill:

What has changed?

1. Critical information infrastructure. This updated Bill tightens certain important definitions, and acknowledges that the owners of CII may not always be best placed to ensure that the statutory obligations are fulfilled. The key changes are as follows:

Definition of CII. The definition of CII has been tightened and will only include those computers or computer systems that have been designated as such by the Commissioner.

Definition of owners of CII. Owners of CII, who will need to comply with the relevant statutory obligations under the Bill, are now defined as legal owners (instead of someone with effective control over the CII etc.). The Cyber Security Agency of Singapore (CSA), in its end-of-consultation report, further clarified that computer systems in the supply chain supporting the operation of a CII will not be designated as CII, and therefore third party vendors will not be considered owners of CII. These are positive developments as there is now certainty over the imposition of statutory obligations.

Responsibility for compliance. There is also now a mechanism for owners of CII to request the Commissioner to address the notice for compliance to another person under certain conditions (e.g. if the owner does not have effective control over the operations of the CII). This acknowledges that owners may not also be operators of the CII, and are hence not best placed to ensure that the statutory obligations are fulfilled.

2. Government power to access data. Some of the responses expressed concerns about the government’s broad rights to access information and systems. However, the broad powers granted to the Commissioner to access physical and digital assets have, if anything, been increased further. Although the degree...

New opportunity for Singapore banks: MAS expands scope of permissible activities
Oct10

On 29 September 2017, the Monetary Authority of Singapore (MAS) released a public consultation paper to relax the anti-commingling rules for banks. This is a follow-up from the Minister for Finance’s announcement in June 2017 that these rules will be further adjusted. See our previous post on the announcement here.

Since the introduction of the prohibition on banks carrying out non-financial businesses more than a decade ago (the anti-commingling rules), the banking landscape has evolved. Technological advancements have disrupted traditional banking business models. Today, consumers can access financial and related non-financial services seamlessly. Banks are also facing competition from non-financial players who are leveraging their large user bases to provide e-payments and other financial services.

MAS acknowledges this new environment, and recognises that the anti-commingling rules can be simplified and adjusted. MAS’s proposals will allow banks to broaden and better integrate their financial services. Crucially, the adjusted rules will continue to ensure that banks remain focused on their core banking business and competencies, and avoid potential contagion from the conduct of non-financial businesses (the core policy objectives).

The following are the key proposals under this public consultation paper:

Streamlining the conditions to carry out non-financial businesses. Currently, banks are allowed to carry out non-financial businesses, but only upon compliance with certain minimum requirements. These requirements are onerous and include the requirement to obtain prior approval from the banks’ parent supervisory authorities. MAS proposes to simplify the rules by removing this requirement, subject to certain conditions. The primary condition is that the aggregate size of all non-financial businesses cannot exceed 10% of the bank’s capital funds. This is to limit contagion risks and ensure that banks remain focused on their core financial business.

Broadening the scope of permissible non-financial businesses. MAS acknowledges that the online purchase of goods and services and the use of e-payment services are becoming increasingly integrated. Many non-financial entities are also starting to deliver financial services through their online platforms. MAS proposes to broaden the scope of permissible non-financial businesses to enable banks to better compete against such non-financial players in this new digital economy. The proposal allows banks to engage in: (i) operating online platforms that match buyers and sellers of consumer goods or services; (ii) sale of consumer goods or services via online platforms; and (iii) any business incidental to (i) and (ii) including the provision of logistic services to deliver goods to consumers. MAS also proposes to allow banks to engage in: (i) sale of software or systems originally developed by the bank for its financial business; and (ii) entering into tie-ups to sell or provide products or services (which the counterparty...

3 Things you need to know about Singapore’s proposed changes to Data Protection
Jul31

On 27 July 2017, the Personal Data Protection Commission of Singapore (PDPC) issued a public consultation paper on managing personal data in the digital economy. The consultation paper seeks to better facilitate the use of personal data in the digital economy through changes to the consent requirements and at the same time seeks to ensure that security standards are uplifted through the introduction of mandatory breach notification.

The consultation paper is a step in the right direction for Singapore on its Smart Nation journey given the importance of data analytics in the digital economy, whilst the mandatory breach notification provisions align the Singapore data protection regime with that of Singapore’s draft Cybersecurity Bill which was recently introduced. The consultation paper demonstrates that the PDPC recognises the importance of data for innovation and growth, and has proposed changes to ensure the regulatory environment keeps pace with evolving technology in enabling innovation, while ensuring effective protection for individuals’ personal data in the changing landscape.

The following are the 3 key things you need to know about the PDPC’s proposed changes:

Notification of purpose can be sufficient. Although the PDPC proposes that organisations should still seek consent for collecting, using and disclosing personal data where practicable, it recognises the need to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public. The PDPC recommends that notifying individuals of the purpose can be sufficient where: (i) it is impractical to obtain consent (and deemed consent does not apply); and (ii) the collection, use or disclosure of personal data is not expected to have any adverse impact on individuals. However, when using this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise.

Consent (or notification) not needed where it is for a legitimate purpose. Under the current personal data protection regime, except where an exemption applies, organisations are not allowed to collect, use or disclose personal data without consent even for a legitimate purpose if this is not expressly provided for or required under any written law (e.g. the sharing and use of personal data to detect and prevent fraudulent activities). As such, the PDPC proposes to update the law so that organisations will be able to collect, use or disclose personal data without consent where: (i) it is not desirable or appropriate to obtain consent; and (ii) the benefits to the public clearly outweigh any adverse impact or risks to the individual. Again, when relying on this exception, organisations have to conduct a risk and impact assessment...

Introducing Singapore’s new draft Cybersecurity Bill
Jul12

On 10 July 2017, Singapore’s long-awaited draft Cybersecurity Bill was introduced. This is a timely development, especially in view of recent cybersecurity attacks such as the Advanced Persistent Threat attacks targeting two of Singapore’s universities and the global WannaCry and Petya / Petna malware attacks.

As a small and highly connected nation, Singapore is dependent on info-communications technology, and cybersecurity threats need to be taken seriously. Attacks on critical information infrastructure (CII) systems that manage utilities, healthcare, transportation and other essential services can lead to disruptions that can cripple Singapore’s economy and lead to loss of life.

Even though the current Computer Misuse and Cybersecurity Act (CMCA) already has some provisions on cybersecurity, it primarily concerns cybercrime such as e-commerce scams and hacking. This draft Cybersecurity Bill caters more broadly to the security of a computer or computer system against unauthorised access or malicious acts, to preserve their availability and integrity, or the confidentiality of information stored or processed in them.

The intention behind the draft Cybersecurity Bill is to have a coordinated national approach to cybersecurity, and ensure that CIIs across all sectors are protected consistently. Its provisions will apply equally to both public and private sectors.

The following are the key provisions under the draft Cybersecurity Bill:

Appointment of Commissioner and Powers. The powers of the Cybersecurity Bill will vest in the Commissioner of Cybersecurity, who has various functions including the overseeing and maintenance of cybersecurity in Singapore.

Critical Information Infrastructure. CIIs are computers or computer systems that are necessary for the continuous delivery of essential services that Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defence, foreign relations, economy, public health, public safety or public order of Singapore. Currently, essential services have been identified in 11 sectors, including utilities, banking and finance, media, info-communications, healthcare and transportation. The owners of CIIs, which are defined as persons with, amongst others, effective control over the operations of the CII, have certain statutory duties, including the duty to comply with codes and directions, to conduct audits and risk assessments, to report cybersecurity incidents including any incident that occurs in respect of the CII and any incident that occurs in respect of any computer or computer system under the owner’s control that is interconnected with or communicates with the CII, and to participate in cybersecurity exercises.

Responses to Cybersecurity Threats and Incidents. If there is a cybersecurity threat or incident, the Commissioner can choose to investigate it in order to determine its impact, to prevent further harm and to prevent further incidents. These investigative powers can be delegated to authorised...
