Singapore seeks to introduce new data portability obligation
Jun04


Key Takeaways

Singapore’s Personal Data Protection Commission (PDPC) released a public consultation on 22 May 2019 relating to data portability and data innovation under the Personal Data Protection Act (PDPA).

The proposed data portability obligation would impose a mandatory obligation on organisations to provide an individual’s data, at their request, to another organisation in a commonly used machine-readable format.

The proposed data innovation clarifications would exempt organisations from: (a) notifying individuals of, and seeking their consent to, the use of personal data for “business innovation purposes”; and (b) complying with the access, correction and proposed data portability obligations in respect of “derived personal data”.

The PDPC is now seeking feedback on these proposals. The deadline to submit feedback is 3 July 2019.

The proposed changes at a glance

Proposed Data Portability Obligation

Who does the obligation apply to? All organisations to which the PDPA applies, except for data intermediaries.

What is the scope of the obligation? Upon request from an individual, an organisation must provide the individual’s data in its possession or under its control to another organisation that has a presence in Singapore, in a commonly used machine-readable format. This is subject to compliance with a prescribed process for dealing with such requests, which includes verification of the request and allowing the individual to verify the data before it is ported. Please see the graphic below for more details.

What data is subject to the obligation? Any data in electronic form: (i) provided by the individual to the organisation; and (ii) generated by the individual’s activities in using the organisation’s product or service. This is not limited to personal data and may include non-personal data, such as business contact information. However, personal data collected lawfully without consent (e.g. where authorised under the PDPA or other law) is not included.

Are there any exceptions to the obligation? These would be the same as the exceptions to the existing Access Obligation, save for the exceptions where fulfilling the request would: (i) reveal personal data about another individual; or (ii) reveal the identity of the individual who has provided the personal data, where that individual does not consent to the disclosure of his/her identity. The data portability obligation must still be fulfilled in those two situations.

What are the penalties for non-compliance? The PDPC has the power to review refusals to port data, failures to port data within a reasonable time, and the fees imposed for porting data. Breaches of the proposed data portability obligation would be subject to the same penalty framework as the rest of the PDPA.

Fig. 1 Handling Data Portability Requests: Key Obligations

Proposed Data Innovation Provisions

PDPC is proposing clear...

Singapore cracks down on privacy breaches
Apr25


Singapore’s data protection regulator, the Personal Data Protection Commission (PDPC), has been cracking down on breaches of the Personal Data Protection Act (PDPA). It has just released a set of Data Protection Enforcement Cases, which includes a list of enforcement actions taken against 11 organisations for breaching the PDPA. This provides an insight into the approach the authorities will take to enforcing what is still a relatively new law.

According to the reported enforcement cases, four organisations were fined, with fines ranging from S$5,000 to S$50,000 (about USD 3,700 to USD 37,000), and seven others were issued warnings or directions.

The PDPC looked at various factors when determining the severity of breaches, such as the extent to which the organisations had data protection policies and processes in place, the time taken to remedy the breach, the number of affected individuals and the type of personal data involved.

The highest fine of S$50,000 (about USD 37,000) was imposed on K Box Entertainment Group for failing to have in place adequate security measures to protect its members’ personal data, resulting in details of 317,000 members being leaked online in September 2014.

An IT vendor, Finantech Holdings, which was engaged by K Box to develop and manage K Box’s Content Management System, was also found liable and fined S$10,000 (about USD 7,400) as a data intermediary for K Box.

As with all published enforcement actions, the reputational implications tend to be at least as significant as any other penalties.

Since the PDPA came into force in July 2014, the PDPC has received 667 complaints in total, of which 92% were resolved by investigation and facilitation between the respective complainants and organisations. Common issues raised in these complaints involved unauthorised personal data processing and a lack of data protection measures in place.

So what does this mean for organisations in Singapore?

These enforcement cases confirm that although the PDPA is generally regarded as a “business-friendly” regulation which is not intended to stifle data innovation, the PDPC is clearly willing to intervene when organisations fall short of the required standards. Given the reputational and financial implications of these high-profile enforcement actions, organisations will need to look carefully at their processes and policies to ensure they are...
