Singapore’s Personal Data Protection Commission (PDPC) released a public consultation on 22 May 2019 relating to data portability and data innovation under the Personal Data Protection Act (PDPA).
- The proposed data portability obligation would impose a mandatory obligation on organisations to provide an individual’s data at their request to another organisation in a commonly used machine-readable format.
- The proposed data innovation clarifications would exempt organisations from: (a) notifying individuals of and seeking their consent to use personal data for “business innovation purposes”; and (b) complying with the access, correction and proposed data portability obligations in respect of “derived personal data”.
- This PDPC is now seeking feedback on these proposals. The deadline to submit feedback is 3 July 2019.
The proposed changes at a glance
Proposed Data Portability Obligation
- Who does the obligation apply to? All organisations to which the PDPA applies, except for data intermediaries.
- What is the scope of the obligation? Upon request from an individual, an organisation must provide the individual’s data in its possession or under its control to another organisation that has a presence in Singapore in a commonly used machine-readable format. This is subject to compliance with a prescribed process for dealing with such requests that includes verification of the request and allowing the individual to verify the data before it is ported. Please see the graphic below for more details.
- What data is subject to the obligation? Any data in electronic form: (i) provided by the individual to the organisation; and (ii) generated by the individual’s activities in using the organisation’s product or service. This is not limited to personal data and may include non-personal data, such as business contact information. However, personal data collected lawfully without consent (e.g. where authorised under the PDPA or other law) is not included.
- Are there any exceptions to the obligation? These would be the same as the exceptions to the existing Access Obligation, save for the exceptions where fulfilling the request would: (i) reveal personal data about another individual; (ii) reveal the identity of the individual who has provided the personal data and that individual does not consent to the disclosure of his/her identity. The data portability obligations must still be fulfilled in those situations.
- What are the penalties for non-compliance? The PDPC has the power to review refusals to port data, failure to port data within a reasonable time, and the fees imposed for porting data. Breaches of the proposed data portability obligation would be subject to the same penalty framework as the rest of the PDPA.
Proposed Data Innovation Provisions
PDPC is proposing clear provisions outlining how organisations can use data for business innovation purposes.
- New concept of “business innovation purpose”. This refers to the use of personal data for the purposes of operational efficiency and service improvements, product and service development or knowing customers better.
- Proposed exceptions to notice and consent obligations for “business innovation purpose”. The PDPC proposes that organisations may use personal data for business innovation purposes without having to notify individuals of or obtain consent for these purposes. This extends to situations where the individual has withdrawn consent for the organisation to use or disclosure their personal data.
- New concept of “derived data” and “derived personal data”. “Derived data” refers to new data that is created through processing of other data by applying business-specific logic or rules, and “derived personal data” is any “derived data” that is also personal data under the PDPA.
- Proposed exceptions to access and correction obligations for “derived personal data”. PDPC proposes that organisations not be required to comply with data subject access and correction requests in relation to ‘derived personal data’ However, the organisation would still be required to comply with the other obligations under the PDPA in respect of derived personal data (e.g. they must furnish the individual with information about the ways in which the derived personal data has been used or disclosed within one year upon request).
The PDPC is now welcoming comments on the proposed provisions by Wednesday, 3 July 2019.