10 in 2010: A Chat with Lawrence Tan

As part of our ongoing celebration of the IAPP’s tenth year, the

spoke with longtime member Lawrence Tan, CIPP, CIPP/G, about how--all the way from Singapore--he became a certified information privacy professional and Singapore’s data protection landscape.

I’ve been involved in a number of data protection and privacy initiatives over the years, mainly on behalf of the Singapore Government. I participated in the development of Singapore’s Model Data Protection Code for the Private Sector, the accreditation standard behind Singapore’s e-commerce trustmark program, TrustSg, (which incorporates the Model Data Protection Code as a component) as well Singapore’s spam control framework. It was in the context of this work that I became aware of the IAPP in 2005 and started to participate in IAPP conferences. One thing led to another, and before I knew it, I had become a CIPP! The training and, more importantly, the networks have been helpful in my subsequent engagements in this area, and it has been a great privilege to work with IAPP colleagues in the region, amongst others, in forging a distinctive Asia-Pacific privacy model. I was, for a period, a member of the APEC Privacy Sub-group and had, in a different capacity, chaired an initiative by the Asia Trustmark Alliance to develop substantive minimum criteria to support the cross-recognition of regional trustmark programs (which incorporates the APEC Privacy Principles as a component). The IAPP networks remain relevant in my current portfolio, which involves consulting with Singapore’s Ministry of Health on the development of a smart regulatory framework for personal health information.

I think data protection legislation raises many challenges that defy easy answers. I would also suggest that these are not unique to Singapore—other Asia Pacific nations face them as well. Firstly, the concept of privacy itself is not culturally neutral. As the concept has evolved in the West, it enshrines the primacy of individual autonomy, which does not resonate to the same extent in more communitarian cultures. Given the different cultural expectations and historical development paths, I would suggest that many Asian jurisdictions see the issue through the lens of consumer trust and protection rather than as a fundamental human right. This opens the door to more pragmatic approaches than prescriptive EU-style data protection laws. Secondly, there is the familiar tension between reconciling a more general approach to data protection with the need to address the unique requirements of different sectors. While prospective comprehensive lawmaking could lead to unintended consequences, it is also possible to adopt a more incremental, problem-driven approach in addressing emerging privacy issues. Thus, while Singapore has not yet decided to enact general data protection legislation, new laws have been passed to tackle or preempt concerns as they arise. For example, Singapore has had spam control legislation in place since 2007 and is now giving consideration to the need for personal health information legislation as we enter the era of the electronic health record. On the other hand, a case could be made for a blended approach with general data protection legislation providing a baseline level of protection. So I think the jury is still out on this question.