In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Professor Hannah YeeFen Lim offers a comparison of Singapore’s Personal Data Protection Act with the GDPR.
Singapore’s first PDPA was passed October 15, 2012, after a number of consultation rounds that saw a large number of submissions. The end product is a light-touch regime that offers some control to individuals over their personal data, certainly a far cry from the rigorous requirements of the GDPR.
Like the GDPR, the PDPA exerts extraterritorial reach and is explicitly extended to those who may not have any presence in Singapore or which may not even be recognized under the law of Singapore. The definition of personal data in the PDPA is, in effect, similar to the GDPR, and it is similarly a technology-neutral definition. This, however, may be where the similarities end.
Limited scope
The PDPA has limited scope and does not apply to all personal data processing activities; most notably, it does not apply to the activities of the public sector or any organization acting as an agent of a public agency in processing personal data. Further, business contact information has effectively been excluded entirely from the operation of the PDPA. Also excluded from much of the PDPA obligations are data intermediaries, although data intermediaries do need to abide by the provisions on the protection of personal data and on the deletion of personal data once its retention no longer serves the purposes for which it was collected.
Consent
One of the major operational differences between the PDPA and GDPR concerns consent. At first glance, it may appear that consent is the legal basis for data processing under the PDPA. Section 13 requires consent to be given before personal data is collected, used or disclosed. It explicitly provides in Section 14 that consent that is obtained without first notifying the individual of the purpose(s) is not valid consent, nor is the consent valid if false, misleading or deceptive practices have been utilized. Further, the PDPA prohibits an organization from requiring an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual.
The actual operation of the consent provision, however, stands in stark contrast with the GDPR because of the extensive exemptions listed in the PDPA, as well as the notion of deemed consent found in Section 15 of the PDPA. Consent can be deemed from an individual if the individual, without actually giving consent, voluntarily provides the personal data to the organization for that purpose, and it is reasonable that the individual would voluntarily provide the data. This provision is clearly aimed at achieving operational efficiency, where the purposes and consent do not need to be expressed or verbalized at all. Such a lax provision encourages organizations to process personal data without first obtaining consent and to append additional purposes that may not necessarily have been envisaged by the individual data subject. The GDPR does not allow for the concept of deemed consent at all; processing of personal data on the basis of consent requires the consent to be unambiguous, explicit, expressed and freely given (Article 4).
Consent is not required under the PDPA if the data processing falls within the purview of the Section 17 exemptions. Section 17(1) provides that personal data can be collected without consent in the circumstances set out in the Second Schedule. Sections 17(2) and 17(3) similarly provide that personal data can be used and disclosed without consent in the circumstances set out in the Third and Fourth Schedules respectively. These Schedules contain wide exemptions, such as if the personal data is publicly available, if the use is necessary for evaluative purposes (evaluative purpose is widely defined), or if the personal data is collected solely for artistic or literary purposes. These exemptions are so broad that they move far beyond the grounds other than consent that are set out in the GDPR (Article 6) for the processing of personal data.
Section 16 of the PDPA allows consent to be withdrawn, even consent that has been deemed, and organizations are not permitted to prohibit an individual from withdrawing consent. However, if consent is withdrawn, whatever legal consequences arise from the withdrawal will have to be borne by the individual, and the organization has the responsibility to inform the individual of the likely consequences of the withdrawal of consent. Once a withdrawal of consent has been received by an organization, it must cease, and ensure its data intermediaries and agents also cease, collecting, using or disclosing the personal data, as the case may be. There is no requirement for the organization to inform third parties of the withdrawal of consent; thus, the onus lies on the individual to seek out the other organizations and withdraw consent. There are a number of exceptions to the withdrawal of consent, such as if the collection, use or disclosure is required by law, or if it is necessary for legal or business purposes.
The GDPR stipulates that consent must be given by someone with the legal capacity to do so. The GDPR sets a threshold of 16 years of age for consent, although this can be lowered by individual countries to between 13 and 16 years of age. Unlike the GDPR, the PDPA does not stipulate a minimum age of consent, choosing to leave it to other general rules of law to determine the question of capacity.
Data minimization
The GDPR mandates that only personal data that is necessary for the purpose can be collected. The data minimization principle in Article 5 requires that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected and/or further processed. There is no such principle under the PDPA, and any personal data that is remotely relevant to the purpose can be collected.
Purposes
The GDPR requires that personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5). This is a much higher standard to satisfy than the standards adopted in the PDPA, which refers not to legitimate purposes but to a test of reasonableness in some instances and in others, merely a test of the appropriateness of the purpose as judged by a reasonable person (Section 18). Further, as mentioned above, under the PDPA, the purposes need not be specified nor explicit in the case of deemed consent.
Access, correction and erasure
The GDPR provides extensive provisions allowing data subjects to access, correct and block their personal data, and even grants a right to erasure (Article 17). The PDPA only allows access and correction of personal data, and even these are very limited in nature. Section 21 of the PDPA allows an individual to request access to personal data held by an organization and to information concerning its use or disclosure in the preceding one year. This right to request access is, however, subject to many exceptions. Similarly, Section 22 of the PDPA grants a right to request correction of personal data held by an organization that is inaccurate due to error or omission. However, organizations can, on reasonable grounds, choose not to correct the data. If an organization decides against correction, the personal data should be annotated with the correction that was requested but not made. There are also numerous exceptions to this right.
Any notion of a right to erasure in the PDPA might come from Section 25, which requires personal data to be destroyed or deidentified once its retention no longer serves any legal, business or other purpose. This, however, is extremely limited in scope and certainly, unlike the GDPR, could not be relied upon to compel the erasure of publicly available personal data on websites.
Accuracy and completeness
Article 5 of the GDPR stipulates that personal data that is processed should be accurate and, where necessary, kept up to date. There is no such requirement under the PDPA. Section 23 of the PDPA requires organizations to make a reasonable effort to ensure that personal data collected by or on behalf of the organization is accurate and complete. However, this “reasonable effort” required is not an absolute requirement as organizations are only required to do this if the personal data is likely to be used by the organization to make a decision that affects the individual to whom the personal data relates or if it is likely to be disclosed by the organization to another organization.
Protection of personal data
Section 24 of the PDPA requires organizations to protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. The PDPA obligations are in line with the GDPR requirements.
There are no mandatory data breach reporting provisions in force in the PDPA. However, the Personal Data Protection Commission has issued a Guide to Managing Data Breaches, which strongly recommends that data breaches be reported, and it also sets out in great detail the kinds of information to be reported, the frequency and the expected timelines, much of which is similar to the GDPR (Articles 33–34).
Transfer limitation
Like the GDPR, the PDPA also has a provision limiting the transfer of personal data outside Singapore. The operation of this provision is set out in the Personal Data Protection Regulations 2014, and it is a codification of the most effective and workable aspects of the solutions currently found in international practice for protecting personal data that is transferred overseas.
Notable differences
The GDPR is the product of more than 30 years of development and fine-tuning. It naturally includes protections not found in the PDPA. The GDPR, for example, grants a right to object to processing due to the data subject’s particular situation, a right to object to processing where it is for purposes of direct marketing activities and profiling, a general right to object to automated individual decisions, and a right to data portability that allows individuals to receive personal data concerning themselves in a structured, commonly used and machine-readable format. The PDPA also notably diverges from the GDPR in that it does not provide extra protection or special handling for sensitive personal data, such as health data, race, ethnicity and religion.
Compliance with the GDPR
With the extended jurisdictional reach of the GDPR, organizations should ascertain the applicability of the GDPR to their operations, develop compliance strategies and implement necessary changes.