On June 27, the Monetary Authority of Singapore announced that banks will soon be allowed to invest in and operate digital platforms that offer complementary services to the banks’ financial businesses, including e-commerce and online shopping.
In his speech, Singapore’s Minister of Finance Heng Swee Keat explained that this development is driven by increasing competition faced by banks from online and nonfinancial players that have “leveraged their large user base” to provide digital wallets, payments and remittance services.
While it is certainly not news that businesses seek to acquire and monetize consumer data, as businesses become increasingly digital such data has become far more ubiquitous and valuable than ever before. This is keenly recognized in Singapore, which aspires to be the world’s first Smart Nation.
With the relatively recent enactment of Singapore’s Personal Data Protection Act 2012, data protection is fast emerging as a key consideration in commercial transactions, particularly ones involving the acquisition of data.
The act prescribes nine main data protection obligations for all private-sector organizations to comply with.
In relation to an asset transaction involving personal data specifically, there is an exception to consent which permits an organization to collect, use and disclose personal data, whether that of customers, employees, directors, officers or shareholders, without seeking their consent, provided the relevant criteria are fulfilled.
Before the transaction is entered into, the act exempts a prospective party from having to obtain consent to collect, use or disclose personal data if such data is “necessary for an organisation to determine whether to proceed” with the transaction. The act does not define “necessary”, and the data must in any event “relate directly” to the assets with which the transaction is concerned, so the question is likely to be fact specific.
For instance, if the core assets of a digital start-up are its co-founders and key employees who possess highly specialized technical know-how, then these individuals’ personal data would arguably be necessary for a prospective acquirer to determine whether to proceed with the potential investment. Conversely, where the target is a large online retail marketplace on which users buy and sell second-hand goods, it would be harder to justify that the personal information of all end-users is equally necessary.
There may also be a potential argument that insofar as an acquiring party is obliged under Singapore’s Employment Act to ensure that the terms of employment of employees affected by a transfer of employment are no less favorable to them post-transfer, the acquirer would need to access relevant employment records containing personal data of the affected employees.
The definition of “business asset transaction” in the act makes it clear that transactions in which personal data itself is traded are excluded from the above consent exemption. To rely on the exception, parties must also have entered into an agreement restricting the use and disclosure of that data to purposes solely related to the transaction. Specific contractual provisions could be drafted to address such obligations in relation to personal data, along with appropriate provisions on data security, and these would be in addition to the typical confidentiality undertakings which parties may agree to and stipulate in a nondisclosure agreement before the commencement of due diligence.
After the transaction has been entered into, there is a similar exception in the act for the acquirer to be able to collect and use relevant individuals’ personal data without the need for consent. This is subject to conditions: The acquirer may only use or disclose such data for the same purposes as the selling entity (seller) is permitted, and relevant individuals must also be notified of the transaction that has taken place and that their data has been disclosed.
After completion of the transaction, the acquirer is bound to comply with all applicable data protection obligations under the act, including honoring any valid withdrawal of consent requests and/or access and correction requests, as well as implementing reasonable data security and retention measures as are appropriate.
If, on the other hand, the transaction fails to reach completion, then the act obliges a receiving party to destroy or return to the disclosing organization all personal data collected.
While it is helpful to be aware of the act with a view to complying with its applicable obligations, it is equally useful to consider data protection in a broader commercial context when dealing with an asset transaction.
For example, at the due diligence stage of a potential transaction, parties should determine whether it is necessary for specific categories of personal data to be shared. As an illustration, while the data of existing customers and employees may be relevant for an acquirer to decide whether to proceed with the transaction, the data of former employees may be less so. There is also the question of the extent and volume of data to be requested; depending on the nature of the target’s business, it may, for instance, be sensible to exclude or at least limit the disclosure of historical customer information to a specified period (e.g. three years) prior to due diligence.
Finally, parties should also consider the appropriate level of detail to be disclosed, given that data which is more sensitive, subject to sector-specific regulation, or relates to minors would likely generate more risk.
Additionally, due diligence should involve a review of the target’s compliance with its obligations under the act. Non-exhaustively, this may include assessing:
- the adequacy of external privacy policies and internal standard operating procedures;
- the duties of the data protection officer (whose appointment is mandated by the act);
- the sufficiency of technical, administrative and organizational data security measures;
- standard procedures relating to requests for access, correction, withdrawal of consent and/or complaint handling;
- data incident management and response plans;
- third-party contracts;
- cross border transfer agreements;
- staff training on the act;
- the occurrence and reporting of data protection-related incidents and/or violations.
It would be prudent for parties to properly document such findings, and a good starting point would be to involve external legal counsel in the preparation of the due diligence checklist so as to ensure sufficient coverage is accorded to these issues. Documented findings also make it easier for the acquirer to identify any gaps subsequently and take the necessary steps toward an appropriate level of compliance post-completion.
The MAS is expected to conduct a consultation on its proposal to allow banks to acquire digital platforms by September. It is hoped that further guidance will also be provided in due course, to offer clarity on specific issues like data protection and how consumer data is to be treated in such transactions. As Singapore has adopted the comprehensive model of data protection, the act applies to all private-sector organizations and violations are enforced by the Personal Data Protection Commission. Entities operating in certain sectors, however, such as financial services, may be subject to additional requirements imposed and enforced by sectoral regulators, like the MAS.
In the meantime, as data protection law and enforcement in Singapore continue to mature and evolve steadily, data privacy and security considerations will no doubt feature prominently as an important component of commercial transactions.