-DATA PROTECTION AND PRIVACY-
Proposal To Introduce Data Privacy Legislation In Singapore
The Singapore Government has indicated its intention to introduce data privacy legislation to take effect as early as 2012. The government has stated that the aim of the legislation will be to protect individuals’ personal data against unauthorised use and disclosure for profit and the legislation will likely introduce consent requirements in relation to the disclosure of personal data. A Data Protection Council is expected to be set up to administer compliance with the new legislation.
Ministry of Information, Communications and Arts Issues Paper on Personal Data Protection Bill
The Ministry of Information, Communications and the Arts (MICA) has issued a consultation paper on Singapore’s Personal Data Protection Bill. The Data Protection Bill concerns the regulation of the collection, use, disclosure, transfer and security of personal data. The proposed introduction of a DP regime in Singapore seeks to create a balance between the need to protect individuals’ personal data against organisations’ need to obtain and process such data for legitimate and reasonable purposes. It seeks to protect the interests of consumers and deliver economic benefits for Singapore. The proposed Data Protection regime seeks to safeguard individuals’ personal data against misuse, at a time when such data has become increasingly valuable for businesses and more easily collected and processed with information technology. The legislation will also provide for a Commission, referred to in this paper as the Data Protection Commission (“DPC”), to be set up to oversee compliance with the new Data Protection law and to undertake DP education and awareness efforts. It is believed that this legislation will strengthen and entrench Singapore’s position as a trusted hub for businesses, a key national economic strategy for Singapore. MICA will accept written comments on the paper until 30 April.
Singapore Finally Passes Personal Data Protection Bill
The Singapore parliament finally passed the personal data protection bill that is designed to safeguard an individual’s personal data against misuse. It encompasses a national Do-Not-Call registry and a new enforcement agency will be tasked to regulate the management of personal data by businesses and impose financial penalties. Singapore’s personal data protection law will give individuals more control over their personal data, since they have to give consent and be informed of the purposes for which organizations collect, use, or disclose the information.
They can seek compensation for damages directly suffered from a breach of the data protection rules through private rights of action. The Bill applies to all organizations across the private sector, but does not cover the public sector, which already has its own set of data protection rules with which all public officers must comply. To give time for businesses to adjust, the data protection law will be implemented in a phased approach and will become official by January 2013.
Breach Disclosure ‘Inevitable’ for Singapore Data Protection Law
Public disclosure and notification of companies’ security breaches will “inevitably” be part of discussions in future amendments to Singapore’s upcoming Data Protection Act, as the country looks to keep in line with more mature jurisdictions. Notification of security breaches by companies is already a part of several jurisdictions such as with the European data protection and America’s data protection directive. Singapore is relatively new with its data protection bill not officially enacted yet, therefore it will look to countries with more mature laws for adequacy, or giving its citizens similar level of data protection. Currently, it is not mandatory for organizations to issue data breach notifications. For example, if a Singapore company with international operations is breached, they would have to disclose the breach in countries such as the U.S. where the data protection law states the company has to notify them. However, they do not have to disclose it in Singapore. This could affect companies and the way they do business because of differing regulations, while citizens may question inconsistencies between the local government and those abroad.
Commission Set Up to Administer Now Effective Privacy Law
The Ministry of Communications and Information (MCI) set up in January 2013, the Personal Data Protection Commission (PDPC) and a Data Protection Committee to administer and advise respectively on the Personal Data Protection Act (PDPA). Charmian Aw, Associate Director at Drew & Napier LLC, said “It is widely anticipated that Singapore’s first baseline personal data protection law will not only serve to protect consumer interests, but also improve Singapore’s economic competitiveness through strengthening consumer confidence in the emerging data management industry.” The PDPA was passed in October 2012, however there is a staggered transition period for businesses to adjust their compliance practices in light of the new law. Despite some initial compliance costs involved, the law is anticipated to strengthen Singapore businesses in the long run.