Planning for Privacy Compliance in 2014: The Singapore Personal Data Protection Act

GM’s recent decision to move its international operations headquarters from Shanghai to Singapore reflects Singapore’s continued transformation from a regional business hub to a global business center. Where business moves, data moves with it. So, as we begin to anticipate privacy law changes coming in the year ahead, it is worth focusing on the Singapore Personal Data Protection Act (the “Act”), which will be enforced beginning July 2, 2014.

The Act establishes a general framework for the protection of “Personal Data” – data about an individual who can be identified from that data or from that data and other data to which an organization has or is likely to have access. The Act requires that before a private organization collects or otherwise processes Personal Data it inform the concerned individual of the purpose of such processing and obtain the individual’s consent. The processing must be for a reasonable purpose. Consent may be either expressed or implied under the circumstances. The Act also requires that individuals be given the opportunity to access their Personal Data and have it corrected.

The Act leaves it to the Singapore Personal Data Protection Commission (“Commission”) and Singapore’s various industry regulatory agencies to provide detailed rules with regard to the collection, use, and disclosure of personal information as well as any data breach notification requirements applicable to particular types of Personal Data, such as financial and health information.

Transfers of Personal Data outside of Singapore are permitted if the transferring organization complies with the Act’s requirements to ensure that the receiving organizations provide protection comparable to that under the Act. In its February 5, 2013 Public Consultation, the Commission indicated that the use of contract clauses (outlined in the Public Consultation) and the use of binding corporate rules would be two alternative ways to satisfy these transfer requirements.

On September 27, 2013, the Commission released advisory guidelines, which explain key concepts of the Act and explore selected topics, indicating how the Commission may apply the Act when enforcing it. Among other things, the guidelines discuss (1) the nine main obligations with which organizations are required to comply regarding their processing of Personal Data, (2) anonymisation, and (3) the treatment of IP addresses and cookies. The guidelines also provide instructive examples. In the future, look for further Commission guidance as well as regulations implementing the Act.