Singapore’s Personal Data Protection Act: A review of the major changes ahead (Part 3): porting and data portability

Singapore’s Personal Data Protection Act (“PDPA”) is slated for major changes in early 2021. This is the third of a four-part series, which examines the amendments listed in the Personal Data Protection (Amendment) Bill (“Bill”) which: do away with a section in the PDPA which currently says that the PDPA’s nine data protection obligations do not apply to organisations acting on behalf of a public agency; and introduce a new Data Portability Obligation.

——

Read more:

——

No exclusion for organisations acting on behalf of public agencies

Under the current version of the PDPA, an organisation in the course of acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data, is excluded from the application of Parts III to VI of the PDPA.¹ (These parts pertain to the nine data protection obligations under the PDPA.)

The Bill will remove this exclusion. The Public Consultation Paper explained that this amendment was based on the recommendations of the Public Sector Data Security Review Committee to ensure the accountability of non-Government third parties handling Government personal data, as there was a legislative gap where such parties were not covered under the PDPA or the Public Sector (Governance) Act 2018.²

Greater consumer autonomy over their personal data

Under this key area, the Bill will introduce a new Data Portability Obligation under a new Part VIB to the PDPA.³ A new section 26F of the PDPA will state that the purpose of the Part VIB is to:

provide individuals with greater autonomy and control over their personal data; and
facilitate the innovative and more intensive use of specified personal data in the possession or control of organisations to support the development, enhancement, and refinement of products and services provided by other organisations located or operating in Singapore or elsewhere.

In the PCP, the Ministry of Communications and Information and the Personal Data Protection Commission said that the Data Portability Obligation would allow individuals to switch to new service providers more easily, preventing consumer lock-in.⁴

Under the Data Portability Obligation and a new section 26G, a “porting organisation” must, upon receiving a request from an individual that the organisation transmit to a “receiving organisation” any “applicable data” specified in the request (“data porting request”), transmit that data to the receiving organisation in accordance with any prescribed requirements.

Two pre-conditions to this obligation are:

(1) the data porting request must satisfy any prescribed requirements; and

(2) the porting organisation must have an “ongoing relationship” with the individual at the time it receives the individual’s data porting request.

Unpacking section 26G:

The Bill defines “porting organisation” as an organisation that is or belongs to a class of organisations that is, prescribed.
“Receiving organisation” is defined as an organisation that receives applicable data from a porting organisation, and that is: (a) formed or recognised under the law of Singapore or an applicable country, or (b) resident or has an office or place of business in Singapore or an applicable country.
“Ongoing relationship” is defined as a relationship on an ongoing basis between the individual and the porting organisation, arising from the carrying on or conduct of a business or activity (whether commercial or otherwise) by the porting organisation.

Under the PDPA, “organisation” is defined to include any individual, company, association, or body of persons, corporate or unincorporated, whether or not formed or recognised under the Singapore law; or resident, or having an office or place of business in Singapore.

So the definition of “porting organisation” indicates that the obligation to transmit “applicable data” may apply to organisations both in Singapore and overseas, but only to those organisations which are “prescribed”. The definition of “receiving organisation” further narrows the scope of application of the Data Portability Obligation to primarily organisations in Singapore.

However, the wording of the definitions still gives PDPC latitude to “extend data portability to like-minded jurisdictions with comparable protection and reciprocal arrangements” in the future.⁵

Further unpacking section 26G, and in relation to “applicable data”:

“Applicable data” is defined as any personal data in the possession or control of the porting organisation that is, or belongs to a class of personal data that is, prescribed to be applicable data.
In addition, section 26F(2) says that the Data Portability Obligation only applies to applicable data that: (a) is in electronic form on the date that the porting organisation receives the data porting request; and (b) was collected or created by the porting organisation within the prescribed period before the date on which the porting organisation receives the data porting request.
It does not matter whether the applicable data is stored or processed in, or transmitted from, Singapore or a country or territory other than Singapore.

Two exceptions to the Data Portability Obligation

Under the first exception, the porting organisation has a choice not to transmit certain prescribed applicable data such as:

Opinion data kept solely for an evaluative purpose.
Personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation.⁶ (The PCP explained that this exception seeks to protect commercially sensitive information and safeguard the inventive for organisations to innovate, by ensuring that “first movers” who bring to market innovative products or services are not prejudiced by the Data Portability Obligation and subject to unfair competition from “fast followers”.)⁷
“Derived personal data”, which is defined in the Bill to mean personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, that is in the organisation’s possession or control.⁸ An example is data that is derived by the organisation using simple sorting or common mathematical functions like averaging and summation.⁹

The porting organisation also has a choice not to transmit applicable data in certain situations, for example where the transmission will unreasonably interfere with that organisation’s operations because of the repetitious or systematic nature of the data porting request, the burden or expense of transmission is unreasonable to the porting organisation or disproportionate to the individual’s interests, or the data porting request is frivolous or vexatious.¹⁰

Under the second exception, the porting organisation must not transmit applicable data about an individual if:¹¹

(a) the transmission can reasonably be expected to:

(i) threaten the safety, or physical or mental health, of an individual other than the individual to whom the applicable data relates;

(ii) cause immediate or grave harm to the safety, or physical or mental health, of the individual to whom the applicable data relates; or

(iii) be contrary to the national interest;

(b) the receiving organisation is or belongs to a class of organisations that is prescribed as excluded; or

Reasons must be provided for non-transmission

If a porting organisation for any reason does not transmit any applicable data about an individual despite the data porting request, that organisation must notify the individual of the refusal within the prescribed time and in accordance with the prescribed requirements.¹²

Where another individual’s personal data would also be transmitted

If, in giving effect to a data porting request by an individual (P), the personal data of another individual (T) would also be transmitted to the receiving organisation, the porting organisation may disclose T’s personal data without T’s consent only if the data porting request:¹³

(a) Is made in P’s personal or domestic capacity; and

(b) Relates to P’s user activity data or user-provided data.

The receiving organisation is restricted to using T’s personal data only for the purpose of providing any goods or services to P.¹⁴

MCI and PDPC explained that these sections cater to the case where user provided and user activity data include personal data of third parties, and ensure that the Data Portability Obligation is balanced, reasonable, and pragmatic, as it would be impractical for the receiving organisation to have to obtain consent from every third party. It would also be onerous for organisations to have to redact the personal data of third parties who have not provided their consent. Third, if the requesting individual is making the porting request in his / her personal or domestic capacity, the third party’s interests would be unlikely to be adversely affected.

Timeline, and other data portability requirements

MCI and PDPC said in the PCP that the Data Portability Obligation would only come into effect with the issuance of Regulations.¹⁶ It is uncertain when this might be, as the PCP indicated that the PDPC would be consulting industry and relevant sector regulators in developing the requirements that would apply the porting of specific datasets, and those requirements would be part of the Regulations.

The PCP also said that PDPC intends to prescribe the following matters in the Regulations:¹⁷

A list of data categories to which the Data Portability Obligation applies, so as to reduce compliance costs and provide certainty for individuals and organisations.
Technical and process details to ensure that correct data is transmitted safely to the right receiving organisation, and in a usable form.
Data porting request models – consumers would be able to making the data porting request to the porting organisation (push model), or through the receiving organisation (pull model).
Safeguards for individuals, such as cooling off periods for certain datasets to give consumers time to change their minds and withdraw a porting request, and the establishment of a list of organisations to which porting organisations may justifiably refuse to port data.

Darren Grayson Chng is our International Associate Editor for Singapore

——

_{Notes & references}

_{1 See clause 4(1)(c) of the PDPA.}

_{2 See para 28 of the PCP.}

_{3 See clause 13 of the Bill.}

_{4 See paras 7c) and 44 of the PCP.}

_{5 See para 45c) of the PCP.}

_{6 See Part 1 of the new Twelfth Schedule, under clause 39 of the Bill.}

_{7 See para 48 of the PCP.}

_{8 Clause 2 of the Bill at p 2.}

_{9 See para 49 of the PCP.}

_{10 See Part 2 of the new Twelfth Schedule, under clause 39 of the Bill.}

_{11 Section 26H(6) at pp 19 – 20 of the Bill.}

_{12 Section 26H(7) at p 20 of the Bill.}

_{13 See section 26I(1) and (2) at p 20 of the Bill.}

_{14 Section 26I(3) at p 21 of the Bill.}

_{15 See para 46 of the PCP.}

_{16 See para 47 of the PCP.}

_{17 See para 47 of the PCP.}

Singapore’s Personal Data Protection Act: A review of the major changes ahead (Part 3): porting and data portability

Upcoming events

SCL Webinar – Competing Interests at the Competition Appeal Tribunal (CAT): Balancing Technology with Complexity

Controlling Liability in IT Contracts – Clause and Effect

SCL Summer Networking Event – Organised by the Trainee Group

SCL Event: Procurement of Government IT Projects

Generative AI and Deepfakes: Understanding the Illusion