Darren Grayson Chng, in the third of a series, explores the background to forthcoming changes to the Singapore Personal Data Protection Act
Singapore’s Personal Data Protection Act (“PDPA”) is slated for major changes in early 2021. This is the third of a four-part series. It examines the amendments in the Personal Data Protection (Amendment) Bill (“Bill”) which do away with the section of the PDPA that currently says the PDPA’s nine data protection obligations do not apply to organisations acting on behalf of a public agency, and which introduce a new Data Portability Obligation.
No exclusion for organisations acting on behalf of public agencies
Under the current version of the PDPA, an organisation in the course of acting on behalf of a public agency in relation to the collection, use, or disclosure of personal data, is excluded from the application of Parts III to VI of the PDPA.1 (These parts pertain to the nine data protection obligations under the PDPA.)
The Bill will remove this exclusion. The Public Consultation Paper explained that this amendment was based on the recommendations of the Public Sector Data Security Review Committee to ensure the accountability of non-Government third parties handling Government personal data, as there was a legislative gap where such parties were not covered under the PDPA or the Public Sector (Governance) Act 2018.2
Greater consumer autonomy over their personal data
Under this key area, the Bill will introduce a new Data Portability Obligation under a new Part VIB to the PDPA.3 A new section 26F of the PDPA will state that the purpose of Part VIB is to:
In the PCP, the Ministry of Communications and Information and the Personal Data Protection Commission said that the Data Portability Obligation would allow individuals to switch to new service providers more easily, preventing consumer lock-in.4
Under the Data Portability Obligation and a new section 26G, a “porting organisation” must, upon receiving a request from an individual that the organisation transmit to a “receiving organisation” any “applicable data” specified in the request (“data porting request”), transmit that data to the receiving organisation in accordance with any prescribed requirements.
Two pre-conditions to this obligation are:
(1) the data porting request must satisfy any prescribed requirements; and
(2) the porting organisation must have an “ongoing relationship” with the individual at the time it receives the individual’s data porting request.
Unpacking section 26G:
Under the PDPA, “organisation” is defined to include any individual, company, association, or body of persons, corporate or unincorporated, whether or not formed or recognised under Singapore law; or resident, or having an office or place of business, in Singapore.
So the definition of “porting organisation” indicates that the obligation to transmit “applicable data” may apply to organisations both in Singapore and overseas, but only to those organisations which are “prescribed”. The definition of “receiving organisation” further narrows the scope of application of the Data Portability Obligation to primarily organisations in Singapore.
However, the wording of the definitions still gives PDPC latitude to “extend data portability to like-minded jurisdictions with comparable protection and reciprocal arrangements” in the future.5
Further unpacking section 26G, and in relation to “applicable data”:
Two exceptions to the Data Portability Obligation
Under the first exception, the porting organisation has a choice not to transmit certain prescribed applicable data such as:
The porting organisation also has a choice not to transmit applicable data in certain situations, for example where the transmission will unreasonably interfere with that organisation’s operations because of the repetitious or systematic nature of the data porting request, the burden or expense of transmission is unreasonable to the porting organisation or disproportionate to the individual’s interests, or the data porting request is frivolous or vexatious.10
Under the second exception, the porting organisation must not transmit applicable data about an individual if:11
(a) the transmission can reasonably be expected to:
(i) threaten the safety, or physical or mental health, of an individual other than the individual to whom the applicable data relates;
(ii) cause immediate or grave harm to the safety, or physical or mental health, of the individual to whom the applicable data relates; or
(iii) be contrary to the national interest;
(b) the receiving organisation is or belongs to a class of organisations that is prescribed as excluded; or
(c) PDPC directs the porting organisation not to transmit the applicable data.
Reasons must be provided for non-transmission
If a porting organisation for any reason does not transmit any applicable data about an individual despite the data porting request, that organisation must notify the individual of the refusal within the prescribed time and in accordance with the prescribed requirements.12
Where another individual’s personal data would also be transmitted
If, in giving effect to a data porting request by an individual (P), the personal data of another individual (T) would also be transmitted to the receiving organisation, the porting organisation may disclose T’s personal data without T’s consent only if the data porting request:13
(a) is made in P’s personal or domestic capacity; and
(b) relates to P’s user activity data or user-provided data.
The receiving organisation is restricted to using T’s personal data only for the purpose of providing any goods or services to P.14
MCI and PDPC explained that these sections cater to the case where user-provided and user activity data include personal data of third parties, and ensure that the Data Portability Obligation is balanced, reasonable, and pragmatic. First, it would be impractical for the receiving organisation to have to obtain consent from every third party. Second, it would be onerous for organisations to have to redact the personal data of third parties who have not provided their consent. Third, if the requesting individual is making the porting request in his/her personal or domestic capacity, the third party’s interests would be unlikely to be adversely affected.
Timeline, and other data portability requirements
MCI and PDPC said in the PCP that the Data Portability Obligation would only come into effect with the issuance of Regulations.16 It is uncertain when this might be, as the PCP indicated that the PDPC would be consulting industry and relevant sector regulators in developing the requirements that would apply to the porting of specific datasets, and those requirements would be part of the Regulations.
The PCP also said that PDPC intends to prescribe the following matters in the Regulations:17
Darren Grayson Chng is our International Associate Editor for Singapore