Singapore and the EU: Data Protection Laws

This is the time and age of data, an age where our digital footprint is constantly being monitored. It is easy to extract data and get information about an individual or an institution with the ‘click’ of a button. In this time and age of information dissemination, data protection has become considerably important and essential. The European Union has led from the front and given a new meaning to data protection with the General Data Protection Regulation (GDPR).

EU-GDPR

The EU General Data Protection Regulation (GDPR) its website reads, it is the ‘most important change in data privacy regulation in 20 years’ It was formally approved by the EU Parliament in April 2016 and enforced in May 2018. It replaced the erstwhile European Data Protection Directive and its jurisdiction extends beyond Europe The EU expects all its major trading partners to adhere to the norms laid out in the GDPR. Since Singapore is the EU’s largest trading partner within the Association of South East Asian Nations (ASEAN) it will be interesting to examine the ramifications of this agreement on Singapore and Singaporean companies.

The GDPR is a comprehensive and all-encompassing document and has been strengthened extensively to accommodate the interests of the citizens of the EU, with the right of access being a “data service right”. The “increased territorial scope” clause highlights that the GDPR is applicable anywhere and everywhere, where the EU citizen lives and resides. Similarly, the “privacy by design” clause articulates that data protection must be included at the onset of designing of systems, and not just as an addition. The age of consent is fixed at 16 or below with the option of parental consent being offered to younger parties. The right to be forgotten’ has been amended and the right to erasure has replaced it – giving the citizens the option of data deletion for further protection of data.

EUSFTA

Interestingly, Singapore and the EU have managed to sign European Union Singapore Free Trade Agreement (EUSFTA) in 2019 and this FTA provides further impetus to trade between EU and Singapore and will “give Singapore and the EU better access to each other’s markets, and boosting investment and business opportunities,” as pointed out by Lee Hsien Loong, the Prime Minister of Singapore in a Facebook statement. In this environment of camaraderie and positive exchange, the implementation of the GDPR can act as a “double edged sword” for Singaporean investors and businesses.

Singapore and GDPR

Since data protection appears to be the next important milestone that needs to be achieved by companies across the world, GDPR is applicable to all companies that work within the EU. Therefore, Singpaorean companies must adhere to the GDPR as well under two conditions:

• If the personal data of individuals in the EU is in relation to the offer of goods or services to individuals in the EU; or

• Monitor the behaviour of individuals in the EU.

Therefore Singaporean businesses like E-commerce retail chains, hospitality chains, data analytic companies, insurance companies and social media platforms. In case, a data breach occurs, “the organisation has up to 72 hours to report the breach to a supervisory authority and the affected individuals if the personal data is likely to risk the rights and freedoms of natural persons”.

Singapore -PDPA

Similarly, the Singapore Personal Data Protection Act recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.” according to PDPC. Though it is Singapore’s mechanism against data theft and includes nine protection obligations that include questions of consent whether it is “deemed consent” or “express consent”.

Unlike the GDPR, the PDPA is weaker and there is no particular age for seeking formal consent. Even the clause related to sensitive data is not formally explained unlike the GDPR norms. The PDPA, “establishes a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data.

While Singapore may profess and practice GDPR, it still has go up a few notches before it can match up to the EU in framing best practices for data management.

Inherent Challenges

The GDPR nurtures a “privacy conscious culture” according to KPMG. The ease of doing business is an important component of the EU’s traditional economic model but with the GDPR, there are riders attached now to this model. KPMG claims that Asian companies especially from Singapore may be impacted by GDPR and they will be obliged to adhere to GDPR requirements by their suppliers or contracting partners.

It suggests the recruitment of oversees data controllers and processors within the purview of the GDPR and calls for the designation of a representative based in an EU Member State to act as the point of contact. This representative, it is suggested, should be subjected to enforcement actions in case of non-compliance by the organisation in Asia. It clearly explains that an Asian company is liable to pay steep fines if it does not adhere to the provisions laid out within the ambit of GDPR.

Thomas Reuters claims that most countries that engage in trade with the EU are not GDPR compliant. Since GDPR necessitates obtaining information about how and when companies obtained consent through which available means, the appointment of data protection officers and data protection systems catering to the needs of the companies at hand, compliance to GDPR becomes more difficult for developing countries.

While Singapore initiated the Smart Nation initiative with much aplomb, and soon after followed it up with the PDPR, privacy concerns continue to abound with claims being made that “PDPR essentially protects the interests of firms and enterprises as opposed to citizens”.

The benefits of innovation therefore should not impede the rights of citizens argues Max Kantelia, the Co-Founder of Ziliqa, in his article in Regulation Asia. While Yeong Zee Kin, the deputy commissioner of Personal Data Protection Commission (PDPC) claims that innovation is being encouraged through PDPE and a fine balance needs to be maintained as well, his clarion call has its limitations.

The inherent limitations can be viewed through Grab’s conduct in recent years. Grab had faced charges and a hefty fine of $16,000 by the Singapore government for leaking its customers’ data in email marketing campaigns sent to customers who used GrabCar, its ride sharing cab facility. The Drum reports that Grab faced the ire of the PDPC with the PDPC commissioner “criticising Grab for not putting adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that leaked the data”. These cases set an incorrect precedent for Singapore and dent its image internationally.

Since Ernst & Young (EY) has already stated that 9/10 Singaporean companies do not have a particularly strategy to deal with GDPR, the chances of non compliance continue to be on the higher side. GuideME Singapore has initiated a programme to help companies cope with these new directives and measures and suggested that Singaporean companies appoint auditors, resident company secretaries and register themselves for the Good and Services Tax (GST) for their own benefit. Since data control, data security and data erasure are all covered by GDPR as pointed out before, the costs of non-compliance are hefty and companies are only realising that now.

Tech Republic has concluded that only 29% EU companies are GDPR complaint! If these statistics are anything to go by, GDPR is a tough nut to crack. It will be difficult for the Singaporeans to seal the deal in this competitive environment where it is increasingly difficult to read between the lines.

This piece is written by Anuttama Banerji. Anuttama is Associate Researcher at Govern.