Compliance with the GDPR in Singapore


Thursday 24 May 2018

This article is written in conjunction with AKD Benelux Lawyers, a Dutch law firm recently named Benelux law firm of the year 2018.


Introduction

The European Union (“EU”) General Data Protection Regulation (the “GDPR”) was adopted on 14 April 2016 and will come into force on 25 May 2018. The GDPR is an ambitious piece of legislation, unifying data protection laws across the EU and purporting to have global reach in protecting the personal data[1] of EU citizens.

With stringent new requirements, the GDPR applies to all organizations outside of the EU as long as the organization:

  1. offers goods or services to individuals in the EU irrespective of whether a payment is required; or
  2. monitors the behaviors of individuals within the EU,

with potentially hefty penalties of up to 20 million EUR or 4% of worldwide annual turnover of the preceding year (whichever is higher) for the infringement of provisions under the GDPR.

The GDPR’s requirements are more rigorous than those of Singapore’s own Personal Data Protection Act 2012 (“PDPA”). Organizations whose systems and procedures currently comply with the PDPA may nevertheless be in danger of running afoul of the GDPR. We elaborate on the key features of this enhanced regime below.

In summary, organizations need to ensure that their internal processes and policies comply with the following requirements:

  1. Consent obtained from a data subject for the processing of his/her personal data is clear and unambiguous. The purpose for obtaining such personal data should be clearly stated;
  2. Personal data should not be retained longer than is necessary for the purposes for which the personal data was processed;
  3. Data subjects should have the right to:
    • access and correct personal data concerning him/her;
    • withdraw consent to the processing of his/her personal data at any time, and withdrawing consent should be as easy as giving it;
  4. No processing of personal data classified as ‘special’ under the GDPR (e.g. racial or ethnic origin, sexual orientation, philosophical beliefs) unless one of the limited exemptions under Article 9(2) of the GDPR applies; and
  5. Personal data breaches should be reported no later than 72 hours from the time the breach is discovered. Additionally, the breach and any subsequent remedial actions have to be clearly documented.

The GDPR’s Global Scope

Presently, the PDPA applies only if the data was collected, used or disclosed in Singapore (whether or not the organization is located in Singapore).[2]

The GDPR has no such geographical restriction. All organizations globally will have to comply with the GDPR as long as the organization:

  1. offers goods or services to individuals in the EU, irrespective of whether a payment is required; or
  2. monitors their behaviors within the EU.

The PDPA also provides exemptions from data protection obligations to the following:

  1. individuals acting in a personal or domestic capacity;
  2. employees acting in the course of their employment with an organization;
  3. public agencies;
  4. any organization acting on behalf of a public agency in relation to the collection, use or disclosure of personal data; and
  5. data intermediaries[3], which are partially excluded from the provisions of the PDPA.

By contrast, the GDPR applies so long as an individual or entity (including a public authority or agency) falls within the definition of ‘data controller’[4] or ‘data processor’[5] under Article 4 of the GDPR, save that natural persons acting “in the course of a purely personal or household activity” are exempted.

This is particularly significant in relation to data processors, i.e. third parties which collect and process data on behalf of other organizations (and which fall under the definition of ‘data intermediaries’ under the PDPA, where they enjoy wide exemption from data protection obligations). Under the GDPR, both data controllers and processors are subject to its provisions, and the GDPR imposes direct obligations on data processors, making them liable for data protection infringements.[6]

Organizations in Singapore should note the applicability of the GDPR to them, particularly if their business activities fall within the above conditions. This is especially relevant in light of the severe penalties which the EU may impose for infringements, as discussed in the following section.

Penalties

Under the PDPA in Singapore, different penalties apply to individuals and to organizations. The GDPR makes no such distinction. The definitions of data controller and data processor under the GDPR include individuals, organizations and other legal entities, and even public authorities and agencies. All are subject to the same stringent penalties under the GDPR.[7]

Under the PDPA, depending on the provision infringed, penalties for organizations will not exceed S$50,000 or S$100,000, as the case may be.[8] Penalties for individuals will not exceed S$5,000 or S$10,000, as the case may be, although in egregious breaches there is a discretion to also impose a term of imprisonment of up to 12 months or 3 years as the case may be.[9]

However, under the GDPR, depending on the provision infringed, fines of up to 20 million EUR or 4% of worldwide annual turnover of the preceding financial year (whichever is higher) may be imposed on the individual or organization.[10]

Given the intended global reach of the GDPR, it is therefore imperative that organizations (particularly those which do business in the EU) take precautions to ensure that they are compliant with the provisions of the GDPR. This also applies where the business of an organization is to process personal data on behalf of third parties, an area in which the existing requirements under the PDPA are fairly light in comparison.

Consent

Consent has previously been seen as an absolute defense to privacy infringements. This changes with the GDPR.

The PDPA prohibits organizations from collecting, using or disclosing a data subject’s personal data unless the data subject gives his/her consent for the collection, use or disclosure of his/her personal data.[11] However, there are a number of situations where a data subject is deemed to have given his/her consent.[12] In addition, there are broad exemptions under which organizations are not required to obtain consent from data subjects under the PDPA.[13] For instance, consent is not required where (i) the personal data is publicly available;[14] (ii) the use of the personal data is necessary for any investigation or proceedings by the organization;[15] or (iii) the disclosure of the personal data is necessary for the organization to obtain legal services.[16]

This is different under the GDPR. Under the GDPR, consent is one of the legal grounds on which personal data may be processed. However, the scope of consent is limited and strictly defined.

The GDPR has clearly defined consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”[17]

The notion of “deemed consent” does not have similar traction under the GDPR as with the PDPA. As such, in all scenarios, organizations must take prudent steps to ensure that consent is clearly obtained.

Further, besides the requirement that consent must be given freely, the GDPR stipulates that even explicit consent may not be sufficient in cases where there is an imbalance of power, for example in the context of employer-employee relationships, or where consent to the processing of personal data is bundled together with other contractual provisions[18], particularly where such processing of personal data is not required for the performance of the contract[19]. Employees are considered to be in a dependent position in relation to their employers and may therefore be inclined to give consent where they might otherwise want to refuse. In addition, when the processing has multiple purposes, consent should be given for each of them.

Even where organizations have taken measures to remain compliant with the PDPA, this does not automatically equate to compliance with the GDPR. It is crucial that organizations in Singapore obtain valid consent from data subjects, and they should be especially careful where the processing of personal data relies on “deemed consent” under the PDPA.

In addition, organizations must pay particular attention to the scenarios in which consent for data collection, use or disclosure is exempted under the Second to Fourth Schedules of the PDPA, as there are no equivalent exemptions under the GDPR.

Withdrawal of Consent

The withdrawal of consent by data subjects is permitted by both the GDPR and the PDPA, in varying degrees.

Under the PDPA, if the data subject withdraws consent to the collection, use or disclosure of personal data, the organization shall cease collecting, using or disclosing the said personal data (and shall cause its data intermediaries and agents to do likewise), unless consent was not required from the data subject in the first place[20] (see above on “deemed consent” and the exemptions under the Second to Fourth Schedules of the PDPA). The consequences of withdrawing consent are borne by the data subject.

However, upon the withdrawal of consent, the organization is not required to delete or destroy the data subject’s personal data and may retain it for as long as there are business or legal needs to do so.[21]

By contrast, under the GDPR, the data subject shall have the right to withdraw his/her consent at any time.[22] Upon the withdrawal of consent by the data subject, the organization should no longer process the personal data of the said data subject, unless another legal basis under Article 6 of the GDPR applies.

Processing of Special Categories of Personal Data

Different categories of personal data are afforded different levels of protection. This is a concept that is present in the GDPR, but not in the PDPA.[23]

Under the GDPR, special categories of personal data are defined as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”[24]

The processing of special categories of personal data is generally prohibited under the GDPR, unless one of the exceptions under Article 9(2) applies to the organization.[25] These include: (i) processing of personal data which has been made public by the data subject (this exception is, however, interpreted very narrowly);[26] (ii) processing of the personal data is necessary to protect the vital interests of the data subject;[27] or (iii) processing is necessary for reasons of public interest, such as public health.[28]

This is a marked difference from the position under the PDPA. The PDPA does not explicitly categorize personal data. Instead, limited guidance is provided by the Personal Data Protection Commission (the “PDPC”) in its advisory guidelines[29], and adjudicated cases[30]. The PDPC has highlighted that “certain types of personal data would typically be more sensitive in nature”, without clearly demarcating what types of information would qualify as “sensitive” personal data[31]. Nevertheless, an organization’s obligations under the PDPA remain confined to ensuring that “a higher standard of protection is implemented for more sensitive personal data”, as opposed to a prohibition from processing under the GDPR.

As a consequence, organizations now need to note the difference between general personal data and special categories of personal data under the GDPR (and the consequent prohibition on processing the latter). Given that the PDPA does not draw this distinction, it is likely that organizations will have to re-examine their internal procedures to accommodate this ‘new’ category of personal data.

Data Breach Notification

The PDPA does not currently make it mandatory for organizations to notify data subjects in the event of a personal data breach.[32] Instead, organizations are encouraged to notify individuals affected by the data breach.

In comparison, under the GDPR, a data controller is obliged to report a data breach no later than 72 hours after such breach is discovered.[33] In the event of a personal data breach, the data controller is expected to document the said breach, comprising the facts relating to the breach and any remedial actions taken.[34]

The failure to adhere to this requirement may expose organizations to the same penalties described above. Organizations should take care to ensure that the relevant internal procedures are put in place to comply with this 72-hour timeline, particularly in light of the number of additional obligations imposed by the GDPR.

Correction of Personal Data

Both the GDPR and the PDPA permit the data subject to rectify his/her personal data in varying scenarios.

Under the PDPA, a data subject may request the correction of an error or omission in his/her personal data held by the organization. However, in Singapore, an organization is not required to comply with this request if it is satisfied on reasonable grounds that the correction should not be made.[35]

Under the GDPR, the data subject shall have the right to obtain from the controller “without undue delay the rectification of inaccurate personal data concerning him or her.”[36] In the event that the personal data is incomplete, the data subject shall have the right to have it completed, including by means of providing a supplementary statement.[37]

Right to Access

Both the GDPR and the PDPA entitle the data subject to access his/her personal data.

Under the PDPA, a data subject may request from the organization the personal data it holds about him/her, and information on how this personal data has or may have been used or disclosed within the year before the date of the request.[38] The organization is not required to provide the information requested in respect of the matters listed under the Fifth Schedule.[39] These include (i) personal data which is subject to legal privilege;[40] and (ii) any opinion data that is kept solely for an evaluative purpose.[41]

Additionally, the organization is not required to provide the requested information to the data subject if doing so would:

  1. threaten the safety or the physical or mental health of a person other than the data subject;[42]
  2. cause immediate or grave harm to the safety or the physical or mental health of the data subject;[43]
  3. reveal the personal data of another person;[44]
  4. reveal the identity of the person who provided the personal data of the data subject;[45] or
  5. be contrary to the national interest.[46]

Under the GDPR, the data subject shall have the right to obtain his/her personal data from the controller, including the right to obtain a copy of the personal data, as long as this does not adversely affect the rights and freedoms of others.[47] Under the GDPR, the grounds for refusing a data subject his/her right of access are limited in comparison to the PDPA.

Right to Object

There is no explicit right under the PDPA for a data subject to object to the processing of his/her personal data.

However, under the GDPR, the data subject has the right to object to the processing of his/her personal data. Upon the objection of the data subject, the data controller should no longer process the personal data unless there are ‘compelling legitimate grounds’ to do so.[48]

Conclusion

As seen above, the GDPR marries a rigorous approach to data protection with an ambitious territorial scope.

It remains to be seen how the GDPR’s enforcement will be implemented. However, given the intended global reach of the GDPR, it would be prudent for organizations to revise their internal procedures and data protection policies to address the additional obligations imposed by the GDPR, over and above the existing requirements of the PDPA.

Disclaimer

This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals. It is for information purposes only, and not intended to provide legal or any other advice, or to be relied on in any way.

Neither AKD Benelux Lawyers nor Colin Ng & Partners LLP shall be liable for any loss, damage or other consequences arising from any reliance on the contents of this publication. In the event that you have any queries about the operation of the GDPR or the PDPA, you can and should seek your own legal advice.

This update is provided to you for general information and should not be relied upon as legal advice. Authors and contributors: Mr Martin Hemmer (AKD Benelux Lawyers), Mr Randall Perera (cnplaw), Ms Wong Pei-Ling (cnplaw) and Ms Vitoria Owyong (cnplaw).

Footnotes

[1] Under the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

[2] PDPA Section 4

[3] Under the PDPA, a data intermediary is defined as “an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation.”

[4] Under the GDPR, data controller is defined as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

[5] Under the GDPR, data processor is defined as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

[6] GDPR Article 28(1)

[7] GDPR Article 83(3)

[8] PDPA Section 51(4)

[9] PDPA Section 51(5) and Section 56

[10] GDPR Article 83(5)

[11] PDPA Section 13

[12] Under Section 15(1) of the PDPA, deemed consent arises where “an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if (a) the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and (b) it is reasonable that the individual would voluntarily provide the data.” Under Section 15(2) of the PDPA, “if an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.”

[13] PDPA Second, Third and Fourth Schedules

[14] PDPA Second Schedule, Section 1(c)

[15] PDPA Third Schedule, Section 1(e)

[16] PDPA Third Schedule, Section 1(j)

[17] GDPR Article 4

[18] GDPR Article 7(2)

[19] GDPR Article 7(4)

[20] PDPA Section 16(4)

[21] PDPA Section 16(4)

[22] GDPR Article 7(3)

[23] PDPA Section 2

[24] GDPR Article 9(1)

[25] GDPR Article 9(2)

[26] GDPR Article 9(2)(e)

[27] GDPR Article 9(2)(c)

[28] GDPR Article 9(2)(i)

[29] Advisory Guidelines on Key Concepts in the PDPA at paragraph 17.2

[30] Re Aviva Ltd [2017] SGPDPC 14

[31] From the PDPC enforcement decisions over the last two (2) years, the following have been treated as “more sensitive” personal data:

NRIC/Passport numbers; personal data of a financial nature such as bank account details, Central Depository account details, securities holdings, transaction and payment summaries; names of the policyholder’s dependents or beneficiaries, the sum insured under the insurance policy, the premium amount and type of coverage; an individual’s personal history involving drug use and infidelity; sensitive medical conditions; and personal data of minors.

[32] Under the GDPR, personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

[33] GDPR Article 33(1)

[34] GDPR Article 33(5)

[35] PDPA Section 22

[36] GDPR Article 16

[37] GDPR Article 16

[38] PDPA Section 21

[39] PDPA Fifth Schedule

[40] PDPA Fifth Schedule, Section 1(f)

[41] PDPA Fifth Schedule, Section 1(a)

[42] PDPA Section 21(3)(a)

[43] PDPA Section 21(3)(b)

[44] PDPA Section 21(3)(c)

[45] PDPA Section 21(3)(d)

[46] PDPA Section 21(3)(e)

[47] GDPR Article 15(4)

[48] GDPR Article 21(1)