Date Published: 29 January 2021
This article analyses the implications of WhatsApp’s recent announcement from a Singapore law perspective, in particular, under Singapore’s data protection laws.
Singapore’s data protection regime
In Singapore, the collection, use and disclosure of personal data by organisations are regulated by the Personal Data Protection Act 2012 (the “PDPA”). The PDPA applies to all organisations, regardless whether they are formed or recognized under the laws of Singapore. In this regard, every organisation is required to comply with the PDPA in respect of activities relating to the collection, use and disclosure of personal data in Singapore unless the collection, use and disclosure of personal data are expressly excluded from the application of the PDPA.
Personal data refers to data, whether true or not, about an individual who can be identified from that data on its own or from that data and other information to which the organisation has or is likely to have access. Data which can identify an individual on its own is referred to as a unique identifier, and the Personal Data Protection Commission (“PDPC”) generally considers such unique identifiers to include an individual’s full name, NRIC number or FIN, passport number, personal mobile telephone number, facial image of an individual, voice of an individual, fingerprint, iris image and DNA profile.
- A user’s account registration information (including phone number), transaction data, service-related information, mobile device information and IP address;
- Information on how a user interacts with others via WhatsApp;
- Such other information obtained upon notice to a user or based on the user’s consent.
Based on the above, it is apparent that the information that WhatsApp collects and shares with Facebook will include personal data, and as such, Facebook will be required to comply with the obligations set out in the PDPA in relation to the collection, use and disclosure of personal data, namely:
- Whether data is collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances;
- notifying users of the purposes and obtaining users’ consent for the collection, use or disclosure of personal data;
- Allowing users to access and correct their personal data;
- protecting personal data (including observing the requirements for international transfers) and not retaining personal data if no longer needed; and
- Having policies and practices to comply with the PDPA.
Under the PDPA, an organisation is generally not allowed to collect, use or disclose a user’s personal data unless the user has given or is deemed to have given, his consent for the collection, use or disclosure of personal data. In order for consent to be valid, the PDPA requires an organisation to notify users of the purposes for which their personal data will be collected, used or disclosed. In addition, if an organisation intends to use or disclose personal data for purposes other than as notified to users or for which it has not obtained users’ consent (“New Purposes”), the organisation will be required to inform its users of the New Purposes and obtain fresh consent for the New Purposes.
Disclosure of data to Facebook
Notwithstanding the above, the PDPA also stipulates that organisations providing a product or service to an individual must not, as a condition for providing the product or service, require the individual to consent to the collection, use or disclosure of his personal data beyond what is reasonable for the provision of the product or service, or provide false or misleading information or use deceptive or misleading practices to obtain the individual’s consent. Any consent obtained in the foregoing circumstances would not be valid. For the avoidance of doubt, the PDPC has advised that an organisation may require an individual to consent to the collection, use and disclosure of his personal data as a condition of providing a product or service where it is reasonably required in order to provide the said product or service.
WhatsApp in its clarificatory statement on 12 January 2021 stated that the purpose for sharing user data with Facebook was to make it easier and better for WhatsApp users to engage in business messaging as users are inter alia able to use secure hosting services from Facebook to manage their WhatsApp chats with their customers, answer questions and send helpful information to their customers. Given that there are many WhatsApp users who use WhatsApp primarily for social and not business purposes (“Non-Business users”), it is not apparent why WhatsApp has to share such Non-Business users’ data with Facebook, in order for it to continue to provide instant messaging services.
Alternatives to express consent
In addition to the above, the Personal Data Protection (Amendment) Bill was passed in Parliament on 2 November 2020, to amend the PDPA. The amendments expanded the categories of consent by introducing deemed consent by notification. An individual may be deemed to have consented to the collection, use or disclosure of personal data for a purpose that he had been notified of, if he has not taken any action to opt out of the collection, use or disclosure of his personal data. However, deemed consent by notification will only be effective if:
- The organisation, prior to the collection, use or disclosure of personal data, has conducted an assessment to determine that the proposed collection, use or disclosure of personal data is not likely to have an adverse effect on the individual;
- The organisation has taken reasonable steps to ensure that the individual is notified of the organisation’s intent to collect, use or disclose the personal data; the purpose of such collection, use or disclosure; and the period within which the individual can opt out of the collection, use or disclosure of his personal data for such purpose; and
- The opt-out period must be reasonable.
Separately, under the amended PDPA, an organisation may rely on the “business improvement” exception to use personal data collected by the organisation (as long as this is done in accordance with the PDPA), to increase operational efficiency, develop new products, improve or enhance its services. However, this exception may only be relied upon for such purposes that a reasonable person may consider appropriate in the circumstances and where such purposes cannot be achieved without use of the personal data. Potentially, this “business improvement” exception may be applied to the sharing of personal data between entities in a group, as long as the conditions under the amended PDPA are met.
 Paragraph 2.2 of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act; https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-(2-June-2020).pdf?la=en
 Section 13 of the PDPA
 Paragraph 14.12 of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act; https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-(2-June-2020).pdf?la=en
 Section 14(2)(a) of the PDPA
 Paragraph 12.20 of the Advisory Guidelines on Key Concepts in the Personal Data Protection Act; https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Key-Concepts/Advisory-Guidelines-on-Key-Concepts-in-the-PDPA-(2-June-2020).pdf?la=en
 Advisory Guidelines on requiring consent for Marketing Purposes; https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/advisoryguidelinesonrequiringconsentformarketing8may2015.pdf?la=en
 Section 15(1)(a) of the PDPA
Disclaimer: This update is provided to you for general information and should not be relied upon as legal advice. The editor and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents.
With the prevalence of technology and increasing connectivity through the internet, cybersecurity and data protection are areas that have grown more important in Singapore.
Since the introduction of the Personal Data Protection Act 2012 (“PDPA), it is mandatory for organisations to comply with data protection rules and we strive to help our clients understand that compliance with the PDPA is no longer an option.
At CNPLaw, we have worked with our clients and helped them navigate through a variety of data protection issues, which include:
- Reviewing existing policies in order to advise on our client’s compliance with the law
- Highlighting possible legal risk areas
We also advise our corporate clients in relation to ad hoc queries on potential breaches of the law and the PDPA, and highlight data protection issues that may arise in the context of employment or HR policies.