Singapore takes business-friendly approach in data protection guidelines

Singapore takes business-friendly approach in data protection guidelines

Summary: Singapore's Personal Data Protection Commission last week published its final advisory guidelines, revealing a business-friendly approach in governing the collection, use, and disclosure of data.


On September 24, Singapore's Personal Data Protection Commission published its final advisory guidelines on how the country's Personal Data Protection Act 2012, which governs the collection, use, and disclosure of personal data, will be interpreted and applied.

Despite widespread fears among local businesses that the guidelines might may onerous compliance rules, the final guidelines adopt a pragmatic and business-friendly approach.

In particular, the final guidelines make it clear that a common-sense approach is to be taken on a wide range of issues. For example, section 9 of the guidelines makes it clear that when assessing whether something is reasonable under the Personal Data Protection Act, an appropriate balance needs to be struck between the need to protect individuals and the need for organizations to collect, use, or disclose data.

Singapore takes more business-friendly approach than Europe

To understand the underlying basis for Singapore's approach (and why it is unlikely to change), it is useful to understand the underlying basis and rationale for its legislation and  how this differs from the European approach.

In Europe, the preamble to the underlying harmonizing directive makes it clear that data protection rules are to implement individuals' right to privacy, contained in article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. This kernel of human rights protection in the European approach pervades national implementing legislation, and significantly constrains European regulators' freedom to interpret the law in a business-friendly way by effectively balancing the interests of business against the rights of individuals.

By contrast, Singapore's Personal Data Protection Act has two objectives

  1. To enhance individual's control over their personal data, but there are no references to a fundamental right of privacy; and
  2. To enhance Singapore's competitiveness and strengthen its position as a trusted business hub.

As most countries with existing data protection prohibit data export to jurisdictions without equivalent data protection legislation, a key driver for the Singapore legislation has been to permit international business to transfer data to the city-state. Support for this view can been seen very clearly in the IDA's plan to develop the country as a hub for data and analytics, which describes the Data Protection Act as a supporting platform and enabler.

In my view, the approach that Singapore has taken can be summarized as putting place the minimum requirements needed to enable data to be exported to the Asian country, while also minimizing the compliance burden on Singapore-based businesses.  

Implications for businesses

The fundamental differences between the European and Singaporean approaches to data protection means that, in general, businesses in Singapore can expect a continuing business-friendly approach to data protection interpretation and enforcement.

While businesses will still need to ensure that they have undertaken a compliance audit and made any necessary changes in Singapore, the incremental compliance requirements for multinational businesses used to operating subject to European data protection rules is minimally low to the extent their operations in Singapore already follows internal international standards.

Topics: Privacy, Security, Singapore

Rob Bratby

About Rob Bratby

International telecoms, media and technology lawyer. Covering South-East Asia from Singapore.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Privacy approach must be cultural too

    Thanks for sharing your comments and opinion about Singapore’s Personal Data Protection Act 2012 Mr. Bratby. I agree with you about the business friendly approach. Definitely Privacy has become an important issue for multinational business managing data and, as long as data continue to spur growth opportunities, Data is the New Oil, the issue will continue to rise.

    Of course, the Asian legal approach to personal data protection is new and it will probably evolve from the foundations of its own cultural perspective in one way or another. I honestly think that a cultural approach to Privacy must be undergone just in the same way as doing business with Asia from a European perspective requires a cultural approach to success.

    In my opinion, business needs to manage data (personal or not) as the asset it is, with the proper coherence. In that sense Data Governance will become the proper tool due to its transversal definition as a strategy applied to data management. Within such a strategic vision to data management, compliance is a pilar yet many others such as quality and security must be included to assure the success of a data governance project.

    From that perspective European professionals can provide experience to emerging Singapore and Asian markets, adding a cultural crossover perspective.