On September 24, Singapore's Personal Data Protection Commission published its final advisory guidelines on how the country's Personal Data Protection Act 2012, which governs the collection, use, and disclosure of personal data, will be interpreted and applied.
Despite widespread fears among local businesses that the guidelines might may onerous compliance rules, the final guidelines adopt a pragmatic and business-friendly approach.
In particular, the final guidelines make it clear that a common-sense approach is to be taken on a wide range of issues. For example, section 9 of the guidelines makes it clear that when assessing whether something is reasonable under the Personal Data Protection Act, an appropriate balance needs to be struck between the need to protect individuals and the need for organizations to collect, use, or disclose data.
Singapore takes more business-friendly approach than Europe
To understand the underlying basis for Singapore's approach (and why it is unlikely to change), it is useful to understand the underlying basis and rationale for its legislation and how this differs from the European approach.
In Europe, the preamble to the underlying harmonizing directive makes it clear that data protection rules are to implement individuals' right to privacy, contained in article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. This kernel of human rights protection in the European approach pervades national implementing legislation, and significantly constrains European regulators' freedom to interpret the law in a business-friendly way by effectively balancing the interests of business against the rights of individuals.
By contrast, Singapore's Personal Data Protection Act has two objectives:
- To enhance individual's control over their personal data, but there are no references to a fundamental right of privacy; and
- To enhance Singapore's competitiveness and strengthen its position as a trusted business hub.
As most countries with existing data protection prohibit data export to jurisdictions without equivalent data protection legislation, a key driver for the Singapore legislation has been to permit international business to transfer data to the city-state. Support for this view can been seen very clearly in the IDA's plan to develop the country as a hub for data and analytics, which describes the Data Protection Act as a supporting platform and enabler.
In my view, the approach that Singapore has taken can be summarized as putting place the minimum requirements needed to enable data to be exported to the Asian country, while also minimizing the compliance burden on Singapore-based businesses.
Implications for businesses
The fundamental differences between the European and Singaporean approaches to data protection means that, in general, businesses in Singapore can expect a continuing business-friendly approach to data protection interpretation and enforcement.
While businesses will still need to ensure that they have undertaken a compliance audit and made any necessary changes in Singapore, the incremental compliance requirements for multinational businesses used to operating subject to European data protection rules is minimally low to the extent their operations in Singapore already follows internal international standards.