S'pore data protection law still under review

Four years after it was announced, work on Singapore's data protection regime continues. Business costs, privacy definitions and culture may be cause for delay, says lawyer.
Written by Vivian Yeo, Contributor on

More than four years after the Singapore government indicated that it was reviewing the country's data protection regime and assessing suitable frameworks, the end is still nowhere in sight.

The Ministry for Information, Communications and the Arts (Mica) informed ZDNet Asia in an e-mail last week that work on Singapore's data protection system is still in progress.

"The Inter-Ministry Committee examined the need for a general data protection law in Singapore, the experience in other jurisdictions that have enacted similar laws, its implications on consumers, businesses and our national interests, and how such a regime should be formulated to fit Singapore's context," a Mica spokesperson said in reference to the progress made since January 2009.

"MICA has since been working with other relevant government agencies to examine the issues in greater detail," she added. "As the issues involved are multi-faceted with extensive impact on all stakeholders, the review is still ongoing."

A long, drawn-out process?
There are a number of factors contributing to the delay of Singapore's data protection legislation, according to a legal expert.

"The issue is not with the wording of the law as the Singapore drafters are quick," noted Bryan Tan, director at Keystone Law Corporation. "The issue must be over the idea and principles behind a data protection law."

One area of concern is the cost to organizations, particularly businesses. With regulations in place, additional investments would have to be made--and borne--by companies, he said. This could be in the form of technology to monitor compliance or the appointment of personnel such as a chief privacy officer.

The post-9/11 world has also made the issue of privacy more complex, he pointed out. Hong Kong, in contrast, instituted its data protection ordinance before the attacks on the United States, and it did not take the economy "that long".

The whole of Asia is behind the West culturally in terms of privacy and data protection, added Tan. Singaporeans, for example, are used to being grilled by relatives or friends about intimate details of their personal lives including their salary, and do not possess the same inhibitions about giving away private information, he explained.

Malaysia, India make headway
Across the Straits, it took nine years for neighbor Malaysia to effect its Personal Data Protection Act 2010. The bill was drafted in 2001, tabled in the Malaysian parliament in October 2009, and finally passed in April this year.

The Malaysian legal framework is aimed at regulating the collection, processing and storing people's personal data, and specifies fines as well as jail terms for misuse of such data.

Over in India, the Personal Data Protection Bill 2006 has since been superseded by a revision of the Indian IT Act, which was established in 2000.

According to Rahul Jain, senior security consultant at the Data Security Council of India, the Indian IT (Amendment) Act, 2008 was passed by parliament in December 2008 and came into force last October.

"Clause 43A of the Indian IT (Amendment) Act, 2008 protects the privacy of an individual by penalizing [a] 'body corporate' that fails to implement reasonable security practices for protecting sensitive personal information of an individual," he said in an e-mail. "Clause 72A of the Indian IT (Amendment) Act, 2008, has provisions on the punishment for disclosure of information in breach of lawful contract."

Editorial standards