Privacy & Information Security Law Blog

On April 27, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) submitted comments to the latest Singapore consultation on proposed personal data protection legislation, the Personal Data Protection Act 2012. The consultation is being conducted by the Ministry of Information, Communications and the Arts and expired on April 30, 2012.

The Singapore government intends to enact the data protection legislation in 2012. The stated purpose of the Act “is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.” The legislation is intended to protect only data that has a “link” to Singapore, and recognizes that data controllers, not data processors, are responsible for compliance with the law. The Ministry aims to put in place forward-looking legislation that will function as part of the infrastructure for cloud computing and modern analytics.

The Centre’s comments focus on two issues:

1. The over-reliance on consent in the legislation; and
2. assuring that the “link” to Singapore is limited to data originating in Singapore, or from Singapore residents while they are physically located in Singapore, and does not include information collected by processing centers in Singapore that receive data from other jurisdictions.

The proposed legislation is consent-based. In most instances, an organization will need to get consent from the individual before his or her information may be processed. Although the Act includes a laundry list of exemptions, there is no mechanism that would allow an organization to invoke its legitimate business interest to process information when consent is inappropriate and there is no other applicable exemption in the law. The Centre suggests more flexibility to allow organizations to balance their needs against potential risks to individuals, and the comments describe how that process might work.

The Centre believes that the plain language of the legislation is not consistent with the legislative objective of restricting the scope to data that is truly Singapore data. The comments highlight the flawed section and suggest it be addressed to meet legislative objectives.