Having put in place internal data protection compliance processes, organizations should begin looking beyond their borders (pun intended), towards establishing group-level privacy compliance.
The need for group-level privacy compliance and data transfer agreements ("DTAs")
In today's globally-connected environment, it is not uncommon for Singapore entities to share data, including personal data, with related entities which may or may not be based in Singapore. Given the increasing international focus on privacy and personal data protection, the well-established privacy regimes in the European Union, and the proliferation of comprehensive data protection laws across Asia over the past five years, it may not be enough to focus solely on localized data protection compliance – companies must adopt a holistic approach to data protection that allows them to share data globally within their group of related companies ("Related Entities").
The Singapore Personal Data Protection Act 2012 ("PDPA") prohibits the sharing of personal data among Related Entities or transfer personal data out of Singapore except in accordance with the PDPA. Where personal data is to be transferred out of Singapore, the transferor is to provide the transferred personal data with a standard of protection comparable to the protection under the PDPA (the "Transfer Obligations"). Therefore, a Singapore-based organization must meet its Transfer Obligations in order to share personal data globally.
The Personal Data Protection Regulations 2014 ("Regulations") require the transferor to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations before transferring personal data. "Legally enforceable obligations" under the Regulations include any law, contract (i.e. a DTA), binding corporate rules ("BCRs"), or any other legally binding instrument.
Deceptively complex Intra-Group DTAs and other "legally enforceable obligations"
A simple bilateral DTA allows entities to exchange personal data on an ad-hoc basis, and can be customized to suit various jurisdictions and obligations that an organization may wish to impose on the recipient, including reduced obligations if the recipient is merely a data intermediary.
Where there are more than 2 Related Entities in a group, multiple bilateral DTAs may or may not meet the group's operational needs. Another option to consider is the Intra-Group DTA. To implement an Intra-Group DTA, a number of questions need to be considered. For example, what is the simplest and most efficient way for a group with a large number of Related Entities to manage DTAs? What is the simplest way for future Related Entities to be bound by legally enforceable obligations after the DTA has been executed? How does the group address differing transfer requirements in various local jurisdictions? Will DTAs restrict the ability of an organization to scale globally?
Given that every organization has unique group-level operational requirements, customised multi-party DTAs or other binding legal obligations will be needed to achieve the group's desired outcomes.