In Singapore, private sector organisations must generally comply with the transfer limitation obligation in the Personal Data Protection Act (the Act). Any transfer of personal data outside Singapore must be in accordance with the Act’s requirements, to ensure that a comparable standard of protection is accorded to that data.
However, where an organisation is a data intermediary, i.e., it processes personal data on behalf of and for the purposes of another pursuant to a written contract, that intermediary is not subject to the transfer limitation obligation, as specified in section 4(2) of the Act.
On 9 October 2019, Singapore’s personal data protection commission issued revised guidelines which clarify the scope of the transfer limitation obligation with respect to data intermediaries:
- When engaging a data intermediary, an organisation should make clear in its contract with that intermediary the latter’s level of responsibilities and the scope of work required to perform “on its behalf and for its purposes”.
- In relation to any personal data that it processes pursuant to such contract, the data intermediary has independent obligations in respect of the protection and retention of personal data.
- The organisation that engaged the data intermediary remains liable for any breach of the Act resulting from any processing by the data intermediary on its behalf and for its purposes.
- By extension, an organisation is responsible for complying with the transfer limitation obligation in the Act in respect of any overseas transfers of personal data. This is the case regardless of whether the data is transferred: (i) by that organization itself to an overseas intermediary; or (ii) by a Singapore-based intermediary that is processing personal data on behalf and for the purposes of the organisation.
- Ultimately, the onus is on the transferring organisation to undertake appropriate due diligence and obtain assurances when engaging a data intermediary, to ensure the latter is capable of protecting personal data transferred overseas to a standard that is comparable to that required under the Act. One way to do this would be to rely on the intermediaries’ data protection policies and practices, including compliance with relevant industry standards and certification such as ISO27001 and Tier 3 of the multi-tiered cloud security certification scheme.
A specific new section on cloud services was also introduced into the advisory guidelines for selected topics. In this section, it was clarified that:
- Where a cloud provider processes personal data on behalf of and for the purpose of another organisation pursuant to a written contract, it is considered a data intermediary and therefore subject to the protection and retention limitation obligations in the Act. This extends to personal data that it processes or hosts for the organisation in data centres even if these are located outside Singapore.
- At the same time, the cloud provider remains an organisation in its own right and thus continues to be responsible for complying with all of the obligations in the Act in respect of activities that it may undertake beyond mere processing under the contract.
- In relation to the transfer limitation obligation, the organisation that engages the cloud provider must ensure that the provider: (i) only transfers data to locations with comparable data protection regimes; or (ii) has legally enforceable obligations to ensure a comparable standard of protection for the transferred data. This can be encapsulated by way of contractual provisions between the organisation and the cloud provider.
- Where such contract is silent as to the locations to which a cloud provider may transfer data that is processed on behalf of an organisation, the organisation is deemed to have complied with the transfer limitation obligation by ensuring that the cloud provider: (i) is based in Singapore and is certified or meets relevant industry standards; and (ii) provides assurances that all the data centres or sub-processors located overseas to which the data is transferred comply with these standards. To this end, an organisation may request the cloud provider to produce technical audit reports such as the SOC-2.
Organisations should pay careful attention to and review any contracts with a potential data intermediary or cloud provider. Among other things, such agreements should include appropriate provisions on the permissible use and transfer or personal data and the identification of overseas locations to which the data may conceivably be transferred, as well as providing assurances with regard to how the data will be protected, such as a right to audit, an industry standard or certification.