In the face of a growing threat of ransomware attacks on businesses and government infrastructure, the government of Singapore has been hard at work updating its data protection and data security laws. In just two months, Singaporean regulators have moved to introduce new laws requiring mandatory data breach notification, regulating cybersecurity forensics firms, certifying cross-border data transfers and domestic data privacy practices, and greatly expanding government involvement in the data security of critical information infrastructure (CII) industries.
As yet, there is little detail or proposed regulatory guidance to accompany the proposed bills, and no clear timetable has been set for enactment or, ultimately, for compliance with the laws. However, organizations doing business in Singapore or processing the data of Singaporean residents would do well to familiarize themselves with the wide-ranging updates below, while keeping an eye on compliance down the road.
1. Privacy Law Amendments. The Singaporean Data Protection Commission (PDPC) is currently seeking feedback through September 21, 2017 on two proposed changes to the Personal Data Protection Act of 2012 (PDPA).
- Mandatory Data Breach Reporting. Currently, the PDPA has no formal data breach notification requirements, although the PDPC in the past has encouraged some level of data breach transparency. The PDPC has chosen to clarify and expand such breach reporting obligations:
  - Notice is required “as soon as practicable” and, for an incident that involves the data of 500 or more individuals, notice must be sent to the PDPC within 72 hours after learning of the breach.
  - Mandatory breach reporting requirements include notifying both the PDPC and affected individuals, where there is risk of impact or harm to affected individuals.
  - Organizations are required to report breaches to the PDPC where a breach involves more than 500 individuals.
  - Any data intermediary that experiences a breach is required to report the breach immediately to the organization on whose behalf it is processing the data.
The PDPC has yet to propose a penalty scheme for violations of the proposed data breach reporting rules.
2. New Commissioner of Cybersecurity to Oversee Critical Information Infrastructure. On July 10, 2017, the Cyber Security Agency of Singapore (CSA) and Ministry of Communications and Information (MCI) published a draft of the Cybersecurity Act 2017 (the “Act”), with the goal of closely regulating the data security practices of CII industries via a new CSA Commissioner of Cybersecurity. The proposed requirements are extensive:
- Critical Information Infrastructure. CII includes any public or private “computer or computer system that is necessary for the continuous delivery of essential services which Singapore relies on, the loss or compromise of which will lead to a debilitating impact on national security, defense, foreign relations, economy, public health, public safety or public order of Singapore.” § 2(1). The Act names forty-seven “essential services” across the government, security, healthcare, telecommunications, banking and finance, energy, media, and transportation sectors, while vesting the Commissioner with the power to designate any system as CII (via an appealable notice process).
- Data Breach Notice and Prevention Obligations. CII owners must report “significant cybersecurity incidents” to the CSA, while implementing “mechanisms and processes as may be necessary in order to detect any cybersecurity threat in respect of its critical information infrastructure.” § 15. CII owners must also share details of their technical architectures with the Commissioner, conduct regular compliance audits and cybersecurity risk assessments, and participate in national cybersecurity exercises.
- Broad Enforcement and Penalty Authority. The Commissioner will have the power to investigate security incidents, impose remediation orders, and carry out emergency measures to prevent, detect, or counter threats to CII as needed. The maximum proposed penalty for violations of the breach notification requirements of the Act would be fines of up to $100,000 SGD and/or two years’ imprisonment.
3. Updated Consent Framework. The PDPC proposes updating the existing consent requirements under the PDPA. For example, where individual consent is impractical to obtain, notice to an individual disclosing the intended collection, use, or disclosure of their data could substitute for individual consent. Individual consent could also be waived if obtaining consent would undermine public interests. Both proposed alternatives to consent would also require undertaking a privacy impact assessment.
4. Licensing of Cybersecurity Service Providers. The Act would also establish a mandatory licensing framework for cybersecurity forensics and monitoring service providers.
5. Creation of Singaporean Data Protection “Trustmark” Certification. The PDPC announced that it is in the process of rolling out its own data privacy certification to improve customer confidence in organizations that handle their personal data.
6. Enforcement and Increased Transparency. This month, the PDPC published its inaugural Personal Data Protection Digest. In addition to compiling previously posted enforcement decisions, the Digest notably contains eighteen case summaries of matters where the PDPC found organizations were not in breach of the PDPA. This increased transparency helps shine a light on the developing case law of privacy enforcement in Singapore, a welcome development particularly given the PDPC’s willingness to fine victims of breaches who failed to implement adequate data protection practices.
7. Cross-Border Regime Participation. Singapore issued a Notice of Intent to participate in the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems.