The recent enhanced provisions enacted under the Personal Data Protection Act 2012 (“the PDPA”) have provided some clarity as to the standards of compliance expected of organisations that have to transfer personal data collected in Singapore to a country or territory outside Singapore. The basic principle, known as the Transfer Limitation Obligation, prohibits an organisation from transferring any personal data outside of Singapore except in accordance with requirements prescribed under the PDPA.1 The purpose of such requirements is to “ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under [the PDPA]” (“the Comparable Protection Standard”).
Regulations Specific to International Data Transfers
The new Personal Data Protection Regulations 2014 (“the 2014 Regulations”) issued under the PDPA on 19 May 2014, in particular Regulations 8 to 10, have now set out the conditions under which an organisation may transfer personal data overseas.2
In essence, before personal data is transferred overseas, the transferring organisation must:
- take appropriate steps to ensure that it (the transferring organisation) has complied with the relevant provisions under the PDPA (“Condition (a)”); and
- take appropriate steps to ascertain whether, and to ensure that, the receiving party of the personal data (“the Receiving Party”) is bound by legally enforceable obligations (in accordance with Regulation 10) to apply the Comparable Protection Standard to the transferred personal data (“Condition (b)”).
As the transferring organisation’s obligations under Condition (a) are a given, the more challenging issue is how a transferring organisation is expected to satisfy its obligations under Condition (b). Two points are pertinent.
Firstly, the term “legally enforceable obligations” is defined in Regulation 10 to include obligations imposed on the Receiving Party under any law, any contract, any binding corporate rules, and any other legally binding instrument.3 In particular, a contract or binding corporate rules must require the Receiving Party to apply the Comparable Protection Standard to the transferred personal data.
Secondly, Regulation 9(3)(a)-(g) sets out a number of scenarios where a transferring organisation is presumed to have satisfied Condition (b). One interesting scenario arises under Regulation 9(3)(a), where the presumption is triggered if the individual consents to the transfer of the personal data to the Receiving Party in a foreign country or territory.4
Such consent is only valid5 if:
- before giving his consent, the individual was given a reasonable summary in writing of the extent to which the personal data to be transferred will meet the Comparable Protection Standard;
- the transfer of personal data overseas, where consent to such transfer is required by the transferring organisation as a condition of providing a product or service, is reasonably necessary to provide the product or service to the individual; or
- the transferring organisation did not provide false or misleading information about the transfer of personal data overseas, or used other deceptive or misleading practices.
Also, consent for the transfer of personal data overseas may be withdrawn at any time.6
Issues Arising from Enhanced Provisions
Whilst the 2014 Regulations helpfully set out the structure that needs to be in place, parties should be aware of the following issues when transferring personal data overseas.
Business and Security Risks
(a) Business Risks
If a transferring organisation seeks to impose, by contract, an obligation on the Receiving Party to apply the Comparable Protection Standard to the transferred personal data, it does not necessarily follow that the transferring organisation can enforce such an obligation in the country of the Receiving Party. Whether such an obligation is enforceable may depend to a large extent on the remedies available in the legal system in which the Receiving Party operates. It may also depend on the resources available to the Receiving Party to satisfy any such remedies. Enforceability in theory should therefore be distinguished from enforceability in practice.
As such, it may be prudent for the transferring organisation to satisfy itself by conducting appropriate due diligence on the Receiving Party, especially if it is not a transfer between companies within the same group of companies, where binding corporate rules are likely to apply to both the company based in Singapore and its related company overseas.
It may also be prudent to consider having in place measures such as business continuity and data recovery plans to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered.
Furthermore, the transferring organisation should also consider the risks of the Receiving Party becoming insolvent, transferring its relevant business activities, or undergoing a change of management, ownership or control, and should provide for such possibilities in the contractual relationship.
(b) Security Risks
Transferring organisations should recognise that no system is absolutely fool-proof and that constant upgrading and updating are always required. It would be reasonable to assume that most transferring organisations would at least find out about, or conduct some form of due diligence on, the system that the Receiving Party has in place to protect the personal data that it receives.
In addition, a regular monitoring process for the security system in place would go some way towards early detection and enable the Receiving Party and/or the transferring organisation to take early and decisive corrective or remedial measures. There are numerous ways to achieve this, but the underlying intention and result should be for the transferring organisation to satisfy itself that it has taken all reasonable steps to ensure that the personal data is housed with a Receiving Party that has a reasonable system of security for the protection of data in place. Needless to say, the Receiving Party having a proper data security policy in place would be a good start. Alternatively, the transferring organisation should consider having regular Threat-Risk-Vulnerability Assessments (“TRVA”) conducted on the security capabilities of the Receiving Party.
Transferring organisations should also be aware of specific compliance requirements. Organisations that are subject to specific regulations (such as the Sarbanes-Oxley Act) should be aware that some of these regulations require regular reporting and audit trails regarding the storage and use of data. Transferring organisations must prepare Receiving Parties to comply appropriately with these regulations.
Apart from the security and compliance issues enumerated above, transferring organisations and their Receiving Parties should consider looking at issues that affect the relationship between them and provide for such terms accordingly. Such issues would include apportionment of liability in the event of a data breach, compromise or loss, or providing for the scenario for the end-of-service and the ultimate return of data to the transferring organisation.
The possibility of insurance coverage is relatively new in this area but should be considered. Data security risks are on the rise, and insurance companies, becoming increasingly aware of such events, are taking steps to provide data owners with coverage against such risks. Transferring organisations should consider insurance coverage as an additional means of mitigating the risk of such loss.
The 2014 Regulations do not address every possible data protection risk and were likely not intended to do so. The purpose of the 2014 Regulations is to provide a measure of assurance to individuals whose personal data is being transferred overseas by imposing minimum requirements on the transferring organisation.
However, international data transfers involve cross-border jurisdictional issues. The importance of setting out clearly the minimum contractual obligations of transferring organisations, even in a well-drafted contract, must always be balanced against the ability to enforce such obligations in the country of the Receiving Party.
Of equal practical importance is the ability to foresee and prevent such risks through a thorough background investigation of the Receiving Party, and to have regular TRVA conducted on the Receiving Party.