Singapore joined the ranks of Asia-Pacific jurisdictions with a data protection regime after its Parliament passed the Personal Data Protection Bill (the Bill) on 16 October 2012. The Bill marks a shift from a sectoral approach to data protection to a regime that applies across the economy in Singapore.
The Bill applies to all private sector organisations in Singapore, as well as any organisations located outside of Singapore but are engaged in data collection, processing or disclosure within Singapore.
Modelled on data protection framework in key jurisdictions including the EU and Hong Kong, the Bill requires organisations to obtain consent from data subjects to the collection, use or disclosure of their personal data. Some exemptions apply, eg processing of personal data which is publicly available, or when consent could not be obtained in a timely manner. Data subjects also have to be provided with information on the purposes for the collection, use or disclosure of their personal data. Organisations could only collect, process or disclose personal data for the purposes outlined in the data subject's informed consent. Data subjects could withdraw his or her consent at any time.
Data subjects may access their personal data and require organisations to make corrections. Organisations are required to make reasonable effort to ensure the accuracy, completeness and protection of the personal data, and to delete personal data that are no longer necessary for the purposes for which it was collected. The Bill requires organisations to have designated individual(s) to ensure data protection compliance.
The Bill includes a requirement for organisation transferring data outside Singapore to ensure that the level of protection afforded to the data transferred continues to be comparable to that offered by the Bill. The standard of protection required has not been specified. However, organisations may apply for an exemption from the Commission.
The Bill establishes a Personal Data Protection Commission (the Commission) to promote data protection awareness in Singapore as well as to cooperate with foreign data protection authorities. It is also responsible for enforcing the Bill, with powers to give "directions" to organisations that are deemed to be non-compliant. These directions, which could be payment of financial penalty of up to SGD 1 million (roughly USD 820,000), could be enforced by a district court in Singapore. Committing an offence under the Bill could lead to a fine of SGD 10,000 (roughly USD 8,200) or up to three years imprisonment, or both.
On the whole, the Bill sketches a data protection framework for Singapore, leaving the finer points to be determined at a later stage. For instance, the Bill does not define "sensitive personal data" nor requires special handling of such data.
Small and medium-sized companies are expected to be more affected than multinational companies, which may already be compliant with the higher standards required in European jurisdictions. In response, Dr Yaacob Ibrahim, Minister for Information, Communications and the Arts, said that measures have been put in place to mitigate such costs. For example, the Bill imposes fewer obligations on data processors. They are only subject to obligations for the care and retention of personal data that they process on behalf of another organisation pursuant to a written contract.
Companies that traditionally use telemarketing to reach out to customers are likely to be hit hardest by the establishment of a Do Not Call Registry (the DNC Registry) by the Bill. Organisations are prohibited from sending messages for marketing purposes to Singapore telephone number which are registered on the DNC Registry.
There will be a 12-month transition period for the DNC Registry provisions to come into force and a 18-month period for the rest of the Bill. These "sunrise" periods are intended to allow organisations to implement the necessary changes to become compliant. Dr Ibrahim confirmed that during this period, the Commission will "focus on building up the capabilities of organisations to comply" with the Bill. It will do so through issuing advisory guidelines, providing educational materials and conducting outreach activities to help organisations better understand the Bill. The Bill is expected to be passed as an Act between January and February 2013.