Singapore’s Personal Data Protection Act (“PDPA”) is currently under review. In 2017, the Personal Data Protection Commission (“PDPC”) launched a public consultation on proposed amendments relating to the general concepts of collection, use and disclosure of personal data, and to notifications of data breaches. Separately, the PDPC and the Competition and Consumer Commission of Singapore (“CCCS”) jointly issued a paper on 25 February 2019 that discusses the specific issue of data portability (“Discussion Paper”).
This article draws upon the findings in the Discussion Paper and suggests that a data portability requirement should be as technology-agnostic as possible, so that stakeholders are not prevented from relying on emerging technologies where appropriate.
Overview of data portability
Data portability is defined in the Discussion Paper as allowing individuals to “move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to stability”. By extension, the data portability requirement is defined as enabling individuals to request a copy of their data held by an organisation in a structured, commonly used and machine-readable format, and to have the organisation transmit the data to another organisation.
Further, the PDPC and CCCS opined that data portability “involves an overlap between competition law and data protection law”. From a data protection standpoint, this requirement is intended to give individuals more control over their personal data in connection with choosing goods and services providers. According to the PDPC and CCCS’ findings, individuals are deterred from switching to alternative organisations because they would have to re-submit their personal data. From a competition perspective, the introduction of a data portability requirement is envisioned to reduce “switching costs”, as individuals can simply request that an organisation already in possession of their personal data port it over to a competing organisation.
How blockchain technology complements data portability
In addition to issues of competition law and data protection law, the nexus between data portability and technology and innovation should also be considered. If the desired outcome is to enable individuals to transfer their personal data between organisations easily and securely, a legal requirement of data portability may merely be one of many means to an end. Taking into account the PDPC and CCCS’ reasoning, blockchain technology may be able to complement a data portability requirement in achieving the objectives of data portability.
i) Effecting the porting of data
Administrative difficulties tend to be technologically soluble. Blockchain technology, in particular, has already been employed to offer novel solutions relating to the management of personal data.
Blockchain technology is capable of addressing the issue of “switching costs” in the data portability context because it can facilitate direct relationships and transactions between an individual and multiple organisations.
As a piece of data can be cryptographically secured by a private key, the owner can grant or revoke access by third parties to that data as required. The individual only needs to upload his or her personal data once, and the data may be subsequently reused at his or her discretion. Should the individual wish to switch to a new service provider, the solution would simply be to grant such new service provider permission to access the data. Blockchain applications can therefore make it easier for an individual to reuse their personal data amongst different organisations without having to rely on any organisation to port it.
That being said, the use of blockchain technology alone is unlikely to fully replicate the potential scope of a data portability requirement as it has been described in the Discussion Paper. Based on the indications in the Discussion Paper, the PDPC and CCCS appear open to adopting a wider interpretation of “data” for the purpose of data portability, which encompasses not just data voluntarily provided by the individual (i.e. “user-provided data”) but also new personal data that organisations have generated based on such user-provided data (i.e. “observed data” and “derived data”). This is because a wider ambit of data that can be ported “increases the incentives and benefits to innovation and competition that are expected to accompany a data portability requirement”, to the extent that observed data and derived data are required by the alternative organisation.
If the data portability requirement does cover a wider scope of data than user-provided data, individuals likely would not be in control or possession of such observed or derived data without first exercising their rights of access to request copies (a right which is subject to exceptions and restrictions).
Furthermore, individuals may find it easier to simply request an organisation to port their data instead of arranging for the porting of data on their own. Depending on the circumstances, a hybrid approach is also possible where the individual independently ports certain data while requesting an organisation to effect the porting of other data sets.
As such, blockchain technology is unlikely to provide a complete alternative to the data portability requirement, but it can certainly complement the introduction of such a requirement.
ii) Monitoring the porting of data
It is also important to consider the need for oversight over the data porting process. In order for an individual to meaningfully rely on the data portability requirement, he or she should also be aware of what is being ported. However, individuals may lack oversight of two related areas.
First, an individual may not know how much of the data controlled by the original organisation needs to be ported to the alternative organisation. In many cases, an individual may not wish to effect a blanket transfer of all the personal data in the control of the first organisation to another. However, he or she could inadvertently agree to the porting of more data than what is required for onboarding, such as for collateral purposes of marketing or research.
Second, an individual may not be able to ascertain what is eventually ported to the alternative organisation and whether it is in accordance with their instructions. The reliance on organisations to effect the data portability requirement means that individuals have to repose their trust in these organisations to act properly and correctly. However, there is a risk that organisations may exceed the individual’s mandate and port personal data beyond the scope of what was intended – whether intentionally or otherwise.
Without the ability to monitor the porting of data between organisations, an individual will face difficulties in identifying lapses, exercising control over their personal data and taking the requisite steps to correct these situations.
One option to address these concerns would be to legislate. Provisions requiring organisations to provide individuals with adequate information have been adopted under the version of the PDPA currently in force, for example in relation to the withdrawal of consent. These provisions prescribe that organisations must provide clear and accessible information on the purposes for which they may collect, use or disclose personal data, so that an individual may withdraw consent for “optional” purposes without concurrently withdrawing consent for “necessary” purposes.
In the context of data portability, the legislative solution could be to prescribe that organisations provide individuals with clear and accessible information on the scope of personal data that needs to be ported for the provision of services. Organisations may also be required to provide individuals with reports on what was actually ported, upon request.
These approaches are again based on the premise that organisations are best placed to inform individuals about the processing of their personal data. However, blockchain-based applications can give individuals oversight of the porting process without the need to impose corresponding obligations on organisations. Ostensibly, an individual would have the most oversight over what is being ported if he or she effects the porting of data independently, since there is a direct individual-organisation relationship.
Even if the individual relies on an organisation to port data, integration of the porting process with blockchain technology can still enable an individual to track the porting independently, reliably and with greater ease. For example, if customer data is stored on blockchain-supported repositories, the porting, modification or other processing of data could each be executed as transactions on the blockchain. Records of these transactions provide individuals with a secure and reliable audit trail. These records will also enable individuals to countercheck reports provided by organisations.
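As an added illustration, not taken from the article or the Discussion Paper, the following Python stands in for the audit trail described above: a hash-chained log of porting transactions on which an individual can both check that no record has been altered after the fact and compare what was actually ported against the scope he or she authorised. The individual, organisations and field names are constructed for the example.

```python
"""Hash-chained audit trail of data-porting transactions (constructed example)."""
import hashlib
import json
from dataclasses import dataclass, field


def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class PortingLedger:
    """Append-only log; every entry commits to the hash of the entry before it."""
    entries: list = field(default_factory=list)

    def record(self, individual, from_org, to_org, fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"individual": individual, "from": from_org, "to": to_org,
                "fields": sorted(fields), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify_chain(self):
        """Recompute every hash and back-link; False if any record was altered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def over_ported(ledger, individual, mandate):
    """Fields ported for `individual` that fall outside the authorised `mandate`."""
    ported = set()
    for e in ledger.entries:
        if e["individual"] == individual:
            ported.update(e["fields"])
    return sorted(ported - set(mandate))


def demo():
    # Constructed scenario: the individual authorised three onboarding fields,
    # but the original organisation also ported marketing preferences.
    mandate = {"name", "email", "account_no"}
    ledger = PortingLedger()
    ledger.record("alice", "BankA", "BankB", ["name", "email", "account_no"])
    ledger.record("alice", "BankA", "BankB", ["marketing_prefs"])
    return over_ported(ledger, "alice", mandate), ledger.verify_chain()
```

Run against an organisation's own report, `over_ported` flags the excess field and `verify_chain` confirms the records it was derived from are intact.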
Accordingly, it is important to calibrate any reporting obligations to take into account the possibility of alternative approaches enabled by technology.
In a world where data has arguably become the most valuable resource, the effective implementation of data portability will be instrumental in Singapore’s transformation into a Smart Nation and Digital Economy. At the same time, it is important to not lose sight of the forest for the trees. A singular focus on promoting data flows runs the risk of stifling innovation in other data-related domains. Blockchain-based applications have the potential to achieve the intended outcomes of data portability by reshaping the dynamics between organisations and individuals in relation to personal data. With the growing expectation for organisations to improve the transparency relating to their use of personal data, organisations can also make use of blockchain solutions to demonstrate good data protection practices.
Therefore, if a data portability requirement is eventually adopted in Singapore, it should not preclude the innovative use of new technologies such as blockchain. One suggestion is to expressly state the guiding principles of data portability in the relevant legislation, which will govern the application of legal requirements in practice. For example, if an individual already possesses, or can easily obtain, a copy of his or her data held by an organisation, the organisation should not be additionally required to comply with the data portability requirement. This can help to right-size the data portability requirement and avoid imposing a disproportionate burden on organisations.