All questions

Intellectual property and data protection

Fintech business models and related software may be protected by various intellectual property rights in Singapore. Patent protection may be available, and the Intellectual Property Office of Singapore recently launched a new FinTech Fast Track initiative that facilitates a faster patent application-to-grant process for fintech inventions. Alternatives to patent protection include copyright or protection as trade secrets or confidential information, depending on the nature of the business model. Software would generally be protected by copyright. It is not necessary to carry out any registration in Singapore to obtain copyright protection.

If an employee develops an original work in pursuance of the terms of his or her employment, the default rule is that ownership of the copyright in the original work vests in the employer. If a contractor develops an original work, the default rule is that the contractor continues to own the original work. However, it is common for employees and contractors to be bound by written contractual obligations that specify ownership of the intellectual property they develop, and these default rules may be overridden. Fintech companies should ensure that their employees and contractors enter into such agreements.

The Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) would apply to client data to the extent that it comprises personal data, which is defined as 'data, whether true or not, about an individual who can be identified (a) from that data, or (b) from that data and other information to which the organisation has or is likely to have access'. In brief, there are two key parts of the PDPA:

  1. protection of an individual's personal data, including in relation to requiring consent, granting access and correction rights, requiring reasonable security, and limiting transfers overseas; and
  2. establishment of a do-not-call registry for individuals to opt out from receiving certain types of marketing messages addressed via Singapore telephone numbers.

Internet protocol solutions may still be subject to the do-not-call registry (e.g., one such solution subject to this regime is WhatsApp).

Client data will also be protected by the common-law obligations of confidentiality. A recipient of data would be subject to confidentiality restraints where data or information in question is:

  1. confidential as regards the giver of the data or information; and
  2. imparted under circumstances where the recipient knew or ought to know that the data or information in question was confidential.

If confidential information is disclosed without consent, there is a risk that such disclosure would be in breach of confidence.

Singapore also has banking secrecy and trust secrecy regimes. While there are no special rules specifically focused on regulating the digital profiling of clients, it would be relevant to consider the PDPA and the various other data protection and privacy-related regimes in the implementation of a profiling solution, especially for companies providing financial services.