On 25 February 2019, Minister for Communications and Information announced that Singapore is considering, as part of an ongoing review of the Personal Data Protection Act (PDPA), introducing a data portability requirement that would confer greater control and rights by data subjects over the movement of their personal data across service providers.
In connection with this, a discussion paper on data portability has been made available by the Personal Data Protection Commission in collaboration with the Competition and Consumer Commission of Singapore.
Data portability is a right that is conferred by individuals to request that a copy of their data be transmitted in a structured, commonly used and machine-readable format to another organisation. It is commonly viewed as a natural extension of the individual/data subject’s right to access under data protection law.
Several jurisdictions, including Australia, the EU, India, Japan, the Philippines, New Zealand, and California, in the United States, have either already adopted or are considering adopting the right to data portability. Other jurisdictions including the UK and the U.S. have also implemented sector-wide data portability: for instance, in the financial and health sectors, respectively.
The discussion paper examines the potential impact of introducing data portability to the market in Singapore, and some of these key points are as follows:
- Effects on market competition arising from potentially lower switching costs and barriers to entry and expansion. This is because there would be a reduction in friction involved in moving data for consumers, which lowers the cost of switching. The reduction in switching costs could enhance competition and lower the barriers to entry, since consumers can simply switch to another supplier with a more suitable or attractive offer.
- External benefits arising from increased data use where data portability leads to more data being provided by individuals to organisations. This, the discussion paper noted, could be particularly beneficial for the health care sector and certain financial applications (for example, better risk assessment), as well as in transport and infrastructure planning.
- Higher productivity derived from the ease of combining data from different sources can lower the cost of producing data-enabled products and services.
- Innovation from combining data in new ways across organisations and industries, for instance, in concentrated and adjacent markets where organisations provide complementary products and services. It was also noted that “recombinant” innovation could, over time, become a key benefit as it reduces switching costs of technology adoption and speeds up technological progress.
The discussion paper also highlighted a number of other considerations relating to the implementation of data portability in Singapore, such as the following:
- The limits should be clearly defined to provide certainty to businesses and consumers. For instance, clarity would be needed as to the types of data subject to the data portability requirement – does the data include electronic and non-electronic data, user-provided, observed and derived data, etc., and do they also extend beyond personal data?
- Data portability could be more costly for some businesses compared to others. Hence, there would need to be a concept of proportionality via de minimis threshold for volume of data together with a cap on the frequency of requests (among other things).
- Further details should be provided as to the format specifications of the data and technical standards that would be necessary to achieve interoperability.
- Compliance costs would need to be examined. These may need to factor in the size of the organisation and other associated concerns, such as whether the fee can be imposed and in what circumstances for the porting of data, and if so, how reasonableness of such fee will be assessed.
- Cross-sectoral use cases should be studied to understand how portability yields benefits in varying sectors.
- Data security is another pertinent consideration. Among other factors, there should be sensible limits to any data recipient’s liability, guidance as to when a request to port data may be refused, timeframes within which requests should be complied with and specified powers for the regulator to review any contraventions of these requirements.
- Consumer protection should be considered, including factors such as the information that organisations will be required to provide to consumers to enable them to exercise their rights and protect their interests.
In summary, data portability has to strike the right balance between granting consumers greater control to their data and minimising associated costs to businesses (which could otherwise then be passed onto consumers). The discussion paper aims to provide a framework for further exchanges and future consultations on the relevant issues pertaining to the introduction of data portability in Singapore.