An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
In 2020 and 2021, Singapore continued to develop its data protection, cybercrime, and cybersecurity regimes. As set out in Singapore's Cyber Landscape 2019 report,[2] the government has focused on four pillars of strategy to protect the country from cyberthreats and reinforce Singapore's standing as a leading information systems hub. It is aimed at building a resilient infrastructure, creating a safer cyberspace environment, developing a vibrant cybersecurity ecosystem and strengthening international partnerships. The key legal components in this strategy include the Personal Data Protection Act 2012 (PDPA), Singapore's first comprehensive framework established to ensure the protection of personal data, the Computer Misuse Act (CMA) to combat cybercrime and other cyberthreats, and the Cybersecurity Act 2018 (Cybersecurity Act), which focuses on protecting Singapore's Critical Information Infrastructure (CII) in 11 critical sectors and establishing a comprehensive national cybersecurity framework. In November 2020, Singapore's legislature approved amendments to the PDPA. These amendments are being implemented in phases, with some having taken effect on 1 February 2021.
In this chapter, we will outline the key aspects of the PDPA, the CMA and the Cybersecurity Act. The chapter will place particular emphasis on the PDPA, including a brief discussion of the key concepts, the obligations imposed on data handlers, and the interplay between technology and the PDPA. Specific regulatory areas such as the protection of minors, financial institutions, employees and electronic marketing will also be considered. International data transfer is particularly pertinent in the increasingly connected world; how Singapore navigates between practical considerations and protection of the data will be briefly examined. We also consider the enforcement of the PDPA in the event of non-compliance.
The year in review
i PDPA developments
There were a number of significant developments related to the PDPA and the Personal Data Protection Commission (PDPC – the body set up to administer and enforce the PDPA) from July 2020 to June 2021.
In November 2020, Singapore's legislature approved important amendments to the PDPA, which took effect in phases, beginning on 1 February 2021. Important changes have been introduced to the PDPA, including the introduction of a mandatory data notification requirement and a new legitimate interests exception. These changes are discussed in detail below.
The PDPC increasingly emphasises the principle of accountability in the context of personal data protection and has provided guidance on how organisations may demonstrate accountability for personal data in their care. The PDPC has also published new guidance and revised existing guidelines to help organisations comply with the new requirements under the amended PDPA, including the Guide on Managing and Notifying Data Breaches (Data Breach Notification Guide) under the PDPA[3] and the Advisory Guidelines on Key Concepts in the Personal Data Protection Act.[4]
ii CMA developments and the Cybersecurity Act
Cybercrime and cybersecurity are regulated under the CMA (formerly known as the Computer Misuse and Cybersecurity Act) and the Cybersecurity Act, both of which are closely linked.
The CMA was amended in 2013 and again in 2017 to strengthen the country's response to national-level cyberthreats. The amendments broadened the scope of the CMA by criminalising certain conduct not already covered by the existing law and enhancing penalties in certain situations (for example, the amended CMA criminalises the use of stolen data to carry out a crime even if the offender did not steal the data himself or herself, and prohibits the use of programs or devices used to facilitate computer crimes, such as malware or code crackers). The amendments also extended the extraterritorial reach of the CMA by covering actions by persons targeting systems that result in, or create a significant risk of, serious harm in Singapore, even if the persons and systems are both located outside Singapore.
In keeping with the government's emphasis on safeguarding critical information infrastructure, the Cybersecurity Act was enacted on 31 August 2018. The Cybersecurity Act created a framework for the protection of CII against cyberthreats, created the Commissioner of Cybersecurity with broad powers to administer the Cybersecurity Act, established a licensing scheme for providers of certain cybersecurity services, and authorised measures for the prevention, management and response to cybersecurity incidents in Singapore.
While there have been no significant legislative developments in this area since 2018, cross-border enforcement of the Cybersecurity Act remains a challenging problem, particularly for cloud-based service providers. Singapore has signed memoranda of understanding (MOUs) and entered into cooperation arrangements with multiple foreign governments to facilitate international collaboration on cybersecurity. These MOUs and cooperation arrangements are with Australia, Canada, India, France, Germany, Japan, the Republic of Korea, the Netherlands, New Zealand, the United States and the United Kingdom.
iii Recent developments and regulatory compliance
Although the developments with the CMA and the Cybersecurity Act represent significant milestones in Singapore's overall cybersecurity strategy, the key compliance framework from the perspective of companies and organisations remains, at this point, data protection and privacy. The CMA is primarily a criminal statute, and the government has not issued any regulations or guidelines for the CMA. The Cybersecurity Act imposes a number of legal requirements on CII owners and cybersecurity service providers, but until the government issues implementing regulations or advisory guidance regarding these new requirements, organisations' focus will be on the PDPA and its related regulations, subsidiary legislation and advisory guidelines.[5]
Singapore experienced its most serious data privacy breach yet in July 2018 when hackers infiltrated Singapore Health Services' (SingHealth) databases, compromising the personal data of 1.5 million patients, including the outpatient prescriptions of Prime Minister Lee Hsien Loong. The PDPC fined Integrated Health Information Systems (the IT agency responsible for Singapore's public healthcare sector) S$750,000 and SingHealth S$250,000 for breaching their data protection obligations, which led to the breach. Since then, there have been a number of high-profile data breach incidents, as highlighted in Section VII.
The amendments to the PDPA represent an important step in bringing Singapore's data privacy law in line with international standards, such as the GDPR. As outlined above, apart from consent given by an individual, organisations in Singapore now have more legal bases to collect, use or disclose personal data. In particular, the ability for organisations to deem consent by notification will give businesses more flexibility in managing and using the personal data collected, as organisations may not necessarily be able to foresee, at the time of collection, all the purposes for which the data will be used. At the same time, certain newly introduced elements, particularly the mandatory data breach notification, also serve to encourage accountability on the part of organisations in the handling of personal data.
Companies that collect personal data in Singapore should pay attention to the future development of the enforcement of the new requirements in the PDPA, as future cases will likely provide further guidance on how the new requirements will be enforced, including, for example, under what circumstances organisations may rely on the legitimate interest exception.