
The Singapore Law Gazette

Safeguarding Secrets

Navigating the Intricacies of Data Privacy in Singapore PDPA and EU Laws

This article will explore and compare the data privacy laws between the General Data Protection Regulation (Regulation (EU) 2016/679) and Singapore’s Personal Data Protection Act 2012.

With the rapid rise of artificial intelligence tools such as ChatGPT, the ease of connectivity, a thriving e-commerce economy and expanding e-Government services, principles of data protection and privacy are becoming increasingly relevant.

Backdrop of Data Protection

Over the past few years, the exponential growth of artificial intelligence such as ChatGPT,[1] the ease of connectivity, the thriving e-commerce economy and e-Government services have revolutionised how we live. Governments, corporations and individuals now rely heavily on data to operate effectively.

Whilst these developments have brought social and economic benefits, they have also raised concerns about how our personal data is stored, managed, used and deleted. Hence, rules are needed that allow us to continue enjoying the benefits of this data-rich environment while ensuring that personal data is handled securely and transparently.

This article aims to explore, compare and analyse the differences in privacy laws between the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and Singapore’s Personal Data Protection Act 2012 (PDPA).

As a matter of background, the GDPR is rooted in the European legal tradition and reflects a cultural emphasis on individual privacy rights.[2] The PDPA, meanwhile, reflects a legal framework that balances individual rights against economic interests in a technology-driven environment.[3] Understanding this cultural and legal context is therefore crucial for analysing and interpreting these regulations effectively.

Types of Data That Are Subject to the Law

Both the GDPR and the PDPA define “personal data”, although the GDPR has a further provision on sensitive data which the PDPA lacks.

The GDPR applies to virtually all types of personal data, being “any information relating to an identified or identifiable natural person”.[4] The PDPA defines personal data as “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access”.[5]

The GDPR introduces specific protection for “special categories” of data, such as health or religious information,[6] and imposes stricter conditions on their processing. The PDPA contains no specific rules for sensitive personal data, although past PDPC decisions have treated certain types of data, such as medical data, as more sensitive.[7]

Types of Organisations That Are Subject to the Law

The GDPR applies to a broad range of entities in both the private and public sectors.[8] In contrast, the PDPA applies to a narrower range of entities: it does not apply to public agencies or to organisations acting on their behalf.[9]

The reason for the discrepancy is that Singapore’s public sector entities already have their own set of data protection rules, and the Singapore government actively ensures that public officers comply with them.[10] The GDPR, on the other hand, aims to impose the same obligations on private and public sector entities alike.

Consent

Both the GDPR and the PDPA require consent before personal data is collected, but they apply differing standards.

The GDPR sets a high standard for valid consent, requiring it to be freely given, specific, informed and an unambiguous indication of the individual’s wishes.[11] The PDPA also makes consent a basis for processing personal data, but its requirements are less detailed than those of the GDPR.

To elaborate, the GDPR requires consent to be “freely given, specific, informed and unambiguous”.[12] Consent is, however, only one of six legal bases for processing personal data, and organisations, termed “data controllers” under the GDPR, must identify one of the six as their legal basis for each processing activity. The six bases are: (i) consent; (ii) processing necessary for the performance of a contract with the data subject; (iii) processing necessary for compliance with a legal obligation to which the controller is subject; (iv) processing necessary to protect the vital interests of the data subject or of another natural person; (v) processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority; and (vi) processing necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.[13]

In comparison, the PDPA provides for deemed consent: an individual is deemed to consent where the individual “voluntarily provides the personal data to the organisation for that purpose” and “it is reasonable that the individual would voluntarily provide the data” (section 15 of the PDPA). Consent is also deemed where the collection, use or disclosure is “reasonably necessary for the conclusion of the contract” between the individual and the organisation.

The PDPA does not set out a list of legal bases for processing. Instead, it provides that personal data may be collected, used or disclosed without the individual’s consent only where this is required or authorised under the PDPA or any other written law.[14] Those exceptions are found in the First and Second Schedules to the PDPA and include: (i) protecting the vital interests of individuals; (ii) matters affecting the public; (iii) the legitimate interests of the organisation or another person; (iv) business asset transactions; and (v) business improvement purposes.

The PDPA acknowledges the importance of consent but takes a more pragmatic approach, allowing for innovation without unduly burdening businesses.[15] Alongside the protection of consumers’ personal data, another key aim of the PDPA is to “support Singapore’s ambition to be an innovation and commercial hub”. This matters because 99% of enterprises in Singapore are small and medium enterprises, which employ over 70% of workers and contribute over 40% of national GDP.[16] The EU, by contrast, places greater emphasis on “protecting fundamental rights and freedoms of natural persons”, offering more detailed legislation on the protection of personal data, a right set out in Article 8 of the Charter of Fundamental Rights of the European Union.

Regulatory Reporting Requirements

Both the GDPR and the PDPA impose an obligation to notify the authorities of a data breach within a set timeline.

The GDPR requires organisations to report personal data breaches to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.[17] The PDPA requires organisations to notify the Personal Data Protection Commission (PDPC) of a data breach that is, or is likely to be, of significant scale (involving the personal data of 500 or more individuals) or that results, or is likely to result, in significant harm to the affected individuals.[18] Notification to the PDPC must be made as soon as practicable and no later than three calendar days after the organisation assesses that the breach is a notifiable breach. Both regimes also require the affected individuals themselves to be told in the more serious cases: under the GDPR where the breach is likely to result in a high risk to their rights and freedoms, and under the PDPA where it is likely to result in significant harm to them.

The difference in reporting timelines and criteria highlights distinct regulatory priorities. The GDPR’s fixed 72-hour window, running from the moment the organisation becomes aware of the breach, reflects a sense of urgency, while Singapore’s approach is keyed to the potential harm and scale of the breach and runs its three-day clock from the organisation’s own assessment, allowing for a more contextual evaluation. In practice, an organisation subject to both regimes should plan its incident response around the stricter GDPR timeline.

Enforcement

Both the GDPR and the PDPA provide for monetary penalties in cases of non-compliance, but the GDPR’s maximum penalty is much higher than the PDPA’s.

Depending on the nature of the non-compliance with the GDPR, an organisation can be fined up to EUR 20 million or 4% of its worldwide annual turnover (whichever is greater), or up to EUR 10 million or 2% of its worldwide annual turnover (whichever is greater).[19]

In comparison, under the PDPA the PDPC can impose a financial penalty of up to S$1 million or, where the organisation’s annual turnover in Singapore exceeds S$10 million, up to 10% of that turnover, whichever is higher, for non-compliance with the data protection requirements in the PDPA.[20]

The GDPR’s enforcement culture is characterised by significant fines for non-compliance, creating a deterrent effect and emphasising strict adherence to data protection principles. The PDPA, in contrast, takes a more consultative enforcement approach, encouraging organisations to work with the PDPC to achieve compliance.

Conclusion

In conclusion, while the GDPR and the PDPA share many similarities, their differences reflect the social, economic and political backgrounds of the jurisdictions that enacted them.

Endnotes

1 https://www.channelnewsasia.com/singapore/chatgpt-ai-chatbot-risks-regulations-cybercrime-phishing-3282896
2 Recital 75 (Risks to the Rights and Freedoms of Natural Persons) of the GDPR, accessed here: https://gdpr-info.eu/recitals/no-75/
3 Section 3 (Purpose) of the PDPA
4 Article 4 (Definitions) of the GDPR
5 Section 2 (Interpretation) of the PDPA
6 Article 9 (Processing of special categories of personal data) of the GDPR
7 Advisory Guidelines on Selected Topics, accessed here: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-17-May-2022.pdf
8 Article 3 (Territorial Scope) of the GDPR
9 Section 2(1) (Interpretation) of the PDPA
10 Second Reading on the Personal Data Protection Bill, accessed here: https://sprs.parl.gov.sg/search/email/link/?id=023_20121015_S0003_T0002&fullContentFlag=false
11 Article 7 (Conditions for Consent) of the GDPR
12 Recital 32 (Conditions for Consent) of the GDPR
13 Article 6 (Lawfulness of processing) of the GDPR
14 Section 13 (Consent required) of the PDPA
15 Second Reading on the Personal Data Protection Bill, accessed here: https://sprs.parl.gov.sg/search/email/link/?id=023_20121015_S0003_T0002&fullContentFlag=false
16 Singapore Economy (2022) accessed here: https://www.singstat.gov.sg/modules/infographics/-/media/Files/visualising_data/infographics/Economy/singapore-economy13022023.pdf
17 Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject) of the GDPR
18 Sections 26B (Notifiable data breaches) and 26D (Duty to notify occurrence of notifiable data breach) in Part 6A of the PDPA; Personal Data Protection (Notification of Data Breaches) Regulations 2021
19 Article 83 (General conditions for imposing administrative fines) of the GDPR
20 Section 48J (Financial penalties) of the PDPA

Legal Associate
Oon & Bazul LLP
E-mail: [email protected]

Woo Mei Yi Angeline’s experience in banking includes advising and assisting local and foreign banks in connection with banking and finance documents, security documents and foreign legal opinions.

Some of her notable transactions include assisting and acting for a foreign bank in relation to uncommitted facilities of up to US$ 40 million to a major food and agri-business company and issuing Singapore legal opinions to foreign banks on the legality, enforceability and validity of documents.

She is well versed in both English and Chinese.