Teaching Us to Fish – An Important Step Forward
Comments to the Personal Data Protection Commission’s Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy
In yet another display of its progressive approach to working with various stakeholders, the Personal Data Protection Commission (PDPC) of Singapore had on 1 February 2018 released its “Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy” (the Response). The Response shows the recognition of an important point: that the law’s impact is shaped by context, and so must be balanced, nuanced and flexible.
As a starting point, even considering updates to the law is a welcome move. Given the ever-changing digital economy and increasing security risks, it is timely for the PDPC to propose an enhanced framework for the collection, use and disclosure of personal data, together with the proposed mandatory breach notification regime, to protect individuals’ personal data in Singapore.
Having considered the views received from the public between July and October last year, the PDPC’s strategy has been to aim for greater flexibility of application while anchoring the rules to a core set of principles. The unspoken but obvious aim is to provide more avenues by which organisations can fairly and transparently leverage the data they hold to address the demands of the present economy.
Moreover, the PDPC has also promised that it will provide further guidelines beyond the overarching principles enunciated in the proposed changes and its Response. This is a good thing. It is hoped that the guidelines will provide case studies or examples of what types of processes are acceptable. Nothing drives home a point more than real-life hypotheticals.
Notably, the anchor principle of ensuring responsible data use is also maintained. The obligation to conduct risk and impact assessments, such as data protection impact assessments (DPIA), is cited. Here, again, it will be useful for the PDPC to specify what types of assessment are acceptable or what factors must be taken into account. This is especially so given that, whilst risk and impact assessments are important, they exist in many forms, some being more applicable to certain situations than others. It is important that any impact assessment serves its intended purpose. One suggestion would therefore be for the guidelines to set out a fixed list of criteria or factors to be considered, with examples of how such an assessment is implemented.
Equally importantly, the PDPC has also taken the view that such an assessment need not be made available to the public or to individuals on request, but it reserves the right to require disclosure of the assessment for the PDPC’s consideration.
The PDPC also intends to provide for “Legitimate Interest” as a basis to collect, use or disclose personal data regardless of consent, but by referring to a “legitimate” interest, it has made clear that such an exception will be a tempered one. One could say this sounds like a “woolly” concept. How does one apply the criteria in real-life scenarios?
One would certainly look for guidance, perhaps criteria for public consumption and understanding. After all, the idea of legitimate expectation might apply to both organisations and the data subjects affected by their decisions. Perhaps this, as well as another concept referred to in the Response (ie, “openness”), might be detailed in practical examples and discussions in further guidelines. For now, the “openness” requirement seems to be targeted at having organisations disclose (to the public) their reliance on “Legitimate Interest” as a ground for collection, use or disclosure, and make available a document justifying such reliance.
The PDPC has also proposed instituting a mandatory breach notification requirement. The PDPC intends to implement a cap of 72 hours for affected organisations to notify the PDPC of a breach. However, this is not quite as compressed as it may appear at first glance. In the right circumstances, an assessment period of up to 30 days may apply for an organisation to assess whether the breach is one that must be notified, and if so, organisations seem to have more time to decide whether they need to issue notifications of the breach. Having said that, we will have to wait to see how the 30-day assessment period and the 72-hour cap can be implemented together, and whether the PDPC will issue further guidelines in this respect. What is made clear, however, is that where data intermediaries are involved, the data intermediary is required to notify the organisation for which it processes personal data, without undue delay from the time the data intermediary becomes aware of a breach.
Reading through the Response, one might come away with the impression that the positions taken involve an increased reliance on generalisations and abstractions, which may seem frustrating to those looking for specificity. But whilst specificity may help, it can also hinder, narrowing concepts to the point of robotic simplicity.
Instead, the current strategy appears to be to state principles, supplement the rules with additional practical guidance, and allow clear minds to digest and work out what is truly practical and what is truly fair and reasonable. For all our faith in technology, there is still no substitute for a reasoned and well-thought-out rubric.
To paraphrase an old saying: give us a fish, and you have fed us for a day; but teach us to think, and we can be on the road to nurturing a true culture of data protection.
The Law Society will continue to watch this space, but for now, the PDPC appears to have taken a balanced approach towards resolving the conundrum of balancing business costs and requirements against the increasing need to safeguard the personal data of individuals, and the practice committee stands ready to assist and contribute to this growing area of legal practice.