Singapore's Personal Data Protection Act 2012: Scope and Principles (with so Many Exemptions, it is only a ‘Known Unknown’)
Privacy Laws & Business International Report, Issue 120, December 2012, pgs 1, 5-7
5 Pages
Posted: 7 Feb 2013
Date Written: January 25, 2013
Singapore’s legislature enacted the Personal Data Protection Act on 15 October 2012, making it the tenth jurisdiction in Asia to enact a data privacy law. It is the fourth data privacy law enacted in the ASEAN (Association of South East Asian Nations) region. This article explains the scope of Singapore’s Act, and its data privacy ‘General Rules’.
Singapore’s Act now implements all of the OECD privacy guidelines (with very substantial exemptions and qualifications), and adds some extra protections. The complex provisions defining the scope of the Act, providing many exceptions, reveal some of its weaknesses as data protection. These exemptions make the scope of the Act a ‘known unknown’. Many aspects are quite balanced. While the Act exempts data intermediaries, it makes data controllers vicariously liable for their acts. Similarly, data exports may be allowed, but may also carry vicarious liability. The exceptions to the collection, use and disclosure principles are extremely extensive. The overall result appears to be a minimal version of a ‘normal’ data privacy law, but an Act that is more holes than cheese.
The article will be followed in the next issue with an examination of the Act’s enforcement measures.
Keywords: Asia, Singapore, privacy, data protection