Regulations with Data Export Limitations Bring Singapore's Data Privacy Law into Force

Greenleaf, Graham

Download This Paper

Open PDF in Browser

Add Paper to My Library

Regulations with Data Export Limitations Bring Singapore's Data Privacy Law into Force

(2014) 130 Privacy Laws & Business International Report, 1-4

UNSW Law Research Paper No. 2014-60

4 Pages Posted: 31 Oct 2014 Last revised: 19 Jul 2015

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: August 30, 2014

Abstract

On 2 July 2014, the data protection provisions of Singapore’s Personal Data Protection Act 2012 (PDPA) came into force, following an 18 month transition period for companies to prepare for compliance. To complete the process, the Personal Data Protection Regulations 2014 (PDPR) were made on 15 May 2014.

This article considers the most important aspects of the Regulations, which concern personal data exports. Singapore’s approach is very thorough and not easily classified – it is sui generis. The Act requires that data exports should only be to recipients bound by legally enforceable obligations comparable to those found in Singapore, and also includes some elements of extraterritoriality. Regulation 10 specifies that ‘legally enforceable obligations’ may include laws, contracts, binding corporate rules (BCRs) or ‘any other legally binding instrument’. It probably gives individual data subjects few opportunities to protect themselves against unprotected exports, unless an export becomes publicly notorious. However, it does impose obligations on companies which, if not observed, could result in PDPC enforcement action if something goes badly wrong.

Other aspects of how the PDPA is being brought into force are also explained, including regulations concerning deceased persons, various draft Guidelines, and exemptions promulgated by the Monetary Authority of Singapore which illustrate a major weakness of the PDPA. They have a common feature that businesses involved with Singapore need to be aware of considerable regulatory detail or there are considerable risks involved.

Keywords: data protection, privacy, Singapore, Asia, BCR, binding corporate rules, data exports

Suggested Citation: Suggested Citation

Greenleaf, Graham, Regulations with Data Export Limitations Bring Singapore's Data Privacy Law into Force (August 30, 2014). (2014) 130 Privacy Laws & Business International Report, 1-4, UNSW Law Research Paper No. 2014-60, Available at SSRN: https://ssrn.com/abstract=2516735