Regulations with Data Export Limitations Bring Singapore's Data Privacy Law into Force
(2014) 130 Privacy Laws & Business International Report, 1-4
4 Pages Posted: 31 Oct 2014 Last revised: 19 Jul 2015
Date Written: August 30, 2014
Abstract
On 2 July 2014, the data protection provisions of Singapore’s Personal Data Protection Act 2012 (PDPA) came into force, following an 18 month transition period for companies to prepare for compliance. To complete the process, the Personal Data Protection Regulations 2014 (PDPR) were made on 15 May 2014.
This article considers the most important aspects of the Regulations, which concern personal data exports. Singapore’s approach is very thorough and not easily classified – it is sui generis. The Act requires that data exports should only be to recipients bound by legally enforceable obligations comparable to those found in Singapore, and also includes some elements of extraterritoriality. Regulation 10 specifies that ‘legally enforceable obligations’ may include laws, contracts, binding corporate rules (BCRs) or ‘any other legally binding instrument’. It probably gives individual data subjects few opportunities to protect themselves against unprotected exports, unless an export becomes publicly notorious. However, it does impose obligations on companies which, if not observed, could result in PDPC enforcement action if something goes badly wrong.
Other aspects of how the PDPA is being brought into force are also explained, including regulations concerning deceased persons, various draft Guidelines, and exemptions promulgated by the Monetary Authority of Singapore which illustrate a major weakness of the PDPA. They have a common feature that businesses involved with Singapore need to be aware of considerable regulatory detail or there are considerable risks involved.
Keywords: data protection, privacy, Singapore, Asia, BCR, binding corporate rules, data exports
Suggested Citation: Suggested Citation