Is Singapore Mulling Data Privacy Legislation?
Industry Leaders Seem to Favour New Privacy and Breach Legislation
Singapore seems to be taking the lead in the Asia Pacific region in carefully studying the European Union's recently passed General Data Protection Regulation. The nation may be one of the pioneers in the region to come out with legislation of a similar nature - given that there is strong support from data privacy proponents who are influencing the government to issue a law mandating reporting of data breaches, as well as data protection laws in line with "mature jurisdictions" along the lines of those in the U.S., Canada and Europe (see: Australia, New Zealand Still Mulling Data Breach Laws).
Unlike the U.S. or Europe, where regulatory bodies such as the Securities and Exchange Commission require disclosure from victimised firms and have also brought enforcement action against firms whose systems were deficient, Singapore works differently (see: Mandatory Breach Notifications: Europe's Countdown Begins). Institutions in Singapore are expected to report any breach to Singapore's Personal Data Protection Commission, which would take action and guide the firm (see: Singapore Debates Breach Disclosure).
The Act is expected to clearly define the severity of data loss that could trigger a breach notification, although at this point in time there is no clarity on what kind of data loss or leakage would require notification.
Recently, Yaacob Ibrahim, minister for Communications and Information, told the Parliament that Singapore would soon have a cybersecurity bill, and the proposed law will ensure that operators of Singapore's critical information infrastructure take active steps to secure such systems and report incidents (see: Singapore to Introduce Cybersecurity Bill).
Impact of EU's Regulation
The EU's regulation comes at a time when Singapore is revising its data protection laws to incorporate data breach and privacy aspects.
To this effect, Wong Yu Han, director of strategy at Singapore's Cyber Security Agency, recently said that it's critical to revise its data protection laws as the measures to counter data leaks are complex.
There is a need to amend the law as the government has not defined any parameters for organizations to report a breach for consumers or enterprises to take necessary precautions. Another reason is that the Singapore government has not segregated a clause around personal and corporate data, which has resulted in confusion when it comes to reporting a data leak.
Experts believe that considering Singapore already has a comprehensive data protection act in place, EU's new data protection enactment might reinforce Singapore's data protection initiative and offer guidance in achieving compliance.
Anthony Lim, vice chairman and senior cybersecurity adviser for Frost & Sullivan and vice chairman of the application security council at (ISC)2, says there is indeed some speculation in the industry, as experts watch for the government to roll out a data breach disclosure norm while it carefully studies the EU's regulation to include specific clauses.
"The Singapore government can emulate best practices from California SB 1386, which pioneered the practice of creating mandates for reporting data breaches and also some components of EU's new GDPR regulations, to come up with an idealistic legislation," he says.
Data Privacy and Protection Challenges
Although Singapore's Personal Data Protection Act, which came into force in 2014, contains new rules on collection, use or disclosure of individuals' personal data and imposes a number of additional requirements on businesses - including an obligation to provide individuals with access to their own data upon request - it faces certain challenges.
The key challenge is that it does not mandate entities to report breaches, and as the chairman of Singapore's Personal Data Protection Commission Leong Keng Thai candidly said, the act is still in the early phase of implementation, and organizations require more guidance in achieving compliance.
The lack of appropriate enforcement norms and the lack of public awareness, especially among corporations, SMEs and individuals, are big challenges.
Many argue that policing compliance policies, and the cost of doing so, are also a challenge.
Any Time Soon?
Lim says the basic takeaway is that the EU directive is quite thorough and comprehensive, which would enable Singapore to borrow some sections and incorporate them into its Act.
However, the only challenge would be to modify them based on the local privacy and legal frameworks. Privacy leaders are quite optimistic about Singapore rolling out legislation soon, and guess it could be just a year from now. Lena Ng, Singapore-based counsel and consultant at Clifford Chance, a risk management firm, observes it would be a positive gesture to have a data protection and breach disclosure norm soon.
"Monetary Authority of Singapore works with PDPC in determining risk and put in place regulations that facilitate disclosure of information that consumers could rely on in making financial decisions, which is a good sign," she says.
Besides working with the financial sector, PDPC is also working with other industry verticals to establish a data protection norm.
Another positive step is PDPC's direction to secure compliance under Section 29(1) of the PDPA, which prescribes rules to comply with any of the data protection provisions, and Section 20(2) of the Act, which spells out penalties for non-compliance with any of the data protection provisions.
Given that the ministry will table its new Cybersecurity Bill in Parliament next year (2017), it will pave the way for establishing its revised data protection and breach disclosure law.
Proponents suggest the government should work with the private sector to raise public awareness of the importance of data protection and help them inculcate the discipline of reporting breaches as a natural and logical process.
So, what's your take on Singapore rolling out its data privacy and protection legislation?