July 26, 2016
In a connected world, data moves across borders every day, and most of us do not have any concerns. However, since Singapore’s data protection law came into effect on 2 January 2013, organisations in Singapore have to be mindful of the prohibitions under the law against the transfer of personal data out of Singapore.
Section 26 of the Personal Data Protection Act (No. 26 of 2012) (PDPA) prohibits the transfer of personal data to a country or territory outside of Singapore except in accordance with requirements prescribed under the Act to ensure that the standard of protection accorded to the personal data transferred is comparable to the protection offered under the PDPA.
Section 26 does not apply to:
(a) business contact information, which is defined as an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;
(b) a data intermediary (or “data processor” in the European Union) in respect of its processing of personal data on behalf of and for the purposes of another organisation. “Processing data” means the carrying out of any operation or set of operations in relation to the personal data, and includes:
(iii) organisation, adaptation or alteration;
(vi) transmission; and
(vii) erasure or destruction.
Hence, if an organisation appoints a data processor (a subsidiary or an unrelated third party), then the data processor may transfer the personal data outside Singapore in the course of its processing of the personal data. However, the organisation itself will not be permitted to transfer the personal data to a facility outside Singapore (even if the facility is owned by the organisation).
Prescribed requirements for permissible transfer out of Singapore
The Personal Data Protection Regulations (Regulations) provide that before an organisation transfers personal data to a country or territory outside Singapore, it must:
(a) take appropriate steps to ensure that it remains in compliance with all the other provisions of the PDPA as regards the transferred personal data; and
(b) take appropriate steps to ensure that the recipient of the personal data is bound by legally enforceable obligations to provide the transferred personal data with a standard of protection that is at least comparable to the protection under the PDPA.
If requirements (a) and (b) are complied with, then an organisation may transfer the personal data out of Singapore without restriction.
The Regulations set out certain circumstances under which a transferring organisation is deemed to be in compliance with the two requirements above. However, these circumstances are unlikely to be applicable in most cases. Hence, it is necessary for organisations to take appropriate steps (including entering into binding agreements and obtaining the requisite consents) to comply with requirements (a) and (b).
In the following paragraphs, we set out the circumstances under which requirements (a) and (b) are deemed to be complied with.
Where the personal data is in the public domain or if the personal data is in transit in Singapore (and is not being accessed or used or disclosed while in Singapore), both requirements (a) and (b) are deemed to be complied with. Hence, organisations are free to transfer such personal data outside of Singapore without restrictions. The personal data handled by most organisations is unlikely to fall within these circumstances.
Further, requirement (b) is deemed to be complied with in the following circumstances:
if the individual consents to the transfer of personal data;
the transfer of the personal data is necessary for the performance of a contract between the individual and the transferring organisation, or to do anything at the individual’s request with a view to the individual entering into a contract with the transferring organisation;
the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party which is entered into at the individual’s request;
the transfer of the personal data to the recipient is necessary for the conclusion or performance of a contract between the transferring organisation and a third party if a reasonable person would consider the contract to be in the individual’s interest;
the transfer of the personal data to the recipient is necessary:
in the interest of the individual if consent cannot be obtained in a timely way;
in an emergency that threatens the life, health and safety of the individual/another individual;
in the national interest; or
to contact the next of kin or friend of an individual who is injured, ill or deceased;
and the transferring organisation has taken reasonable steps to ensure that the personal data so transferred will not be used or disclosed by the recipient for any other purpose.
An organisation will still have to comply with requirement (a) even if circumstances exist such that the organisation is deemed to be in compliance with requirement (b).
An organisation may also apply to the Personal Data Protection Commission (PDPC) for exemption from Section 26.
In applying for exemption, it is necessary to provide the following information:
the period(s) for which the exemption is sought;
the identity of person(s)/organisation(s) or class of persons/organisations seeking the exemption, details of the type and volume of personal data intended to be transferred, and all relevant circumstances of the transfer;
detailed explanation of the reasons for seeking the exemption and evidence supporting those reasons; and
detailed explanation of the reasons why the organisation is unable to rely on the avenues provided for in the Regulations to comply with section 26 of the PDPA.
As any contravention of the PDPA attracts penalties of up to S$1 million, organisations in Singapore should review their internal operations to ensure that there is no inadvertent transfer of personal data out of Singapore in contravention of the provisions of the PDPA.