On May 16, 2014, the Singapore Personal Data Protection Commission (the “Commission”) published advisory guidelines for the implementation of its Personal Data Protection Act (the “PDPA”) for two industry sectors. The guidelines were published on the same day on which the Commission held its well-attended Personal Data Protection Seminar focusing on international perspectives on data governance. The advisory guidelines generally have the following content:
- The Advisory Guidelines for the Telecommunications Sector were developed in consultation with the Info-communications Development Authority of Singapore. They address issues and circumstances that may apply to enterprises in the telecommunications sector when they seek to comply with the PDPA. The guidelines discuss, for example, whether telephone numbers constitute personal data and in what circumstances an Internet protocol address or international mobile equipment identity number may constitute personal data.
- The Advisory Guidelines for the Real Estate Agency Sector were developed in consultation with the Council for Estate Agencies. They address circumstances that real estate agencies may face in complying with the PDPA. The guidelines discuss the use of anonymized and aggregated personal data and business contact information.
The publication of these two advisory guidelines illustrates the overall structure under which Singapore will implement its PDPA. In general, the PDPA functions as the baseline framework data protection law, with regulations, guidelines and rules applicable to particular industry sectors or topics published and applied on a sector-by-sector (or topic-by-topic) basis. The publication of these guidelines also illustrates the seriousness and focus with which Singapore and its Commission are preparing for the effectiveness and implementation of the PDPA.
More advisory guidelines can be expected in the near future for the educational, health care and social service sectors, as well as for the specific topic of photography. Perhaps most significantly at this time, on May 16, 2014, the Commission also published a note announcing the closing of its public consultation for the PDPA regulations. Based on this note, it appears that when those regulations are formally promulgated, they will include significant provisions on how entities may properly effect a cross-border data transfer from Singapore, as well as provisions expounding on access and correction rights. The cross-border transfer restrictions likely will require the transferor to take appropriate steps (which may not necessarily be contractual) to ensure that the data will receive the same level of protection in their destination country as would have applied in Singapore. The restrictions, however, would allow transfers made with the consent of the data subject, or transfers made for the purpose of performing a contract made with the data subject, to proceed more readily.
The promulgation of the PDPA regulations may be the next significant step in the implementation of the PDPA. We will promptly report on that development when it occurs.
The personal data protection provisions of the PDPA come into effect on July 2, 2014.