New Singapore data protection law places emphasis on businesses to develop compliant policies, says expert

A proposed Personal Data Protection Bill (83-page / 222KB PDF) in Singapore received its first reading in the country's Parliament on Monday.

Data protection law specialist Rosemary Lee of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, the law firm behind Out-Law.com, said that it requires businesses to devise their own practices and policies around data protection that meet the requirements of the new law. This is because the Bill does not explicitly outline what businesses require to do to comply, Lee said.

"With the coming of the proposed law, Singapore data protection compliance will become a concern for organisations collecting and handling large amounts of their customers' personal data," Lee said. "So many companies may need to either build or look at their data protection strategies to ensure compliance with new obligations."

"The Bill is presented as a framework law and does not purport to be prescriptive. Companies are expected to develop and implement the policies and practices that are necessary for compliance and there are no preferred solutions or mechanisms for doing so. In this regard, companies will retain the ability to flexibly apply the law so that compliance with new data protection obligations can be built into their existing business processes," she said.

"Companies increasingly operate on an international basis – both internally within global group structures and externally with their suppliers and customers. In this networked world, cross-border transactions and data flows are inevitable. Singapore's adoption of data protection laws will certainly boost its business reputation," Lee added.

The Personal Data Protection Bill governs the collection, use and disclosure of personal data by organisations. However, activities by government agencies in Singapore are not covered by the Bill.

Under the Bill a new Personal Data Protection Commission would be set up in Singapore. The Commission would be responsible for promoting awareness of data protection in the country, and administering and enforcing the proposed law. The Commission's powers would include being able to fine businesses up to SIN$100,000 for obstructing its performance of duties. Businesses that falsify personal data records, or information regarding the collection, use or disclosure of personal data, face being fined up to SIN$50,000.

The Bill also provides for the establishment of a new 'Do Not Call Register'. Individuals would be able to apply to have their telephone number added to the register in order to opt out of receiving "specified messages" from marketers. Organisations would generally be barred from sending specified messages to individuals listed on the register. Those that fail to comply with the protocol around specified messages face being fined up to SIN$10,000.

Singapore's Ministry of Information, Communications and the Arts had previously launched a consultation on the Personal Data Protection Bill in March.