Partnership Announcement: Mato Kotwani

(This article was first published in the Volume 9 of RT ASEAN’s Review Times)

In Singapore, personal data is protected under the Personal Data Protection Act 2012[1] (“PDPA“), which is administered by the Personal Data Protection Commission of Singapore (“PDPC“).

With the advent of cloud computing and the ubiquity of cloud storage services being utilised by organisations across various industries in today’s Internet Age, the PDPC published Chapter 8 to its Advisory Guidelines on the PDPA for Selected Topics[2] (“Guidelines“) in October 2019, specifically pertaining to the use of cloud services. The Guidelines do not have the force of law, but are helpful in clarifying the obligations that organisations in Singapore must comply with when engaging the services of a Cloud Service Provider (“CSP“) who may host or process personal data within or outside of Singapore.

Chapter 8 of the Guidelines clarifies that any organisation that engages the services of a CSP still remains responsible for complying with the PDPA in respect of personal data processed (which includes the holding and retrieval of data) by its CSP on its behalf and for its purposes.

For instance, organisations should ensure that reasonable security arrangements are put in place to protect the personal data that the organisation possesses or transfers to its CSP. In December 2019, Honestbee Pte Ltd was sanctioned with a fine of $8,000 for omitting to put in place the necessary security measures necessary to protect personal data that was placed in its Amazon Web Services (“AWS“) file repository. Honestbee had mistakenly placed personal data into a file folder without access restrictions, thereby allowing anyone with AWS’s command line to gain access to the personal data.[3]

Where a CSP hosts or processes data outside of Singapore, the organisation engaging such CSP must also comply with transfer limitation obligations under the PDPA for any overseas transfer of personal data. In particular, the organisation must ensure that its CSP only transfers personal data to locations with data protection regimes of a standard which is comparable to the standards of the PDPA, or include terms in the agreement between the CSP and the organisation to establish a standard of protection comparable to that of the PDPA for any personal data transferred to local or overseas locations.

In light of the above, organisations in Singapore that wish to engage the services of CSPs must familiarise themselves with their obligations under the PDPA and carefully consider the following when selecting its CSP:

1. Whether the jurisdiction(s) in which the CSP hosts or processes data has/have in place data protection regimes that are comparable to the PDPA; and
2. Whether the CSP is or will be bound by legally enforceable obligations to ensure a standard of data protection comparable to that of the PDPA.

It should be noted that the Personal Data Protection (Amendment) Bill 2020[4] (“PDP Bill“) has been introduced and read for the first time in the Singapore Parliament on 5 October 2020. The PDP Bill introduces a slew of key amendments to the PDPA, including but not limited to:

1. Introduction of a right for individuals to request for their data to be transmitted to another service provider;
2. Obligations to report data breaches to the PDPC and affected individuals;
3. Expansion of the concept of deemed consent to the processing of personal data;
4. Introduction of new exceptions to consent; and
5. Increased financial penalties for breaches of the PDPA.

While none of the proposed amendments under the PDP Bill have a direct impact on the information set out above, organisations are advised to familiarise themselves with the changes proposed in the new PDP Bill prior to its anticipated enactment in the near future.

[1] The Personal Data Protection Act 2012 (Act 26 of 2012) may be accessed at: https://sso.agc.gov.sg/Act/PDPA2012.

[2] The Advisory Guidelines on the PDPA for Selected Topics may be accessed at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-PDPA-for-Selected-Topics-9-Oct-2019.pdf?la=en. Chapter 8 on Cloud Services can be found at pages 56-58.

[3] A summary of the PDPC’s decision on Honestbee Pte Ltd’s breach of the PDPA may be found at: https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-honestbee.

[4] The PDP Bill can be accessed at https://www.mci.gov.sg/-/media/mcicorp/doc/public-consultations/public-consultation-on-pdp-amendment-bill—14may2020/pdp-amendment-bill.ashx.