Delivered in Parliament on 2 November 2020
Mr Deputy Speaker,
Before I speak, I would like to declare my interest as a director and shareholder of a technology company which manages and safeguards customers’ personal data.
The protection of personal data is a concern of all Singaporeans, particularly when they learn about mass data breaches suffered by public agencies and private companies, both here and abroad. There is now greater awareness among members of the public and organisations of the need to safeguard personal data.
The public has a right to demand strong protections of their personal data. At the same time, policymakers have to be aware of the business cost of complying with stringent regulations. It is thus necessary to make periodic amendments to the Personal Data Protection Act (PDPA) and the Spam Control Act to bring our data privacy regulations more in line with current realities and global norms.
I will focus on three areas in my speech:
First, ensuring that personal data is protected where it matters to citizens, yet without unnecessarily burdening businesses with regulations.
Second, aligning the PDPA with the GDPR, the European Union (EU)’s General Data Protection Regulation, to avoid conflicting rules.
And third, harmonising the Government’s data protection rules with the PDPA, to ensure that government agencies safeguard personal data the same way that it expects private sector companies to.
Protecting what matters
Everyone wants their personal data protected from prying eyes and unwanted marketers. No one likes being interrupted by unsolicited phone calls from people they don’t know, trying to sell them things they don’t want, or tricking them into sharing confidential information. They certainly don’t want scammers using their NRIC, address or credit card numbers to take up unauthorised loans, buy stolen goods, or—worst of all—sell their personal data on the Dark Web.
We have made good progress in personal data protection since the introduction of the PDPA in 2012. However, some things are still slipping through. For example, despite being on the do-not-call registry since 2013, I still get phone calls or text messages from individuals offering cheap loans, access to illegal gambling sites or asking me to pick up packages which I never ordered. More than 46,000 complaints on unsolicited calls and text messages have been made to the Personal Data Protection Commission (PDPC) since 2017.
I have met residents who were scammed out of tens of thousands of dollars by swindlers who persuaded them over the phone to reveal their internet banking passwords or one-time PINs. Still others had loans in their name taken out with loan sharks because their NRICs were misused. For most Singaporeans, these are the biggest concerns with regard to personal data privacy.
On the other hand, fewer people are concerned about what kind of cookies a website is using to track them, and many find the cookie notices on websites nowadays more of an irritant than a privacy-protection measure. There is a debate going on about how to stop Big Tech companies from hoovering up our personal data in order to serve us tailored advertisements. This is a valid concern, but not something that keeps the average citizen awake at night.
Privacy regulations should therefore give greater focus to the areas of data privacy that matter most to citizens.
PDPA and GDPR
I will now move on to discussing the PDPA and GDPR. The General Data Protection Regulation is a wide-ranging personal data protection legislation from the EU, which has extra-territorial effect.
The GDPR applies not only to European companies, but also to Singapore companies that offer goods and services to individuals in the EU, even if those companies do not have an EU presence.
The PDPA covers much of the GDPR, but there are many requirements in the GDPR that are more stringent than that of the PDPA. For example, the GDPR provides extra protection for “special categories of data”, which includes data about an individual’s race, religion, political opinions and health information. The PDPA does not specifically define what constitutes sensitive personal data, although guidance from the PDPC suggests that personal data of a sensitive nature should be accorded a higher level of protection as a matter of good practice.
The GDPR also sets a more stringent standard for consent, which must be obtained in a clear, open, specific and transparent manner. The PDPA is less strict in this respect.
Despite its less prescriptive approach compared to the GDPR, the PDPA’s model may be preferred by countries whose approach towards privacy is closer to Singapore’s than the EU’s. However, we should guard against the PDPA acquiring a reputation of providing a “GDPR-minus” standard of personal data protection. It would be much better if the PDPA were known internationally as a law that strikes the right balance between data protection and business efficiency.
While the PDPA may not be identical to the GDPR, it should not have provisions or interpretations which are in conflict with the GDPR. This way, Singapore businesses which need to comply with the GDPR will be able to rest easy knowing that they also comply with the PDPA. Based on my analysis of the PDPA, I am glad to note that this currently appears to be the case. I hope that this approach will continue through future amendments to the PDPA.
PDPA and the Government
My last point concerns the personal data protection obligations of the Government. Unlike the GDPR, the PDPA specifically exempts the Government from having to comply with it. The Government has explained that this is because it has its own set of data privacy standards, which are set out in the Public Sector (Governance) Act (PSGA), the Official Secrets Act (OSA), the Banking Act, the Income Tax Act (ITA), the Statistics Act and the Instruction Manual 8 (IM8), among others.
I have worked with the government, both as a civil servant and a government contractor, and am well aware of the robust rules and practices in place to safeguard personal data. However, complying with a different set of data protection rules from the private sector is problematic for several reasons.
First, the data protection provisions in the various Acts differ in their standard of protection. For example, the maximum fines for violations of the different statutes range from $1,000 to $250,000. This is not surprising, since these laws were enacted long before the PDPA, and without the specific purpose of general data protection in mind. Having public data controllers governed by a hodgepodge of separate legislation is likely to lead to differing standards and gaps in coverage.
Second, the lack of a single set of rules governing privacy leaves individual data owners unclear as to what level of personal data protection they are entitled to. Most individuals concerned about privacy would be more familiar with the protections provided for under the PDPA, than what is provided for under the PSGA, OSA, ITA, IM8 and others. In fact, the IM8 is not even a public document that ordinary citizens can access.
The Government’s exemption from the PDPA could lead to concerns among citizens about how their sensitive data is being used by the Government. For example, many are now worried about how the information collected by SafeEntry and TraceTogether will be processed. Others continue to worry about how our security services may be collecting and sharing sensitive information about citizens with little independent oversight.
Third, the government regulations cover mainly internal checks on the government ministries and agencies, and criminal or disciplinary consequences for individual officers. A citizen who has incurred damages as a result of a data breach by a government agency has little recourse to pursue civil remedies against that agency. The PDPA, on the other hand, grants such recourse against offending organisations. This could be seen as a lower threshold of accountability on the part of the government.
Why should public data controllers be treated differently from private data controllers? I believe there is merit in having a universal standard of personal data protection that applies to both private as well as public data controllers. If there is a need to maintain discretion because of national security reasons, these exemptions can be explicitly written into the PDPA.
I hope the Government can eventually harmonise the data protection clauses in the separate legislations and bring them under the umbrella of the PDPA, and make the PDPA apply to government agencies as well.
Mr Deputy Speaker, the overarching goal of data protection legislation is to ensure that personal data is not misused in a way that causes harm to the individual. This can be achieved without causing undue inefficiencies in the functioning of businesses or the Government. We need to continue to update the PDPA to keep up with realities on the ground. The Government should hold itself to the same level of data privacy standards, procedures and accountability it expects of private sector companies.
Sir, I support the Bill.