25 Jun 2014

Singapore PDPA - remaining provisions come into force 2 July 2014

Linkedin
Background

The Personal Data Protection Act (PDPA) was passed by the Singapore Parliament at the end of 2012 and sets out a framework for personal data protection with similarities to that provided in Europe by the EU Data Protection Directive (95/46/EC). A sunrise period of 18 months before implementation of the main provisions of the PDPA was set to give organisations time to comply and to give the appointed regulator, the PDPC, time to consult and issue guidance. That sunrise period expires on 2 July 2014.

Key provisions

The PDPA is based on the three key concepts of consent, purpose limitation and reasonableness – echoing similar concepts in the EU DP Directive. In essence, and subject to certain exemptions, organisations must have consent to handle personal data, have issued transparent notice of the purposes for which the data will be used and such purposes must be reasonable. For a more detailed analysis of the PDPA, and how it compares to the UK Data Protection Act 1998.

What's happened so far?

The provisions of the PDPA which relate to direct marketing - so-called "Do Not Call" provisions - entered into force on 2 January 2014 - since which time the PDPC has investigated over 600 organisations for alleged breach of those provisions. The PDPC has also issued advisory guidelines on Key Concepts and Selected Topics in the PDPA (which were updated in May) as well as more specifically in respect of the Telecommunication and Real Estate sectors. The level of enforcement shown by the PDPC in relation to DNC and its activity otherwise suggests it will be an active regulator in enforcing the Act more widely from July.

What's happening next?


The PDPA is designed to act as a framework with further sector-specific advisory guidelines and requirements expected for areas such as healthcare and social services. In addition, the recent guidance of the PDPC envisages formal PDPA Regulations to be issued which will further specify how certain provisions – notably the restriction on cross-border data transfers - may be satisfied in practice.
Linkedin

KEY CONTACT

Tom Platts

Tom Platts
Partner

T:  +65 6622 9641 M:  Email Tom | Vcard Office:  Jakarta, Singapore

OTHER CONTACTS