The Personal Data Protection Act (PDPA) was passed by the Singapore Parliament at the end of 2012 and sets out a framework for personal data protection with similarities to that provided in Europe by the EU Data Protection Directive (95/46/EC). A sunrise period of 18 months before implementation of the main provisions of the PDPA was set to give organisations time to comply and to give the appointed regulator, the PDPC, time to consult and issue guidance. That sunrise period expires on 2 July 2014.
The PDPA is based on the three key concepts of consent, purpose limitation and reasonableness – echoing similar concepts in the EU DP Directive. In essence, and subject to certain exemptions, organisations must have consent to handle personal data, have issued transparent notice of the purposes for which the data will be used and such purposes must be reasonable. For a more detailed analysis of the PDPA, and how it compares to the UK Data Protection Act 1998.
What's happened so far?
The provisions of the PDPA which relate to direct marketing - so-called "Do Not Call" provisions - entered into force on 2 January 2014 - since which time the PDPC has investigated over 600 organisations for alleged breach of those provisions. The PDPC has also issued advisory guidelines on Key Concepts
and Selected Topics in the PDPA (which were updated in May) as well as more specifically in respect of the Telecommunication
and Real Estate
sectors. The level of enforcement shown by the PDPC in relation to DNC and its activity otherwise suggests it will be an active regulator in enforcing the Act more widely from July.
What's happening next?
The PDPA is designed to act as a framework with further sector-specific advisory guidelines and requirements expected for areas such as healthcare and social services. In addition, the recent guidance of the PDPC envisages formal PDPA Regulations to be issued which will further specify how certain provisions – notably the restriction on cross-border data transfers - may be satisfied in practice.