28 May 2018
The European Union's General Data Protection Regulation ("GDPR") was approved by the EU Parliament on 14 April 2016 and came into effect on 25 May 2018.
The GDPR is the most significant piece of privacy regulation to emerge in the EU in over 20 years.
The GDPR has its roots in the Organisation for Economic Co-operation and Development's ("OECD") Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (the "OECD Guidelines") – a set of recommendations that were endorsed by the EU and US that established a framework for protecting personal data. The OECD guidelines, adopted in 1980, were hugely influential in articulating the privacy principles that would underpin regulatory frameworks emerging in the decades to come, including Singapore's own Personal Data Protection Act (the "PDPA").
The EU issued the Data Protection Directive 95/46/EC (the "Directive"), with the goal of harmonizing data protection laws across the EU, and regulating the transfer of personal data to “third countries” outside of the EU. It also established Data Protection Authorities as regulatory agencies in each EU member state. However, being a Directive, each member state had room for interpretation as it attempted to codify the Directive into local law. As such, data protection laws across the EU were not as harmonized as they needed to be, particularly in light of the improvements in data transfer speeds, emergence of social media, and rising ubiquity of smart devices.
The GDPR differs from the Directive in that it is a Regulation – a stronger piece of EU legislation which became immediately enforceable as law in all member states as soon as it came into effect. This will improve harmonization as the GDPR itself is the codification of the privacy laws and, unlike the Directive, it needs no further transposition into local law.
Key changes in the GDPR and comparisons with the PDPA
The GDPR applies to (i) all data controllers and processors in the EU, regardless of whether the personal data processing itself takes place within the EU; and (ii) the processing of personal data of individuals in the EU, regardless of whether the data controllers or processors are established in the EU, if the data processing activities relate to the provision of goods and services in the EU or activities of an individual in the EU.
Comparison with PDPA: The PDPA does not define "organization" or "personal data" in terms of geographical location. In substance, the PDPA applies to any organization in Singapore processing personal data from anywhere, and organizations outside of Singapore processing personal data from individuals in Singapore. Unlike the GDPR, the PDPA does not limit its scope of extra-territorial jurisdiction based on the nature of the data processing activities.
Organizations in breach of the GDPR can be fined up to 4% of annual global turnover or EUR 20 million, whichever is greater.
Comparison with PDPA: The Personal Data Protection Commission ("Commission") has the power to, amongst other things, direct breaching organizations to pay a financial penalty of up to S$1 million. Offenders under the PDPA are also generally liable on conviction to a fine of up to S$10,000, imprisonment for up to 3 years, or both. In the case of continuing offences, a further fine of up to S$1,000 per day can be levied for every day or part thereof during which the offence continues after conviction.
Consent must be clear and use plain language, should be intelligible and easily accessible, and should be distinguishable from other matters.
Comparison with PDPA: Unlike the GDPR, the PDPA does not prescribe the type of language that must be used in order to obtain consent. However, organizations should be mindful that if the language used to obtain consent is very vague, the Commission may, in the course of an investigation, take the view that a layperson would be unable to reasonably give consent and therefore that consent was not obtained. Organizations should therefore take a common-sense approach to obtaining consent and provide consent notification language in a clear and easily understandable manner.
It will be mandatory for a data controller to notify the regulatory authority of breaches of personal data where such breaches are likely to "result in a risk to the rights and freedoms of natural persons".
Comparison with PDPA: The PDPA currently does not have any breach notification provisions. However, the Commission's Public Consultation on Approaches to Managing Personal Data in the Digital Economy (issued 27 July 2017, with a response to the feedback issued by the Commission on 01 February 2018) proposes implementing a mandatory breach notification regime, and the PDPA is likely to be updated in due course with this (and other) changes.
Right to access
Data subjects have a right to obtain information about whether, what, and where personal data is being processed, and for what purposes. This information must be provided for free.
Comparison with PDPA: The PDPA also provides individuals with access rights – organizations must provide information on what personal data is being held by them and the ways in which it has been, or may have been, used or disclosed by the organization in the year before the request. Unlike the GDPR, organizations may charge a reasonable administrative fee for providing access.
Right to be forgotten
Under the GDPR, data subjects have a right to make organizations erase their data upon certain grounds, one of them being where the data subject withdraws their consent on which the processing is based, and where there are no other legal grounds for processing the personal data.
Comparison with PDPA: The PDPA has no equivalent or analogous provision. However, organizations are obligated not to retain personal data if it is no longer required for the purpose for which it was collected, and if there are no business or legal reasons to retain it.
The GDPR introduces a right of data portability – data subjects have a right to receive their personal data in a commonly-used machine-readable format, and they can transmit this to another controller.
Comparison with PDPA: The PDPA has no equivalent or analogous provision. While individuals have a right of access to their personal data, organizations are required under the Personal Data Protection Regulations 2014 to provide the personal data in documentary form, allow the individual to examine the personal data if providing it in documentary form is impracticable, or provide it in any other form that the individual requests, which is acceptable to the organization. While there is no express right to transmit personal data to another organization, such a right may not be needed as the individual always has the option of volunteering his/her personal data to other organizations.
Privacy by design
The GDPR requires data controllers to implement technical and organizational measures to ensure that the data protection principles, including the minimal use of personal data, are upheld. This must be done both at the data processing stage as well as when the means of processing is determined. By default, only personal data necessary for each specific purpose of the processing should be used in the processing. In essence, all systems handling personal data must now be designed from the outset with privacy in mind.
Comparison with PDPA: The PDPA has no equivalent or analogous provision and does not prescribe whether systems must be built with privacy in mind. However, privacy-by-design may remain a relevant consideration and a mitigating factor in the Commission's decisions relating to breaches of the PDPA.
Data Protection Officers
Data Protection Officers ("DPOs") under the GDPR must have expert knowledge of personal data protection law, their contact details must be provided to the relevant data protection supervisory authority, and they must be provided with adequate resources to fulfil their duties and maintain their expert knowledge. Additionally, DPOs must report to the highest management level and are required to perform their tasks in confidence. While DPOs may undertake other tasks, they are prohibited from engaging in tasks that result in conflicts of interest.
Comparison with PDPA: The PDPA does not require DPOs to have expert knowledge of personal data protection laws, although in practice, some knowledge of this will be required for DPOs to carry out their duties. While the Commission strongly encourages organizations to register their DPOs, there is currently no legislative requirement for this. There is also no requirement that DPOs perform their tasks in confidence, avoid conflicts of interest, or report to the highest management level. It is clear that DPOs in the EU are envisioned as being part of high-level management while DPOs in Singapore are permitted to take on a supporting or ancillary role.
Contact us if you need assistance with personal data protection compliance.
Associate Director, BR Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.