BR Law Corporation
br@brlawcorp.com +65 6899 9888
  • Our Team
  • Practice Areas
  • News and Insights
  • Join Us
  • Contact Us
br@brlawcorp.com +65 6899 9888

New Transfer Limitation Guidelines – Are "Legally Enforceable Obligations" Really Just About Consent?

 
16 May 2014
Dharma Sadasivan
Picture
​The Personal Data Protection Commission ("PDPC") released new advisory guidelines (the "Guidelines") today concerning the Transfer Limitation obligation.
Briefly, the Transfer Limitation obligation refers to an obligation in the Personal Data Protection Act 2012 ("PDPA") that requires any organisation transferring personal data out of Singapore to ensure that the personal data receives a comparable standard as that which it would receive under the PDPA in Singapore. This particular obligation is aimed at preventing scenarios where organisations transfer personal data out of Singapore in order to abuse it without breaching Singapore personal data protection laws.

So far, the position has been that an organisation may transfer personal data if the recipient is bound by legally enforceable obligations ensuring that the personal data transferred receives a standard of protection that is comparable to that which it would receive under the PDPA.

The Guidelines reinforce this position by describing "legally enforceable obligations" as including obligations imposed on the recipient under:
  1. any law;
  2. a contract;
  3. binding corporate rules; and
  4. any other legally binding instrument.

In practice, this means that if you were transferring personal data to an overseas third-party, you would enter into an agreement to ensure that the third party recipient will abide by the PDPA. If you were transferring personal data to an overseas branch or office of the same organisation, you would put in place binding corporate rules that require all branches and offices of the organisation to abide by the PDPA.

Here's where the Guidelines get confusing.

Section 19.3 of the Guidelines states that an organisation will be taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations if:
  1. the individual whose personal data is to be transferred gives his consent to the transfer of his personal data (but for this to apply, the organisation needs to explain to the individual how his/her personal data will be protected to PDPA standards outside of Singapore);
  2. the transfer is necessary for the performance of a contract between the organisation and the individual, or to do anything at the individual’s request with a view to his entering a contract with the organisation;
  3. the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
  4. the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, such as use or disclosure necessary to respond to an emergency that threatens the life, health or safety of an individual. In such cases, the organisation may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
  5. the personal data is data in transit; or
  6. the personal data is publicly available in Singapore.

These points (with the exception of Point 5) strike me as relating to the issue of consent rather than ensuring that a legally enforceable obligation is in place.

Point 1 clearly relates to consent. 

Points 2 and 3 suggest that where a transfer is necessary, you can imply consent or consent would be deemed to have been given. 

Point 4 is an exception to the requirement to obtain consent. It echoes the Third and Fourth Schedules of the PDPA which state that consent is not necessary for use or disclosure of personal data if such use or disclosure is necessary to respond to those types of emergencies. 

Point 5 is a technical issue in which data passing through another country on its way to its final destination is not considered to be transferred to the country through which it is transiting. 

Point 6 is an exception to the requirement to obtain consent. It echoes the Second, Third and Fourth Schedules of the PDPA which state that consent is not necessary for the collection, use or disclosure of personal data if the data is publicly available.

None of the points seem to relate directly to imposing any sort of legally enforceable obligation upon the recipient even though at first glance they may give the appearance of creating exceptions to the types of "legally enforceable obligations" described earlier (i.e. law, contract, binding corporate rules or any other legally binding instrument).

For clarity, perhaps point 5 should be addressed by defining "transfers" under the PDPA more specifically, while the remaining points can be addressed through the definitions of or exemptions to consent (whether express, deemed or implied). In the meantime, we look forward to further clarifications and updates from the PDPC.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com

Post date. Edit this to change the date post was posted. Does not show up on published site. 16/5/2014


Your comment will be posted after it is approved.


Leave a Reply.

    We're Here To Help

    Our team welcome any comments or questions and will gladly assist you with your enquiry. You can call us on +65 6899 9888 or fill out our simple contact form. 

    Disclaimer

    The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission.

    Subscribe to our Newsletter

    Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
    Subscribe to Newsletter

    RSS Feed

    Categories

    All
    Awards And Accolades
    Commercial Transactions
    Conveyancing
    Corporate Law
    COVID19
    Criminal Law
    Dispute Resolution
    Family And Matrimonial Law
    Intellectual Property
    International Law
    Personal Data Protection
    Probate And Administration
    Technology
    Wills And Trusts

    Archives

    May 2020
    April 2020
    January 2020
    October 2019
    June 2019
    March 2019
    February 2019
    January 2019
    December 2018
    August 2018
    July 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    September 2017
    August 2017
    January 2017
    September 2016
    March 2015
    January 2015
    July 2014
    June 2014
    May 2014
    April 2014

Firm Brochure

Download
Brochure in Japanese
Brochure in Mandarin

Our ecosystem

We now also offer a spectrum of legal-related services for estate planning and secure document storage. Visit our dedicated BR Family Assets and BRIEFCASE websites.
 
BR Family Assets
​BR - IG Consulting
BRIEFCASE

Awards and Accolades

Picture
Picture

Practice Areas

Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
Subscribe to Newsletter

Contact Us

+65 6899 9888 Telephone
+65 6338 5377 Fax
 
br@brlawcorp.com
 
4 Battery Road #29-00
Bank of China
Singapore 049908
Terms of Use​  •  Privacy Statement
​© Copyright 2018 BR Law Corporation. Registered in Singapore (UEN: 200312051N).