16 May 2014
The Personal Data Protection Commission ("PDPC") released new advisory guidelines (the "Guidelines") today concerning the Transfer Limitation obligation.
Briefly, the Transfer Limitation obligation refers to an obligation in the Personal Data Protection Act 2012 ("PDPA") that requires any organisation transferring personal data out of Singapore to ensure that the personal data receives a standard of protection comparable to that which it would receive under the PDPA in Singapore. This particular obligation is aimed at preventing scenarios where organisations transfer personal data out of Singapore in order to abuse it without breaching Singapore personal data protection laws.
So far, the position has been that an organisation may transfer personal data if the recipient is bound by legally enforceable obligations ensuring that the personal data transferred receives a standard of protection that is comparable to that which it would receive under the PDPA.
The Guidelines reinforce this position by describing "legally enforceable obligations" as including obligations imposed on the recipient under:
In practice, this means that if you were transferring personal data to an overseas third party, you would enter into an agreement to ensure that the third-party recipient will abide by the PDPA. If you were transferring personal data to an overseas branch or office of the same organisation, you would put in place binding corporate rules that require all branches and offices of the organisation to abide by the PDPA.
Here's where the Guidelines get confusing.
Section 19.3 of the Guidelines states that an organisation will be taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations if:
These points (with the exception of Point 5) strike me as relating to the issue of consent rather than ensuring that a legally enforceable obligation is in place.
Point 1 clearly relates to consent.
Points 2 and 3 suggest that where a transfer is necessary, you can imply consent or consent would be deemed to have been given.
Point 4 is an exception to the requirement to obtain consent. It echoes the Third and Fourth Schedules of the PDPA which state that consent is not necessary for use or disclosure of personal data if such use or disclosure is necessary to respond to those types of emergencies.
Point 5 is a technical issue in which data passing through another country on its way to its final destination is not considered to be transferred to the country through which it is transiting.
Point 6 is an exception to the requirement to obtain consent. It echoes the Second, Third and Fourth Schedules of the PDPA which state that consent is not necessary for the collection, use or disclosure of personal data if the data is publicly available.
None of the points seem to relate directly to imposing any sort of legally enforceable obligation upon the recipient even though at first glance they may give the appearance of creating exceptions to the types of "legally enforceable obligations" described earlier (i.e. law, contract, binding corporate rules or any other legally binding instrument).
For clarity, perhaps Point 5 should be addressed by defining "transfers" under the PDPA more specifically, while the remaining points can be addressed through the definitions of or exemptions to consent (whether express, deemed or implied). In the meantime, we look forward to further clarifications and updates from the PDPC.
Associate Director, BR Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.