New Transfer Limitation Guidelines – Are "Legally Enforceable Obligations" Really Just About Consent?

16 May 2014

Dharma Sadasivan

​The Personal Data Protection Commission ("PDPC") released new advisory guidelines (the "Guidelines") today concerning the Transfer Limitation obligation.

Briefly, the Transfer Limitation obligation refers to an obligation in the Personal Data Protection Act 2012 ("PDPA") that requires any organisation transferring personal data out of Singapore to ensure that the personal data receives a comparable standard as that which it would receive under the PDPA in Singapore. This particular obligation is aimed at preventing scenarios where organisations transfer personal data out of Singapore in order to abuse it without breaching Singapore personal data protection laws.

So far, the position has been that an organisation may transfer personal data if the recipient is bound by legally enforceable obligations ensuring that the personal data transferred receives a standard of protection that is comparable to that which it would receive under the PDPA.

The Guidelines reinforce this position by describing "legally enforceable obligations" as including obligations imposed on the recipient under:

1. any law;
2. a contract;
3. binding corporate rules; and
4. any other legally binding instrument.

In practice, this means that if you were transferring personal data to an overseas third-party, you would enter into an agreement to ensure that the third party recipient will abide by the PDPA. If you were transferring personal data to an overseas branch or office of the same organisation, you would put in place binding corporate rules that require all branches and offices of the organisation to abide by the PDPA.

Here's where the Guidelines get confusing.

Section 19.3 of the Guidelines states that an organisation will be taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations if:

1. the individual whose personal data is to be transferred gives his consent to the transfer of his personal data (but for this to apply, the organisation needs to explain to the individual how his/her personal data will be protected to PDPA standards outside of Singapore);
2. the transfer is necessary for the performance of a contract between the organisation and the individual, or to do anything at the individual’s request with a view to his entering a contract with the organisation;
3. the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
4. the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, such as use or disclosure necessary to respond to an emergency that threatens the life, health or safety of an individual. In such cases, the organisation may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;
5. the personal data is data in transit; or
6. the personal data is publicly available in Singapore.

These points (with the exception of Point 5) strike me as relating to the issue of consent rather than ensuring that a legally enforceable obligation is in place.

Point 1 clearly relates to consent. 

Points 2 and 3 suggest that where a transfer is necessary, you can imply consent or consent would be deemed to have been given. 

Point 4 is an exception to the requirement to obtain consent. It echoes the Third and Fourth Schedules of the PDPA which state that consent is not necessary for use or disclosure of personal data if such use or disclosure is necessary to respond to those types of emergencies. 

Point 5 is a technical issue in which data passing through another country on its way to its final destination is not considered to be transferred to the country through which it is transiting. 

Point 6 is an exception to the requirement to obtain consent. It echoes the Second, Third and Fourth Schedules of the PDPA which state that consent is not necessary for the collection, use or disclosure of personal data if the data is publicly available.

None of the points seem to relate directly to imposing any sort of legally enforceable obligation upon the recipient even though at first glance they may give the appearance of creating exceptions to the types of "legally enforceable obligations" described earlier (i.e. law, contract, binding corporate rules or any other legally binding instrument).

For clarity, perhaps point 5 should be addressed by defining "transfers" under the PDPA more specifically, while the remaining points can be addressed through the definitions of or exemptions to consent (whether express, deemed or implied). In the meantime, we look forward to further clarifications and updates from the PDPC.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com