Written by Moo Wen Si, Amelia | Edited by Josh Lee Kok Thong
We’re all law and tech scholars now, says every law and tech sceptic. That is only half-right. Law and technology is about law, but it is also about technology. This is not obvious in many so-called law and technology pieces which tend to focus exclusively on the law. No doubt this draws on what Judge Easterbrook famously said about three decades ago, to paraphrase: “lawyers will never fully understand tech so we might as well not try”.
In open defiance of this narrative, LawTech.Asia is proud to announce a collaboration with the Singapore Management University Yong Pung How School of Law’s LAW4032 Law and Technology class. This collaborative special series is a collection featuring selected essays from students of the class. Ranging across a broad range of technology law and policy topics, the collaboration is aimed at encouraging law students to think about where the law is and what it should be vis-a-vis technology.
This piece, written by Moo Wen Si, Amelia, examines the sufficiency of the PDPA in today’s world. In a technologically advanced world where e-commerce, cloud computing and data mining are flourishing, data has become one of the most valuable assets in the economy. This has raised concerns as to whether our data is being fully protected from misuse, and what remedial actions are available in cases of data breaches. In response, the Singapore Parliament enacted the Personal Data Protection Act 2012 (“PDPA”), seeking to protect individuals’ data from misuse by organisations in the private sector. The PDPA, although intended to be a comprehensive data protection law, is severely lacking in the protection it affords to individuals. This paper argues that the PDPA is insufficient to protect one’s data from being misused, and that individuals have only limited recourse even when their data privacy has been compromised.
Introduction
Privacy has become a buzzword in recent times. With technology taking a primary role in Singapore’s economic and social landscape, we find ourselves giving away our data more frequently on the Internet. Nowadays, we can perform a wide range of activities online, owing to the ease of access and connectivity. In the midst of these, we are knowingly, or unknowingly, giving away our most personal data to e-commerce, e-Government or e-health platforms. This has raised concerns as to whether our data privacy is being sufficiently protected.
In response, the Singapore Parliament enacted the Personal Data Protection Act 2012 (“PDPA”),[1] laying down certain rules to prevent private entities from misusing consumers’ data.[2] The PDPA was amended in 2021 to keep up with advances in technology and the rising importance of data privacy.[3] However, it seems that the PDPA, even with its new amendments and guidelines, is still unable to sufficiently protect our data privacy.
Firstly, I will be examining whether the PDPA is sufficient to prevent our data from being misused or leaked. Thereafter, I will be looking at the remedial actions which are available to data subjects when their data has been misappropriated. In both sections, suggestions will be proposed to improve our data protection laws. Finally, I conclude that the PDPA, though seemingly enacted to protect consumers’ data, is insufficient to protect the public’s data privacy as its primary aim is to maintain the stability and aid the flourishing of Singapore’s economy.
Preliminarily, it bears noting that Singapore does not recognise an absolute right to privacy.[4] Accordingly, the PDPA’s main aim is not to protect one’s privacy;[5] this much can be gleaned from the PDPA itself.[6] Instead, it is meant to make Singapore a more attractive business hub by ensuring that organisations do not misuse personal data.[7]
PDPA does not sufficiently protect individuals’ data from being misused
Lack of transparency over public agencies’ collection, use and disclosure of data
The PDPA has several exceptions and exemptions which already put individuals at a disadvantage. Notably, no obligations are imposed under the PDPA on public agencies.[8] Excluding public agencies would no doubt lead to a lack of transparency as to how these agencies are handling our data. Professor Eugene Tan, speaking in the Parliamentary Debates as a then Nominated Member of Parliament, noted that “the public sector, collectively, has a lot of information about individuals living on this island. Further, given the range and intensity of surveillance technology at the disposal of the Government, the need to regulate how the public sector collects, uses, shares and disseminates personal information takes on greater importance.”[9]
It is widely accepted that public agencies may “need to access data for legitimate reasons of law enforcement and national interest”. However, “greater transparency of what constitutes legitimate access is now a major issue that we cannot ignore”.[10] Citizens are also concerned about how the Government is “collecting and sharing sensitive information about [them] with little independent oversight.”[11] Individuals may have no recourse when public agencies violate their rights to data privacy.[12]
These concerns arose once more during the debate on the 2020 Amendments to the PDPA. Dr Janil Puthucheary, Senior Minister of State for Communications and Information, emphasised that there are already guidelines and statutes in place to govern public agencies’ use and disclosure of personal data. Further, citizens can always raise their concerns to the Government Data Security Contact Centre.[13]
However, unlike the PDPA, these provisions are scattered over several different statutes, with the maximum financial penalty for violations “ranging from $1,000 to $250,000”. This raises concerns about “differing standards and gaps in coverage”,[14] and the exact penalty that an errant agency would face remains unclear. It also indicates the varying weight and importance, or lack thereof, that public agencies may attach to data privacy: those that face less severe sanctions would likely not attach much significance to the protection of individuals’ data. The existence of multiple statutes further confuses the public as to the “level of personal data protection they are entitled to”. Some of these internal guidelines are not even publicly available for the public to scrutinise.[15]
Furthermore, it is unlikely that individuals would know how the Government is sharing their data. Thus, if their data had been misused by any public agency, individuals would likely be kept in the dark. This shows that the public is essentially unaware of how their data is handled by public agencies. It seems that once we have surrendered our data to the Government via any of its organisations, we are essentially surrendering our data privacy as well, because of this lack of transparency. Member of Parliament (“MP”) Mr Gerald Giam observed that the effect of the exclusion of public agencies from the PDPA “could be seen as a lower threshold of accountability on the part of the Government should data breaches occur”.[16]
This seemingly general lack of accountability by public agencies has prompted suggestions to remove the exemptions for public agencies.[17] Instead, public agencies could rely on the “Vital interests of individuals” exception enumerated in the First Schedule of the PDPA, under which collection, use or disclosure of personal data is permitted without consent. For example, if they need to process our data for the purposes of national security, paragraph 2 of the First Schedule would enable them to do so. It is further possible for the Legislature to carve out more exceptions allowing public agencies to collect and use individuals’ data with greater flexibility where this is needed to carry out their statutory functions, instead of completely exempting public agencies from liability under the PDPA. The inclusion of public agencies would not conflict with the existing statutes or guidelines because the PDPA “is set up as a baseline law that is not intended to affect rights and obligations under existing laws”.[18] This inclusion would instead lead to a “unified regime” that will “provide more robust protection of personal data”.[19] It would also erase doubts as to the accountability of Government agencies over the use of individuals’ most sensitive data.
Limited compliance by organisations
Organisational compliance with the PDPA is low. Organisations seem to be unaware of how they should comply. Even if they are aware, they may not implement proper measures until a breach occurs. This is illustrated in several cases of data breaches where the companies already knew that their data protection measures were lacking, yet took no action to improve them and bring them in line with the level of protection mandated.
One such case is the data breach of HMI Institute of Health Sciences (“HMI”). The Personal Data Protection Commission (“PDPC”) fined HMI $35,000 for failing to implement “reasonable security arrangements to protect personal data stored in its server”, which left the data vulnerable to ransomware.[20] The PDPC found that the vulnerability in its system had been known to HMI for more than four years, yet during this period nothing was done to remedy the situation.[21] Moreover, the PDPC was only made aware of the non-compliance after a data breach had already occurred. This points to another problematic feature of the PDPA which leads to insufficient protection of our data: the complaint-based regime. Even though there is a positive obligation to ensure proper collection and use of individuals’ data, there are no measures in place to check that an organisation is actually complying with the PDPA until a breach has occurred. Further, the onus is on the organisation to report such breaches to the PDPC. By the time the PDPC is alerted, it is already too late, as the data collected by the organisation would already have been misused or leaked.
ChampionTutor’s flawed data security had been apparent to the firm for at least three months prior to its data breach. Despite this, it did not follow up to remedy the security flaw.[22] This was ChampionTutor’s second breach in a span of three years; it had previously been fined by the PDPC for failing to implement internal data protection policies and failing to appoint a Data Protection Officer, which offend sections 12 and 11(3) respectively of the PDPA.[23]
I pause here to note that certain authorities like the Ministry of Health do conduct regular checks and audits on relevant organisations to ensure that these organisations “have taken reasonable actions to implement appropriate and adequate safeguards for the integrity and confidentiality”[24] of users’ data. However, this is only limited to institutions in certain sectors. Although it is true that these institutions handle one’s most confidential data, such as our medical records, other organisations like telecommunication companies also have access to sensitive data such as our residential addresses and identification numbers.
It is submitted that local authorities should conduct regular inspections and audits to ensure that private firms in other sectors comply with the PDPA. This would also signal to firms the importance of compliance with the PDPA. Firms would then have more incentive to take prompt action to remedy any vulnerabilities in their systems or data servers, voluntarily strengthening their cybersecurity. This would be a better approach, aimed at preventing data breaches rather than merely penalising organisations after a breach has occurred.
No right to request for destruction of personal data from organisation’s system
According to s16 of the PDPA, an individual may withdraw his consent at any time. When the organisation is informed of such withdrawal, it has to cease collection, use or disclosure of the data. However, the data may still be stored in the organisation’s system, and we cannot request complete deletion of our data. The organisation’s obligation to retain the data only ceases once the purpose for which the data was collected is no longer served by retention, or retention is no longer necessary for legal or business purposes.[25] That is to say, organisations may still retain one’s data even though consent has already been withdrawn. This leaves our data in their possession, essentially causing data subjects to relinquish all control over their own data.
PDPA does not sufficiently accord individuals with remedial actions in cases of data breaches
Individuals may not be notified when their data has been compromised
As noted, the PDPC is only informed of an organisation’s possible non-compliance once a data breach has already occurred. Under the amended PDPA, organisations must now notify the PDPC and affected individuals if the breach is of a “significant scale” or if “there is a risk of significant harm”[26] to affected individuals.[27] This means that one’s data could be misused without one ever knowing that a breach occurred. There is no positive obligation on organisations to notify affected users of all breaches; the obligation only arises if the breach affects at least 500 individuals[28] or if it relates to sensitive information such as an individual’s full name or identification number.[29] It is acknowledged that not all data breaches are significant, and the PDP Regulations seemingly cover every type of sensitive data that would raise security concerns should such data be misused. However, users would likely wish to be informed of every breach involving their personal data, no matter how minor the breach or how insignificant the data may seem.
A prime example is where one’s social media account has been compromised. In response to a query on whether such breaches would be notifiable, Minister for Communications and Information, Mr S Iswaran, reiterated that organisations would only have an obligation to notify in cases of “significant breaches”.[30] For individual cases of hacking, he placed the responsibility on the platform. He noted that certain platforms already have measures in place and recommended that others follow suit, but he did not go so far as to impose a legal obligation to do so.[31] Given the prevalent use of social media, however, this is one of the more pressing issues. One’s social media account likely contains some of one’s more intimate data, such as the friends in one’s social circle and the places one frequents. Should such data be leaked, there may be dire consequences for one’s safety and wellbeing. It is therefore suggested that the responsibility placed on social media platforms be raised to a legal obligation. Although some platforms have mechanisms to handle such situations, imposing a legal obligation would be the most effective way of ensuring that all platforms notify an individual when his account is compromised.
No incentive for organisations to comply with PDPA
Next, the PDPA does not accord sufficient protection for individuals’ data because it does little to ensure that an organisation’s data will not be leaked again even after the PDPC has penalised it for previous breaches. This is apparent from the number of repeat offenders fined or penalised by the PDPC, including Grab Holdings Inc, which breached the PDPA four times in the span of two years but was fined only $10,000 for the latest violation.[32] This could result partly from the PDPC’s reluctance (as the examples below suggest) to heavily penalise repeat offenders, and from the low financial penalties that organisations face. This is so even though the gravity of the breach and the organisation’s prior breaches are relevant considerations in determining the fine.[33] In what the Government terms “Singapore’s largest data breach”,[34] in which the personal data of approximately 5.9 million users of the hotel booking site RedDoorz was leaked, the PDPC fined the website operator only $74,000, significantly lower than the maximum fine of $1 million stipulated in the PDPA.[35] The same can be gleaned from the low fines imposed on repeat offenders, such as the mere $10,000 that Grab[36] and ChampionTutor[37] each had to bear despite their prior breaches.
In fact, even the maximum fine of $1 million seems insufficient when compared to the maximum financial penalty imposed under the other data protection regimes like the General Data Protection Regulation (“GDPR”)[38] or Personal Information Protection Law (“PIPL”)[39] where severe breaches can attract up to tens or even hundreds of millions of dollars in fines.[40] Surely higher financial penalties would incentivise companies to take measures to comply with the provisions of the PDPA.
One possible reason for the PDPC’s reluctance may be to avoid burdening organisations with exorbitant compliance costs; it seems concerned that strict compliance would increase operating costs. However, this may be the very reason firms are disincentivised from improving their data protection measures. As long as compliance costs exceed the financial penalties organisations may face, there is simply not enough incentive for them to take our data protection laws seriously and adhere strictly to the PDPA. As pointed out by then-MP Desmond Lee, companies must genuinely realise the importance of data protection, “[otherwise], if this is seen as just yet another cost to manage, then there will only be lip-service compliance or, worse, creative compliance.”[41] If the PDPC repeatedly shows leniency towards repeat offenders and in cases of significant data breaches, this effectively signals to organisations that data protection takes a backseat to commercial and public policy interests.
Comparative Analysis: How the PDPA measures up to the GDPR
One can observe from the PDPC website that it mainly deals with data breaches caused by external hackers, unlike the EU authorities, where most cases concern organisations’ own breaches of GDPR provisions.[42] Because the PDPC focuses on cybersecurity breaches by external hackers, it may overlook organisations’ internal policies and whether those policies comply with the PDPA. It can be inferred that the GDPR affords more protection to individuals’ data privacy, especially since EU data protection authorities conduct extensive investigations to ensure organisations’ compliance with data protection laws, thereby according greater protection to citizens’ personal data.
This can be illustrated by the recent case in which WhatsApp was issued a €225 million fine in September 2021 over GDPR infringements. The Irish Data Protection Commission (“IDPC”) had been investigating WhatsApp’s privacy policy for over two years after receiving complaints over the latter’s lack of transparency in handling users’ and non-users’ data, as well as how information is shared between WhatsApp and Facebook.[43] WhatsApp was found to have infringed the GDPR by, inter alia, not explicitly specifying “information about which categories of personal data are being processed”[44] and the basis for processing such information. Aside from imposing a heavy fine of €225 million (approximately S$350 million), the IDPC also ordered WhatsApp to take corrective actions to ensure strict compliance, including giving clear directions on “how users can lodge a complaint with a supervisory authority”.[45]
In contrast, it is unlikely that WhatsApp’s privacy policy would have violated the PDPA. When one downloads and uses WhatsApp, one would likely have seen its privacy policy and expressly agreed to it, as this is a pre-requisite to setting up an account. Mere notification of purpose in line with s 20 would suffice for the purpose obligation under s 18(b). WhatsApp would also have fulfilled the requirement to obtain consent from users under s 13. WhatsApp would thus not have breached the PDPA even if its privacy policy did not state the purpose clearly or would likely result in misuse of users’ data. Further, WhatsApp’s processing and sharing of personal data to other entities like Facebook would also not breach the PDPA, even if these were not clearly indicated in the privacy policy as WhatsApp can avail itself of the “business improvement” exception to increase operational efficiency, improve or enhance its services.[46]
As seen from the above, WhatsApp’s privacy policy was clearly found by the IDPC to be lacking in transparency. However, local authorities and individuals would likely have no recourse, since users had expressly consented to the terms and conditions. Further, the amended PDPA now allows for deemed consent by notification as long as individuals do not opt out within the stipulated period.[47] Local authorities seem to put the burden on individuals to read through pages of fine print filled with legal and technical jargon. Considering that the IDPC, with its resources and expertise, needed at least two years to conclude its investigation, placing such a burden on laypersons may be too onerous. Although the purposes of the two regimes differ, both value individuals’ control over their own personal data. The protection offered by the PDPA largely pales in this respect since, under the PDPA, as long as consent is given, or deemed to be given, the organisation can be said to have properly dealt with one’s data. This is so even if the organisation’s own policy is lacking.
Conclusion
Given the above criticisms of the PDPA and the WhatsApp case study, the PDPA is plainly insufficient to protect individuals’ data. Public agencies lack accountability and transparency over the use of one’s most sensitive data, and one also surrenders control over data already held in organisations’ databases once consent is provided. Organisations have little incentive to comply with the PDPA, and in any case can freely invoke the expanded exceptions of legitimate interests and business improvement in the PDPA.[48] Moreover, individuals have limited options for recourse if their data is in fact compromised.
Notably, in enacting the PDPA, Parliament placed emphasis on protecting businesses’ interests and enhancing Singapore’s competitiveness as a business hub. Commercial interests may have taken precedence over individuals’ right to data privacy, despite the promise to strike a balance between the two.[49] Accordingly, the PDPA is insufficient to protect one’s data, and suggestions have been proposed above to strengthen Singapore’s data protection regime.
This piece was published as part of LawTech.Asia’s collaboration with the LAW4032 Law and Technology module of the Singapore Management University’s Yong Pung How School of Law. The views articulated herein belong solely to the original author, and should not be attributed to LawTech.Asia or any other entity.
[1] Personal Data Protection Act 2012 (No. 26 of 2012).
[2] Singapore Parliamentary Debates, Official Report (2 November 2020), vol 95 (S Iswaran, Minister for Communications and Information) (accessed 1 December 2021).
[3] Ibid.
[4] [2021] SGHC 125 at [72].
[5] Ibid at [76].
[6] Supra n 1, at s3.
[7] Supra n 4, at [75].
[8] Supra n 1, s4(1)(c).
[9] Singapore Parliamentary Debates, Official Report (15 October 2012), vol 89, at p 852 (Tan Kheng Boon Eugene, NMP) (accessed 1 December 2021).
[10] Id, at p 847 (Jessica Tan Soon Neo, MP for East Coast GRC).
[11] Supra n 2, (Gerald Giam Yean Song, MP for Aljunied GRC).
[12] Supra n 9, at p 857 (Chen Show Mao, MP for Aljunied GRC).
[13] Supra n 2, (Janil Puthucheary, Senior Minister of State for Communications and Information).
[14] Ibid.
[15] Ibid.
[16] Ibid.
[17] Supra n 9, (Tan Kheng Boon Eugene, NMP).
[18] Supra n 12.
[19] Supra n 9, at p 852 (Chen Show Mao, MP for Aljunied GRC).
[20] HMI Institute of Health Sciences Pte. Ltd. [2021] SGPDPC 4, at [1].
[21] Id, at [5].
[22] Dominic Low, “Tuition agency, owner of home services website fined over leaks of personal data”, The Straits Times (18 October 2021) https://www.straitstimes.com/tech/tech-news/tuition-agency-owner-of-home-services-website-fined-over-leaks-of-personal-data (accessed 13 January 2022).
[23] ChampionTutor Inc. [2019] SGPDPC 25, at [10]-[14].
[24] Singapore Parliamentary Debates, Official Report (14 September 2021), vol 95 (Ong Ye Kung, Minister for Health) (accessed 1 December 2021).
[25] Supra n 1, at s25.
[26] Id, at s26B(1).
[27] Id, at s26D.
[28] Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“PDP Regulations”), s4.
[29] Id, at s3(1)(a).
[30] Singapore Parliamentary Debates, Official Report (1 February 2021), vol 95 (S Iswaran, Minister for Communications and Information) (accessed 1 December 2021).
[31] Ibid.
[32] Supra n 2 (Melvin Yong Yik Chye, MP for Radin Mas SMC).
[33] Supra n 1, at s48J(6).
[34] Kenny Chee, “Data of 5.9m customers of RedDoorz hotel booking site leaked in S’pore’s largest data breach”, The Straits Times (15 November 2021) <https://www.straitstimes.com/tech/tech-news/59m-customers-of-reddoorz-hotel-booking-site-leaked-in-spores-largest-data-breach> (accessed 1 December 2021).
[35] Supra n 1, at s48J(3).
[36] Supra n 32.
[37] Supra n 22.
[38] General Data Protection Regulation (EU) Art 83(4) and 83(5).
[39] Personal Information Protection Law (People’s Republic of China), Art 66.
[40] Ibid; supra n 38, at Art 83(5).
[41] Supra n 9, at p 860 (Desmond Lee, MP for Jurong GRC).
[42] See <https://www.pdpc.gov.sg/Commissions-Decisions>. Cf <https://gdpr-info.eu/>.
[43] Helen Bourne & Garrett Moore, “Irish data regulator fines Whatsapp €225m for GDPR infringements”, Clyde&Co (24 September 2021) <https://www.clydeco.com/en/insights/2021/09/irish-data-regulator-fines-whatsapp-%E2%82%AC225m-for-gdpr> (accessed 1 December 2021).
[44] Ibid.
[45] Stephanie Bodoni & Katherine Gemmell, “WhatsApp Fined $266 Million Over Data Transparency Breaches”, Bloomberg (2 September 2021) <https://www.bloomberg.com/news/articles/2021-09-02/whatsapp-fined-266-million-over-data-transparency-violations> (accessed 1 March 2022).
[46] Supra n 1, Second Schedule, Division 2, paragraph 1.
[47] Id, at s15A.
[48] Supra n 1, First Schedule.
[49] Supra n 9, at p 884 (Yaacob Ibrahim, Minister for Information, Communications and the Arts).