On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020.
The concept of data portability is something that I saw for the first time in the General Data Protection Regulation, the GDPR. The basic idea is that data portability gives individuals more control over their own personal data. It enables an individual to receive the personal data about them that an organisation has been processing and transmit it to another organisation.
This may, for example, make it easier for an individual to transfer their business from one organisation to another more competitive organisation that offers them lower prices, without the individual having to go through a great deal of hassle in getting the new organisation familiar with their past history of transactions, preferences or other relevant factors.
Evidently, the Commission has been keen on exploring the concept of data portability in Singapore for at least a year and, quite possibly, much longer. It issued a consultation paper on it in May 2019 and received quite a bit of feedback. Now we see its final proposals in the form of data portability provisions in the draft amendment bill. The consultation document says that data portability will give individuals greater choice and control over their personal data, prevent consumer lock-in and enable switching to new services.
To do this, the draft amendment bill would insert a new Part VIB – Data Portability into the PDPA. However, almost everything of substance under the new rules is yet to be 'prescribed' by regulation. Perhaps it is correct to say therefore that Part VIB establishes an outline for data portability. But the details are yet to be filled in and until that happens a Data Protection Officer cannot figure out what might need to be done to get their organisation ready for data portability.
So that it is possible to keep track, each time the word prescribed is used, that is how I am going to show it!
The purpose of Part VIB of the PDPA is stated to be to:
The basic rule is that an individual may give a porting organisation a data porting request asking it to transmit to a receiving organisation any applicable data specified in the data porting request. This basic rule applies only to applicable data that:
This basic rule does not affect any prohibition or restriction on the disclosure of any personal data in the possession or under the control of an organisation under any other written law (that is, under any law that is not the PDPA).
Immediately, we meet our first three uncertainties:
Without the legalese, this means that there have to be regulations made under the PDPA to 'prescribe' – that is, to identify:
Yes. And no.
A 'porting organisation' must be an organisation that is within the scope of the PDPA. This is because regulations made under the PDPA could not prescribe a 'porting organisation' that is not an organisation, as defined in the PDPA - any attempt to do so would simply be 'beyond the power' of the person or body / public agency making the regulations.
The proposed Part VIB also defines a 'receiving organisation'. It means an organisation that receives applicable data from a porting organisation, where the organisation is:
You might spot that this is the same as the definition of 'organisation' in the PDPC, except for the reference to an 'applicable country'.
'Applicable country' means a country or territory outside Singapore that is prescribed. So, again, we come up against the need for regulations that could have the outcome that personal data can be ported by an organisation within Singapore to a recipient outside of Singapore. But we do not know which country or countries.
Note: When 'applicable countries' have been prescribed, porting organisations will need to keep the transfer limitation obligation under the PDPA in mind.
Subject to the rules below, a porting organisation must, upon receiving the data porting request, transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any requirements prescribed.
If a porting organisation does not transmit any applicable data about an individual as requested, the porting organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the refusal.
Here are the rules to which this requirement is subject:
1. The requirement applies only if:
2. The requirement does not apply if any applicable data about an individual relates to any excluded class of applicable data prescribed.
3. The porting organisation must not transmit any applicable data about an individual if:
The following rules apply where giving effect to a data porting request in respect of personal data about an individual (P) would transmit personal data about another individual (T) to a receiving organisation.
1. A porting organisation may disclose personal data about T to a receiving organisation without T's consent only if the data porting request:
2. A receiving organisation which receives from a porting organisation any personal data about T must use that personal data only for the purpose of providing any goods or service to P.
Note that we meet two new concepts here that are defined in the PDPA for the first time:
Written by Lyn Boxall, Director, Lyn Boxall LLC
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.