II. Recent Developments and Impact of the GDPR
Singapore
As the staunchest promoter of data protection and cybersecurity in the ASEAN region, it comes as no surprise that Singapore has the most comprehensive data protection framework among the three jurisdictions, and its regime most closely aligns with international data protection standards. The PDPC has been actively engaging with industry players and has issued advisory guidelines which are fairly extensive and set out step-by-step instructions to businesses on how to comply with the Data Protection Provisions. Although the advisory guidelines are not legally binding, the Commission has indicated that they will illustrate the manner in which the Commission will interpret the Data Protection Provisions.
The PDPC is a highly active regulator in Singapore. As of June 2020 there have already been 17 enforcement cases where the PDPC initiated and took enforcement actions (for example, by imposing a financial penalty or issuing compliance directions) against persons found in breach of the Singapore PDPA. The PDPC also adopts a “name and shame” policy, publishing on its official portal all of its enforcement actions against companies found to have breached the Data Protection Provisions under the Singapore PDPA.
In 2019, the PDPC imposed a penalty of SGD 1 million (approximately US$ 720,000), its highest penalty ever levied since the legislation’s entry into force. The penalty was levied on SingHealth and IHiS (in the public healthcare sector), which were determined by the PDPC to have failed to establish adequate security arrangements to protect their patients’ personal data.
The incident was dubbed “the worst breach of personal data in Singapore’s history”: a cyberattack on SingHealth’s patient database system led to the theft of 1.5 million patients’ personal data records and nearly 160,000 patients’ outpatient prescription records.
The PDPC’s vigorous enforcement actions since the coming into force of the Singapore PDPA have created high public awareness of data protection issues among businesses in Singapore. Compliance is also made easier for businesses, as they are guided almost every step of the way by the PDPC through its extensive guidelines, which are regularly reviewed and updated in line with global trends and business practices.
The concepts in the GDPR are not unfamiliar to Singapore, as existing data protection regulations are in line with the predecessor of the GDPR, the 1995 EU Data Protection Directive. To keep pace with the very latest standards, in May 2020 the PDPC issued an amendment bill to include data subjects’ rights to data portability, as well as mandatory data breach notification, in the Singapore PDPA. Singapore’s progressive attitude can be seen in that even the public was invited to contribute feedback via the PDPC’s online consultation forum.
Malaysia
The key principles in the Malaysia PDPA are also akin to those in the 1995 EU Data Protection Directive. Data users have to comply with the seven Processing Principles, which align with those set out in the ASEAN Framework on Personal Data Protection adopted by all ASEAN Member States in 2016. The regulator’s focus in the first few years since the entry into force of the Malaysia PDPA has been on educating and fostering awareness among businesses. The shift to enforcement actions has only recently begun, and the majority of these actions have focused on ensuring registration by the specific class of data users required to register with the Commission. Based on its updates publicized on various platforms, the Commission has been conducting inspections in the form of “audits” at business premises to assess levels of compliance.
After almost a decade since the passage of the Malaysia PDPA, the Minister of Communications and Multimedia announced in 2019 that a series of consultations would be held to discuss possible amendments to the Malaysia PDPA. The proposed amendments aim to strengthen data protection in Malaysia and align with international requirements of personal data protection, with the goal of keeping up with the rapidly evolving digital economy and the pace of technology development.
The Commissioner subsequently published a consultation paper in February 2020 to seek feedback from the general public (the “Paper”). The Paper took the laws of various jurisdictions into consideration including the Philippines, Singapore, Japan, and the EU. More than half of the proposals in the Paper are concepts included in the GDPR, including:
- data subjects’ right to data portability in order to move their data across different service providers;
- obligation to appoint a DPO;
- obligation to report any data breach;
- introduction of the concept of “Privacy by Design,” requiring consideration of privacy by data users at the development stage of any products or services;
- direct liability of data processors;
- expansion of the application of Malaysia PDPA to data users outside of Malaysia that monitor and profile the personal data of Malaysian data subjects; to non-commercial activities; and to federal and state governments; and
- data subjects’ rights to pursue civil litigation against a data user.
Some key concepts in the Singapore PDPA, for example the establishment of the Do-Not-Call Registry and exemption of business contact information from the data protection provisions, are also introduced in the Paper for public feedback.
Considering the fast-paced development of technology in the past ten years, the review of this legislation is a commendable effort. The proposals in the Paper, if passed, will completely change how businesses in Malaysia handle data, as they envisage a data protection standard that is much higher than the country’s current regime. In general, businesses in Malaysia, small and medium-sized enterprises in particular, tend to take a more lax approach to handling personal data, given that the regulator only began taking enforcement actions fairly recently and these actions have thus far been focused only on specific data users. It will therefore be a huge step for businesses in Malaysia, involving considerable costs and resources, to comply with the new standard by rolling out a compliant data protection program and IT security arrangements.
Whether or not these proposals will have the intended effect of becoming enforceable laws in Malaysia remains to be seen.
Myanmar
In Myanmar, data privacy obligations are scattered across several pieces of legislation protecting data through confidentiality provisions and consent requirements. This means that personal information will primarily remain protected as confidential information through contractual obligations or through private claims being brought by individuals for breaches of confidentiality.
In comparison to Singapore and Malaysia, Myanmar still has a relatively old-fashioned legal framework in respect of privacy and data protection laws. The absence of specific legislation on data protection and the lack of a dedicated data protection authority have to date resulted in limited or no opportunities for individuals to seek information on their privacy rights or the protection of their personal data, and they also hamper individuals’ ability to seek redress or compensation in cases where such rights are violated. While the concept of personal data and the protection thereof has been added to the ET Law, that addition is not comprehensive considering the changing times. We hope to see a dedicated law on data protection in line with international standards in the coming years.
With the continuous progress of society and technology, the concept of privacy has significantly transformed and evolved. From using internet services to social interactions to cloud computing, every activity requires revealing personal data. The public in Asia as in the rest of the world has increasing concern about how their personal data is being used and stored. This heightens the importance of adequately protecting personal data, which calls for legislation and enforcement.
The increased dependence on technology and an ever-increasing information boom call for the establishment of a sound data protection regime. As this discussion has noted, several Asian countries are out in front in protecting their residents’ data, while others have longer to travel. To adequately protect the interests of all stakeholders (citizens, companies, as well as the government), the enactment and proper enforcement of data protection laws is essential.