International Law News, Winter 2022

Data Privacy in the ASEAN Region

William Greenlee

Summary

  • During these daunting days of widespread economic disruption and global pandemic, many governments are striving to strike a balance between promoting a vibrant local business environment, ensuring adequate cyber-security, and protecting people's personal data.
  • These interests are often at odds and can occasionally be in direct conflict with one another. There is, however, growing pressure to be more proactive in protecting individuals' personal data.
  • The European Union's landmark General Data Protection Regulation, which came into force on May 25, 2018, replaces the 1995 EU Data Protection Directives and sets out higher and stricter international standards of data protection for businesses.

During these daunting days of widespread economic disruption and global pandemic, many governments are striving to strike a balance between promoting a vibrant local business environment, ensuring adequate cyber-security, and protecting people’s personal data. These interests are often at odds and can occasionally be in direct conflict with one another. There is, however, growing pressure to be more proactive in protecting individuals’ personal data.

Thus far, Europe has been on the cutting edge of data protection. The European Union’s landmark General Data Protection Regulation (“EU GDPR”), which came into force on May 25, 2018, replaces the 1995 EU Data Protection Directives and sets out higher and stricter international standards of data protection for businesses. The EU GDPR introduced groundbreaking concepts including a person’s right to be forgotten, the right to data portability, and the requirement on data users to observe “privacy by design and by default.” These steps marked a huge leap in strengthening individuals’ right to privacy.

This rising tide has not been confined to Europe. In the wake of the EU GDPR, many other governments have begun initiating consultation processes and reviewing their relevant legislation to emulate the high benchmark set by the European Union (the “EU”) and to assuage growing concerns of consumers regarding their data security and privacy. Several US states also have proposed strong data protection laws. Most notably, within a month of the EU GDPR entering into force, California passed the first and one of the United States’ most sweeping pieces of consumer data privacy protection legislation, the California Consumer Privacy Act (“CCPA”). In 2018, Brazil published its first comprehensive data protection law, the General Data Protection Law (the Lei Geral de Proteção de Dados, or LGPD), which is largely aligned with the EU GDPR and CCPA.

With the EU being ASEAN’s second largest trading partner, it comes as no surprise that in 2020 several ASEAN jurisdictions launched a series of public consultations seeking feedback from privacy experts and the general public to further enhance data protection in their local regulatory frameworks.

Nonetheless, the vast majority of ASEAN member states have yet to institute data protection laws. Singapore, Malaysia, and the Philippines remain the only countries with some relevant enforceable data protection regulations and functioning data protection regulatory bodies. Thailand’s data protection legislation was passed in May 2019, but it is now in a two-year grace period before enforcement kicks in. Other ASEAN countries like Cambodia, Myanmar, and the Lao PDR continue to use laws with broader application, typically transactional and/or telecommunications-related, to provide some privacy protection to their citizens.

In view of the global momentum toward enhanced data privacy, this article provides a broad look at how data security is currently regulated in three ASEAN jurisdictions: Singapore, Malaysia, and Myanmar. Each has a different level of sophistication in its data protection regime, which also sheds light on where these jurisdictions stand with data protection regulations in the global context. In detailing the data protection regulations in these three vastly different jurisdictions, this article will also touch upon the less apparent societal realities that distinguish them and that shape the regulations themselves, for example cultural attitudes toward the rule of law, the role of government, and the role of companies and the internet. These underlying socio-cultural factors may smooth (or complicate) the implementation of regulation.

The first part of the article will set out the data protection regulatory framework in each of these countries. The second part consists of a comparison chart to highlight the differences in data protections and recent developments in each framework. The article closes with some reflections on the current significant shifts in global data protection standards.

Third of a Three-Part Series

Overview of the Regulatory Framework of Data Protection

Singapore

A. Personal Data Protection Act 2012

The Singapore Personal Data Protection Act 2012 (“Singapore PDPA”) is the principal legislation regulating the collection, use, and disclosure of personal data by organizations in Singapore. The Singapore PDPA is administered by the Personal Data Protection Commission (the “PDPC”) which is part of the Infocomm Media Development Authority, under the purview of the Ministry of Communications and Information.

The Singapore PDPA does not apply to personal data that is contained in a record that has been in existence for at least 100 years; or to personal data about a deceased individual who has been dead for more than ten years.

Parts III and IV of the Singapore PDPA also exclude the application of its main data protection provisions (i.e., provisions governing the collection, use, disclosure, access, retention or cross-border transfer of personal data – the “Data Protection Provisions”) to:

  • any individual acting in a personal or domestic capacity;
  • any employee acting in the course of his or her employment with an organization;
  • any public agency or organization acting on behalf of any public agency; and
  • business contact information (name, position name or title, business telephone number, business address, business e-mail address, or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes).

Categories of Protected Data

(a) Personal data

The Singapore PDPA defines “personal data” as data, whether true or not, about an individual who can be identified from that data; or from that data with other information to which an organization has or is likely to have access.

(b) Sensitive personal data

The Singapore PDPA does not have a separate category or definition for “sensitive personal data” but the concept is introduced in recent advisory guidelines and decisions issued by the PDPC.

Key Concepts under the Singapore PDPA

The Singapore legislation uses generic terms in referring to data controllers, data subjects, and data processors; they are:

  • (a) “Organization,” which broadly covers any individual, company, association, or body of persons, corporate or unincorporated, that carries out activities involving personal data whether or not (i) they are formed or recognized under the laws of Singapore; or (ii) are resident or have a place of business in Singapore.
  • (b) “Individual,” referring to a natural person, whether living or deceased.
  • (c) “Data intermediary,” referring to an organization which processes personal data on behalf of another organization but does not mean an employee of that other organization.

The terms “process” or “processing” mean the carrying out of any operation or set of operations in relation to personal data and include recording, holding, organization, adaptation or alteration, retrieval, combination, transmission, erasure, or destruction of personal data.

1. Data Protection Provisions

The Singapore PDPA focuses on three main concepts:

  • Consent: Organizations may collect, use, or disclose personal data only with the individual’s knowledge and consent (with exceptions);
  • Purpose: Organizations may collect, use, or disclose personal data in an appropriate manner in particular circumstances, but only if they have informed the individual of the purposes for the collection, use, or disclosure; and
  • Reasonableness: Organizations may collect, use, or disclose personal data only for purposes that would be considered appropriate to a reasonable person in the given circumstances.

In line with the concepts above, the Data Protection Provisions of the Singapore PDPA set out nine main obligations with which organizations must comply if they undertake any activities relating to the collection, use, or disclosure of personal data. Each of these obligations is explained in comprehensive detail in the Key Concepts Guidelines issued by the PDPC. In summary, these guidelines lay out the following obligations:

  • General rules (Part III): An organization must develop and implement appropriate policies and practices to meet obligations under the Singapore PDPA; accept and respond to complaints; communicate to staff regarding the policies and practices; and make such information available on request.
  • Collection, use, and disclosure of personal data (Part IV): When handling personal data, an organization must have reasonable purposes, provide notification of such purposes, and obtain prior consent from individuals for the collection, use, or disclosure of personal data.
  • Access and Correction (Part V): An organization must, upon request, allow individuals to access and correct their personal data and provide information about the ways in which the data has been used/disclosed during the year before the request. An organization must carry out the requested correction unless such a request can be refused in line with prescribed exceptions under the Singapore PDPA.
  • Care of personal data (Part VI): An organization must take care of personal data (which relates to ensuring accuracy of data), protect personal data (including protection in the case of cross-border transfers), and not retain any personal data no longer needed.

2. Transfer of personal data outside of Singapore

The cross-border transfer of personal data is subject to the following restrictions:

  • (a) the transferring organization must comply with the Singapore PDPA while the transferred personal data remains in its possession; and
  • (b) the transferring organization must ensure that the recipient is bound by legally enforceable obligations to afford the data a standard of protection that is at least comparable to that under the Singapore PDPA.

The mechanisms to achieve the above include obtaining the individual’s prior consent for the overseas transfer; entering into a data transfer agreement imposing on the recipient of the data a standard of protection that is comparable to that under the Singapore PDPA (data users may refer to model clauses recommended by the PDPC for this purpose); or relying on one of the circumstances listed under the Singapore PDPA in which the transfer is necessary.

3. Data intermediary’s liability

The Data Protection Provisions are generally imposed on organizations and not the data intermediaries. Data intermediaries are only independently subject to the Data Protection Provisions relating to protection and retention of personal data and not to any other Data Protection Provisions.

As such, although processing of the data may be carried out by a third-party data intermediary, the organization will remain fully responsible in respect of the personal data processed on its behalf as if the personal data had been processed by the organization itself.

Therefore, when engaging a third-party service provider or contractor to process data on its behalf, an organization should ensure that the responsibility and scope of work of the service provider are clearly stipulated in the contract in compliance with the Singapore PDPA. In addition, it is good practice for the organization to undertake an appropriate level of due diligence beforehand, to ensure that the potential data intermediary is capable of complying with the Singapore PDPA.

4. Do-not-call Registry

In addition to data protection, the Singapore PDPA also provides for the establishment of a national Do Not Call (“DNC”) Registry which allows individuals to register their Singaporean telephone numbers to opt out of receiving any marketing phone calls, mobile text messages, or faxes from any organizations in Singapore (“DNC Provisions”).

Among others, organizations must comply with the following stipulations when sending marketing messages to any Singapore telephone numbers:

  • Check the relevant DNC registries to confirm the telephone number is not listed, unless clear and unambiguous consent for the sending of such messages has been given;
  • Provide information identifying the sender of the marketing message and how the recipient can contact the sender; and
  • Neither conceal nor withhold the calling line identity of the sender of the marketing message.

The PDPC has also issued extensive Advisory Guidelines on the DNC Provisions to help businesses comply with these provisions. Among others, the guidelines set out the types of messages that are covered and excluded from the DNC Provisions, the time period to retain documentary evidence of individuals’ consent to marketing messages, and other related matters.

5. Obligation to appoint a data protection officer

Every organization is required to appoint at least one data protection officer (“DPO”) to oversee the data protection responsibilities within the organization and ensure compliance with the Singapore PDPA. The registration of DPOs with the PDPC remains a voluntary (though recommended) procedure.

B. Sector-specific obligations

Certain categories of data are subject to sector-specific legislation, such as customer information obtained by financial institutions under the Banking Act (Cap. 19) and user information under the Securities and Futures Act (Cap. 289), both of which are under the purview of the Monetary Authority of Singapore.

These sector-specific laws operate alongside the Singapore PDPA. In other words, in handling personal data, organizations have to comply with the Singapore PDPA in addition to the specific requirements applicable to their respective industry. In the event of any inconsistency, the Singapore PDPA provides that the provisions of the sector-specific laws will prevail.

To address the unique issues that may arise in certain specific sectors, the PDPC, in consultation with industry players, has also issued advisory guidelines for:

  • (a) Telecommunications;
  • (b) Real estate agencies;
  • (c) Education;
  • (d) Health care; and
  • (e) Social services.