PERSONAL DATA PROTECTION
The GDPR And Its Impact In Singapore
The General Data Protection Regulation (“GDPR”) is a data privacy law passed by the European Parliament in 2016 and put into effect on 25 May 2018. One of the most important features of the GDPR is its extra-territorial scope, which implies that the GDPR can apply to businesses based outside the EU.

“With the GDPR, Europe is signalling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence.”[1]
– Ben Wolford, Editor in Chief, GDPR.EU
Scope of the GDPR
Article 3 of the GDPR stipulates the territorial scope of the GDPR. The GDPR would apply if:
- The company is in the EU even if its personal data processing takes place outside the EU.
- The company is not in the EU but offers goods and services, regardless of whether payment is necessary, to the people in the EU.
- The company is not in the EU but monitors the behaviour of people in the EU, as far as that behaviour takes place within the EU.
For situations 1 and 2 above, the key issue is whether the company is intentionally targeting people in the EU. Thus, if a Singaporean company provides services exclusively in Singapore but the service remains accessible from the EU, the Singaporean company will not be subject to the GDPR.
In situation 2 above, the intention of the company to offer goods and services to people in the EU is key. The mere fact that the company’s website can be accessed in the EU, or that the company’s website is in a language that is commonly used in the EU, is insufficient to establish an intention to offer goods and services to people in the EU.[2]
However, if the use of a language or currency that is commonly used in the EU is coupled with the possibility of ordering such goods and services in that language or currency, this may lead to a finding that the company intends to offer goods and services to people in the EU.[3]
Under situation 3 above, the key is to ascertain whether natural persons are being tracked online. In this regard, the use of personal data processing techniques such as profiling a person to determine their preferences is relevant.[4] Apart from tracking on the Internet, tracking through other technologies, such as wearables and smart devices, would also be considered.[5]
Examples where the GDPR is likely to apply:[6]
- A Singapore-based online store selling personalised family photo albums. The store’s website is available in French, Spanish and German, and payment can be made in Euros. The website also indicates that the albums would be shipped by post to France, Germany and Spain.
- A Singapore-based consultancy firm providing advice on retail layout to a shopping centre in Germany. The firm analyses shoppers’ movements in the shopping centre through Wi-Fi tracking.
- A Singapore-based travel agency offering tours in Asia with tour guides speaking English, German and French. The agency’s website advertises the tours in English, German and French and allows for payment to be made in Euros.
Examples where the GDPR is unlikely to apply:[7]
- A Singapore-based school offering online courses in German. The courses are available to any student with a sufficient level of German language skills. The school does not specifically advertise to students in the EU and only takes payment in Singapore dollars.
- A news content app developed by a Singaporean company which tracks users’ preferences and interests. The app is exclusively directed at the Singapore market, as is evident from the fact that it offers mostly Singapore-related content and that subscription payment is only available in Singapore.
- A Singaporean bank which has customers holding EU citizenship but currently residing in Singapore. The bank provides services only in Singapore.
Lawful data processing
Article 6 of the GDPR stipulates the instances where a company is legally allowed to process personal data. Data processing is justified if:
- The person whose data is being used has given specific, unambiguous consent to process the data.
- It is necessary to enter into a contract.
- It is necessary to comply with a legal obligation.
- It is necessary to protect the vital interests of the person.
- It is necessary in the performance of a task of public interest.
- The company has a legitimate interest in such data processing.
In situation 1 above, for data processing to be lawful, the GDPR requires that the consent given be specific, informed, unambiguous and freely given. The consent must also be given by a clear affirmative act. Therefore, silence, pre-ticked boxes or inactivity do not constitute consent. Additionally, the request for consent must be presented separately from other matters, using clear and plain language. Consent given can also be withdrawn at any time.[8] After consent is withdrawn, the individual has the right to have their data deleted.
However, in Singapore, the Personal Data Protection Act (“PDPA”) allows companies to rely on the concept of “deemed consent” to justify their data processing. An individual is deemed to have given consent so long as they have voluntarily provided their personal data to the company, or when they did not opt out after being notified that their data is being collected and used. Additionally, consent can only be withdrawn with reasonable notice.[9] After consent is withdrawn, there is no right for an individual to request that their data be deleted. However, while such data can still be retained, it can no longer be collected, used, or disclosed.[10]
Special categories of data
According to Article 9, the processing of the following types of data is prohibited:
- Data revealing racial or ethnic origin;
- Data revealing political opinions;
- Data revealing religious or philosophical beliefs;
- Data revealing trade union membership;
- Genetic data;
- Data concerning health;
- Data concerning a natural person’s sex life or sexual orientation.
The above prohibition does not apply if:[11]
- The individual whose data is being collected and processed has given explicit consent.
- Processing is necessary to protect the vital interests of the person.
- It is in the public interest to process the data, in particular processing data in the field of employment law, social protection law and for health security.
- It is necessary for reasons of public health such as in the management of health-care services.
- It is necessary for scientific or historical research purposes or statistical purposes.
- It is necessary for the establishment, exercise or defence of legal claims.
Under Singapore’s PDPA, there is no separate category for “sensitive” personal data, and no specific prohibition in relation to the processing of such data. However, the PDPC has recommended that personal data of a sensitive nature should be subject to a higher standard of protection. This includes implementing additional measures when processing sensitive personal data.[12]
Transferring data out of the EU
According to Article 45, personal data can only be transferred out of the EU to a recipient country where the European Commission has decided that the recipient country provides an adequate level of protection.
A list of recipient countries which the European Commission has approved for transfer can be found in the Official Journal of the European Union.
Under Singapore’s PDPA, transfer is allowed so long as the recipient country has a comparable standard of data protection as the PDPA.[13]
Reporting data breach
According to Article 33, the company must notify the supervisory authority of the data breach no later than 72 hours after becoming aware of the breach, unless such breach is unlikely to pose a risk to the rights and freedoms of natural persons.
According to Article 34, the company must also, if the breach is likely to pose a high risk to the rights and freedoms of natural persons, notify the affected individuals of such breach.
Penalties
Article 83 stipulates the penalties for infringements of the GDPR.
For severe violations (such as unlawful data processing in breach of Article 6, or breaching the conditions of consent under Article 7), a company is subject to administrative fines of up to 20 million Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
For less severe violations (such as failure to implement data-protection measures in accordance with Article 25, or failure to report a data breach in a timely manner in accordance with Article 33), a company is subject to administrative fines of up to 10 million Euros or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Since its implementation, several major companies have been at the receiving end of the GDPR’s harsh sanctions. In May 2023, tech giant Meta was issued a record-breaking fine of 1.2 billion Euros by the Irish Data Protection Commission for its transfer of personal data from the EU to the US without adequate data protection measures.[14]
Conclusion
The extra-territorial scope of the GDPR implies that Singapore-based businesses can be subject to the GDPR. Thus, it is important for Singapore businesses to be well-informed of the GDPR and ensure compliance should they fall within the reach of the GDPR.
It bears noting that there are significant differences between the GDPR and Singapore’s PDPA. Thus, compliance with the PDPA does not automatically equate to compliance with the GDPR. Singapore businesses with substantial European dealings or presence may need to first ascertain whether the GDPR applies to them and, if so, take steps to implement relevant measures to ensure compliance with the GDPR in addition to the PDPA.
References
[1] Ben Wolford, “What is GDPR, the EU’s new data protection law?” <https://gdpr.eu/what-is-gdpr/> (accessed 15 February 2024)
[2] Recital 23 of the GDPR.
[3] Ibid.
[4] Recital 24 of the GDPR.
[5] European Data Protection Board, “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) Version 2.1” (12 November 2019)
[6] Ibid.
[7] Ibid.
[8] Recital 32 of the GDPR.
[9] Personal Data Protection Commission, “How the PDPA applies to individuals” <https://www.pdpc.gov.sg/Overview-of-PDPA/Data-Protection/Individual/Individuals-Overview> (accessed 14 February 2024)
[10] Personal Data Protection Commission, “Top 5 FAQs on PDPA” <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Resource-for-Individuals/poster—top-5-faqs-on-pdpa.pdf> (accessed 15 February 2024)
[11] Recital 52 of the GDPR.
[12] DPO Connect – Personal Data Protection Commission, “Being Accountable to Stakeholders” <https://www.pdpc.gov.sg/-/media/Files/PDPC/DPO-Connect/Sept-19/Being-Accountable-To-Stakeholders#:~:text=Identify%20and%20protect%20personal%20data,is%20of%20a%20sensitive%20nature.> (accessed 15 February 2024)
[13] Personal Data Protection Commission, “Advisory Guidelines on Key Concepts in the PDPA (revised 27 July 2017)” <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/the-transfer-limitation-obligation—ch-19-(270717).pdf> (accessed 15 February 2024)
[14] Dan Milmo and Lisa O’Carroll, “Facebook owner Meta fined €1.2bn for mishandling user information” (22 May 2023) <https://www.theguardian.com/technology/2023/may/22/facebook-fined-mishandling-user-information-ireland-eu-metal> (accessed 19 February 2024)
© Infinity Legal LLC 2024
Infinity Legal LLC thanks and acknowledges Intern Valencia Wan for her contribution to this article.
[Last Updated: 20 February 2024, 5:27pm]