Singapore may soon mandate data breach notifications and data portability via amendments to the Singapore Personal Data Protection Act, or PDPA. The PDPA applies to all organizations that collect, use and disclose data in Singapore, and the PDPA has extraterritorial effect as it applies to all organizations collecting, using or disclosing personal data from individuals in Singapore (whether or not the company has a physical presence in Singapore).
The Personal Data Protection Commission (PDPC) issued a statement on March 1 confirming its intent to introduce a mandatory breach notification regime. The notification mandate would require organizations to notify both affected individuals and the PDPC when a data breach risks harm to individuals involved in the breach as well as notify the PDPC regardless of potential impact when there has been a significant data breach (when more than 500 individuals’ personal data is affected).
This proposal received widespread public support during recent public consultations. The PDPC also released a discussion paper on the benefits of data portability in late February 2019, signaling an intent to address data portability in future PDPA amendments.
Data portability allows individuals to have greater control over their personal data by requesting copies of their data held by an organization in a commonly used format as well as requesting that the organization transmit the data to another organization.
Allowing a copy of an individual’s data to be provided to another service provider at the option of the consumer avoids data silos, promotes consumer rights in the data context and boosts the flow of data in the economy. Companies can expect to see a draft bill with these changes from Singapore’s PDPC as early as 2020.
