On 19 March 2012, Singapore's Ministry of Information, Communications and the Arts (MICA) published its third consultation in relation to proposed new data protection laws for the country. The new consultation phase runs until 30 April 2012 and the final draft is then expected to be put before Parliament in the third quarter of this year. This article sets out some of the key things you need to know about the new proposals.
Why have a data protection law?
A consolidated data protection law offers many advantages for Singapore. For individuals, the change will bring protection in relation to privacy and use of personal information that other citizens in other countries around the world already enjoy including Hong Kong, Europe and Australia. As data becomes an ever more valuable commodity for businesses and the digital world means that it can be collected, used and disclosed on an ever increasing and instantaneous scale, individuals want to know that those that are behind such activities are subject to scrutiny and enforcement in how they conduct their activities.
From an economic perspective, data is big business and only getting bigger. In order to compete on an international scale, Singapore needs to be able to demonstrate that it is a good and safe place to do business in relation to data as much as it already does in other areas. International companies wanting to source suppliers or for example to locate data centres in particular need to know that the choice they make ensures that data will be held securely and processed responsibly in order to comply with the laws of their own territories as well as to make transfers of such data easier.
What has changed since the last draft?
MICA conducted a robust consultation as well as analysis into various data protection regimes already existing internationally. The new draft incorporates various amendments as a consequence of such process.
One key change is the inclusion of a distinction between data controllers - being those who control personal data and are subject to the legislation - and data "intermediaries". The latter being those who simply act on behalf of the data controllers and don't have primary responsibility or liability. The previous draft had made no such distinction.
Other key changes include giving protection to the data of deceased individuals up to 10 years from the date of death, the inclusion of new exceptions for collection use and disclosure for artistic and literary purposes and a confirmed sunrise period of no less than 18 months from the date the law is passed to allow for implementation. In addition, more details have been included around the "Do not call registry" which will now apply to specific communications (currently for marketing purposes although this could later be extended) and will include the ability for businesses to register as well as individuals.
Sign up for CIO Asia eNewsletters.