Who will need to comply with the new law?
Any organisation that collects or uses personal data that has a link to Singapore (for example, data from a person who is present in Singapore, or data that is used there). "Organisation" extends to individuals, companies, associations and bodies corporate, but the focus is on the private sector. Government agencies and individuals acting in a domestic capacity are therefore not caught.
It is also interesting that MICA has confirmed that the new law would extend to organisations even where they are not physically located in Singapore. For example, a UK e-commerce company which accepts orders from a Singaporean customer and uses their data to provide the service, and perhaps to send them marketing communications, would need to comply. MICA has accepted, however, that investigation and enforcement outside of Singapore may be difficult or indeed impossible.
What impact will it have on Singapore businesses?
For most companies in Singapore, this law is big news and will involve time and cost to put new procedures in place to ensure compliance. Many international organisations operating in Singapore will already be familiar with navigating data protection regimes, however, and this change will simply mean that Singapore operations will need to be brought into the mix. In such a case, it is important to note that the Singaporean data protection law is not just a "copycat" piece of legislation; it contains some important differences from laws in other countries.
Over time, however, the rules may actually make business easier as consumer confidence grows with the added protections provided, and as cross-border opportunities open up where Singapore is recognised as providing adequate protections for companies wishing to transfer data to or through Singapore.
What do I need to do now?
The legislation is still in draft form so there is no compliance required now. Once the consultation closes at the end of April, a few more changes could be made but it is not anticipated that these would be major amendments at this stage given the consultation already undertaken. If the law is passed towards the end of this year, organisations will also still be given around 18 months to ensure they are compliant.
However, organisations would be urged to seek advice now as to the key areas in which their business may be affected, particularly if they may be undertaking internal restructuring or making systems or procurement decisions over the next year or two, where such issues should be taken into account now in order to avoid potentially costly moves.
The author is a partner at Olswang in Asia.