The Personal Data Protection Commission launched a public consultation discus...

Insights

PDPC Consults on Data Portability and Data Innovation Provisions

Date
June 27, 2019
Author
OrionW

Provisions

The Personal Data Protection Commission (PDPC) launched a public consultation on the proposed data portability and data innovation provisions (the Consultation).  The Consultation supplements the data portability discussion paper previously issued in February 2019 and runs from 22 May to 17 July 2019.  

Data Portability Obligation

The Consultation expands on the proposed data portability obligation where an organisation must, when requested, provide an individual’s data held in its possession or control to be transmitted to another organisation with a presence in Singapore in a commonly used machine-readable format.  This obligation will apply to any organisation that collects, uses or discloses personal data in Singapore, with the exception of: (a) any individual acting in a personal or domestic capacity; (b) any employee acting in the course of employment; (c) any public agency; or (d) any organisation in the course of acting on behalf of a public agency.  Additionally, the obligation will not apply to a data intermediary, but applies to the organisation that engages the data intermediary.

The PDPC proposes that the obligation shall apply only to data held in electronic form, regardless of the method of data collection, which are provided by an individual to the organisation (user provided data) such as personal contact details and generated by an individual’s activities when using the organisation’s product or service (user activity data) such as transaction or search logs.  User provided data and user activity data may be personal data of third parties.  Unlike the current provisions of the Personal Data Protection Act (PDPA), the obligation will apply to business contact information (BCI).

The PDPC proposes exemptions to the data portability obligations for:

  • data which, if disclosed, would reveal confidential commercial information that could harm the competitive position of the organisation;
  • derived data, which refers to new data created through the processing of other data by applying business-specific rules. Examples include suggested posts on social media platforms or customised packages based on analysed data of an individual’s history; and
  • other grounds similar to the grounds for refusing an access request under the PDPA, including requests relating to opinion data or data subject to legal privilege.

When receiving and responding to a data porting request, an organisation must:

  • provide an avenue for individuals to submit requests;
  • verify and ensure the veracity of the request;
  • verify and review data to be ported before transmission;
  • inform the individual of the fees payable and period when data will be ported;
  • use easily accessible and affordable formats;
  • inform the individual of any rejection of request and the reason(s) for it;
  • preserve the requested data; and
  • take reasonable steps to cease transmission in the case of a request withdrawal.

The PDPC may also issue legally binding codes of practice that will apply to certain industries or sectors.  These codes of practices would include matters such as consumer safeguards, counterparty assurance, interoperability, and security of data.

In enforcing the provisions, the PDPC will have the power to review an organisation’s refusal to port data, failure to port data within a reasonable time and fees for porting data pursuant to a request.  On completion of the review, the PDPC is empowered to uphold the organisation’s refusal to port data or fees charged, or direct the organisation to port the data, reduce the fees charged, or suspend transmission of data where porting may not be desirable such as risk of fraudulent activity.

Data Innovation Provisions

The PDPC recognises that organisations may need to use personal data to (a) improve operational efficiency and service; (b) develop products and services; or (c) understand customers (collectively, business innovation purposes).  Therefore, to promote business innovation, the PDPC proposes to amend the PDPA to:

  • Allow organisations to use personal data for business innovation purposes without notifying individuals and obtaining their consent to use data for such purposes.  However, notification and consent would still be required to collect or disclose such personal data, unless an exception under the PDPA applies.
  • Clarify that organisations may retain data for business innovation purposes.
  • Exempt derived data from access and correction obligations.

Newsletter

Subscribe to
our newsletters

To subscribe, select the newsletter options that interest you (TMT, FinTech or DPC - Data Protection and Cybersecurity) and provide your details.

  • TMT - Technology, Media and Telecommunications
  • FinTech
  • DPC - Data Protection & Cybersecurity
Please read our Privacy Policy. You can unsubscribe at any time.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
contact us
OrionW LLC
Level 37, 16 Collyer Quay
Collyer Quay Centre
Singapore 049318

OrionW is a boutique law firm specialising in Singapore and cross-border corporate, commercial and regulatory matters, with a focus on technology, media and telecommunications (TMT) and financial technology (FinTech). We are dedicated to providing excellent legal service to clients at the leading edge of their markets.

OrionW LLC (UEN 201505714C) is a Singapore law practice incorporated with limited liability.