Data Protection in Singapore
To transfer the personal data of EU residents to another country, that country must be recognised as providing adequate protection. This is not the case for Singapore: the CNIL indicates that the transfer of data to that country requires the use of tools. Yet the city-state does have legislation, so why is it considered insufficient?
The Personal Data Protection Act
Personal data is governed by the PDPA, the Personal Data Protection Act of 2012. This text provides a framework for the collection, use, disclosure and protection of data. Data subjects have the right to access and modify their data. Companies have the right to collect, use and disclose personal data only for legitimate and reasonable reasons.
It applies to companies that collect and process personal data of citizens of Singapore. The aim of this text is to strengthen the competitiveness of Singapore but also to guarantee its reliability for large companies.
Protection based on three pillars
The PDPA website outlines three fundamental pillars on which the legislation is based: consent, purpose and reasonableness. The consent pillar requires organizations to obtain the consent of the data subject in order to collect, use or disclose personal data.
Secondly, the purpose pillar requires them to justify what they do with personal data and, above all, to inform the persons concerned of the purposes of collection, use and disclosure. Finally, under the reasonableness pillar, the collection and processing of personal data must be carried out only for purposes deemed appropriate by a reasonable person.
An incomplete protection regime
There are reasons why Singapore is not considered to provide adequate protection. Unlike the GDPR, the Personal Data Protection Act is not complete: many important points are not addressed.
For example, the GDPR provides eight golden rules: the lawfulness of the processing, the purpose of the processing, the minimisation of data, the protection of sensitive data, the limited retention of data, security, transparency and the rights of the data subjects. However, the legislation in Singapore only contains provisions for lawfulness, the purpose of processing, preservation and the rights of persons.
In addition, penalties for non-compliant organizations are not high enough. The maximum is $500,000, which is very small when dealing with large groups, so the penalty is not really punitive and is of little use.
As a result, Singapore is far from having legislation recognized as adequate for data transfers.