Transfer of Personal Data Overseas from Singapore: Recent Enhanced Provisions
By Wun Rizwi | 2014/7/14 18:57:23


The recent enhanced provisions enacted under the Personal Data Protection Act 2012 (“the PDPA”) have provided some clarity as to the standards of compliance expected of organisations that have to transfer personal data collected in Singapore to a country or territory outside Singapore. The basic principle, known as the Transfer Limitation Obligation, prohibits an organisation from transferring any personal data outside of Singapore except in accordance with requirements prescribed under the PDPA.[1] The purpose of such requirements is to “ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under [the PDPA]” (“the Comparable Protection Standard”).

 

Regulations Specific to International Data Transfers

 

The new Personal Data Protection Regulations 2014 (“the 2014 Regulations”) issued under the PDPA on 19 May 2014, in particular Regulations 8 to 10, have now set out the conditions under which an organisation may transfer personal data overseas.[2]

 

In essence, before personal data is transferred overseas, the transferring organisation must:

 

(a)   take appropriate steps to ensure that it (the transferring organisation) has complied with the relevant provisions under the PDPA (“Condition (a)”); and

 

(b)   take appropriate steps to ascertain whether, and to ensure that, the receiving party of the personal data (“the Receiving Party”) is bound by legally enforceable obligations (in accordance with Regulation 10) to apply the Comparable Protection Standard to the transferred personal data (“Condition (b)”).

 

As the transferring organisation’s obligations under Condition (a) are a given, the more challenging issue is how a transferring organisation is expected to satisfy its obligations under Condition (b). Two points are pertinent.

 

Firstly, the term “legally enforceable obligations” is defined in Regulation 10 to include obligations imposed on the Receiving Party under any law, any contract, any binding corporate rules, and any other legally binding instrument.[3] In particular, a contract or binding corporate rules must require the Receiving Party to apply the Comparable Protection Standard to the transferred personal data.

 

Secondly, Regulation 9(3)(a)-(g) sets out a number of scenarios where a transferring organisation is presumed to have satisfied Condition (b). One interesting scenario arises under Regulation 9(3)(a), where the presumption is triggered if the individual consents to the transfer of the personal data to the Receiving Party in a foreign country or territory.[4]

Such consent is only valid[5] if:

 

• before giving his consent, the individual was given a reasonable summary in writing of the extent to which the personal data to be transferred will meet the Comparable Protection Standard;

• the transfer of personal data overseas, where consent to such transfer is required by the transferring organisation as a condition of providing a product or service, is reasonably necessary to provide the product or service to the individual; or

• the transferring organisation did not provide false or misleading information about the transfer of personal data overseas, or use other deceptive or misleading practices.

 

Also, consent for the transfer of personal data overseas may be withdrawn at any time.[6]

 

Issues Arising from Enhanced Provisions

 

Whilst the 2014 Regulations helpfully set out the structure that needs to be in place, parties should be aware of the following issues when transferring personal data overseas.

 

(1) Business and Security Risks

 

(a) Business Risks

 

If a transferring organisation seeks to impose, by contract, an obligation on the Receiving Party to apply the Comparable Protection Standard to the transferred personal data, it does not necessarily follow that the transferring organisation can enforce such an obligation in the country of the Receiving Party. Whether such an obligation is enforceable may depend to a large extent on the remedies available in the legal system in which the Receiving Party operates. It may also depend on the resources available to the Receiving Party to satisfy any such remedies. Enforceability in theory should therefore be distinguished from enforceability in practice.

 

As such, it may be prudent for the transferring organisation to satisfy itself by conducting appropriate due diligence on the Receiving Party, especially if it is not a transfer between companies within the same group of companies, where binding corporate rules are likely to apply to both the company based in Singapore and its related company overseas.

 

It may also be prudent to consider having in place measures such as business continuity and data recovery plans to ensure that service can be maintained in case of a disaster or an emergency and that any data loss will be recovered.

 

Furthermore, the transferring organisation should also consider the possible risks of the Receiving Party becoming insolvent, transferring its relevant business activities, or undergoing a change of management, ownership or control, and should provide for such possibilities in the contractual relationship.

 

(b) Security Risks

 

Transferring organisations should recognise that no system is absolutely fool-proof and that constant upgrading and updating are always required. It would be reasonable to assume that most transferring organisations would at least find out about, or conduct some form of due diligence on, the system that the Receiving Party has in place to protect the personal data that it receives.

 

In addition, a regular monitoring process for the security system in place would go some way towards early detection and would enable the Receiving Party and/or the transferring organisation to take early and decisive corrective or remedial measures. There are numerous ways to achieve this, but the underlying intention and result should be for the transferring organisation to satisfy itself that it has taken all reasonable steps to ensure that the personal data is housed with a Receiving Party that has a reasonable system of security for the protection of data in place. Needless to say, the Receiving Party having a proper data security policy in place would be a good start. In addition, the transferring organisation should consider having regular Threat - Risk - Vulnerability Assessments (“TRVA”) conducted on the security capabilities of the Receiving Party.

 

(2) Compliance Requirements

 

Transferring organisations should also be aware of specific compliance requirements. Organisations that are subject to specific regulations (such as the Sarbanes-Oxley Act) should be aware that some of these regulations require regular reporting and audit trails regarding the storage and use of data. Transferring organisations must prepare Receiving Parties to comply appropriately with these regulations.

 

(3) Contractual Issues

 

Apart from the security and compliance issues enumerated above, transferring organisations and their Receiving Parties should consider the issues that affect the relationship between them and provide for such terms accordingly. Such issues would include the apportionment of liability in the event of a data breach, compromise or loss, and provision for the end-of-service scenario and the ultimate return of data to the transferring organisation.

 

(4) Insurance

The possibility of insurance coverage is relatively new in this area but should be considered. Data security risks are on the rise, and insurance companies, becoming increasingly aware of such events, are taking steps to provide data owners with coverage against such risks. Transferring organisations should consider insurance coverage as an additional means of mitigating the risk of such loss.

 

Conclusion

 

The 2014 Regulations do not address every possible data protection risk and were likely not intended to do so. The purpose of the 2014 Regulations is to provide a measure of assurance to individuals whose personal data is being transferred overseas by imposing minimum requirements on the transferring organisation.

 

However, international data transfers involve cross-border jurisdictional issues, and the importance of setting out clearly the minimum contractual obligations of transferring organisations, even in a well-drafted contract, must always be balanced against the ability to enforce such obligations in the country of the Receiving Party.

 

Of equal practical importance is the ability to foresee and prevent such risks through a thorough background investigation of the Receiving Party, and to have regular TRVA conducted on the Receiving Party.

 

For more information, please contact:

 

Wun Rizwi

Partner

(65) 6381 6818

rizwi.wun@rhtlawtaylorwessing.com

[1] Section 26 of the PDPA.

[2] These provisions should be read together with Chapter 19 of the Advisory Guidelines on Key Concepts in the PDPA, as revised on 16 May 2014.

[3] Regulation 10(1) of the 2014 Regulations.

[4] Regulation 9(3)(a) of the 2014 Regulations.

[5] Regulation 9(4) of the 2014 Regulations.

[6] Regulation 9(5) of the 2014 Regulations.

The Compliance Reviews COPYRIGHT © 2013-19 All Rights Reserved. Supported by International Risk and Compliance Association and International Risk and Compliance Institute Limited. 沪ICP备10034943号-8