Overview
Singapore has long been a regional banking and trading hub, but in recent years, as multinational companies in other sectors have moved their regional headquarters to Singapore, it is also emerging as a regional data hub.
This shift has implications for companies involved in US compliance and investigation activities in the Asia-Pacific region. US authorities require and expect that legal and compliance personnel will use data to support their work in these areas. For example, the DOJ's updated 2020 Guidance on the Evaluation of Corporation Compliance Programs describes its expectations that companies use data analytics in monitoring, assessing, and testing their compliance programs. These expectations are also reflected in the updated FCPA Resource Guide, published in July 2020. See our previous alerts on these topics here and here. Accordingly, to meet these expectations, companies operating in Asia Pacific will very likely have to deal with the collection and review of data located or hosted in Singapore.
In this advisory, we discuss Singapore's data protection policies, including data localization. We will also focus on the impact of the recent amendments to Singapore's main data protection legislation, the Personal Data Protection Act (PDPA), which took effect on February 1, 2021, including the new "legitimate interests" exception, for companies conducting data-driven compliance reviews and investigations involving Singapore-based data.
The Landscape of Data Protection in Singapore and its Policy on Data Localization
The PDPA governs an organization's collection, use, and disclosure of personal data in Singapore. In most cases, the PDPA requires the individual’s consent for collecting, using, and disclosing personal data.
When it comes to transferring data outside the country, Singapore, like the United States, has a long-standing policy against data localization. The reason for this lies in Singapore's reliance on data-driven services as a critical component of its economy, particularly the financial services industry. In a joint statement with the US Treasury Department in February 2020, in opposition to "generally applicable data localization requirements," the Monetary Authority of Singapore (MAS) stated that:
[d]ata localization requirements can increase cybersecurity and other operational risks, hinder risk management and compliance, and inhibit financial regulatory and supervisory access to information. Data mobility in financial services supports economic growth and the development of innovative financial services and benefits risk management and compliance programs, including by making it easier to detect cross-border money laundering and terrorist financing patterns, defend against cyberattacks, and manage and assess risk on a global basis.
As such, Singapore's policy on cross-border data transfers leans towards protecting data through "data adequacy" requirements. The transfer limitation obligation under the PDPA provides that data can be transferred outside Singapore if it would be accorded a standard of protection comparable to that afforded domestically by Singapore. It also relies on accountability frameworks, such as the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems, certifications under which were recently recognized as according the requisite standard of protection for cross-border data transfers under the PDPA.
What Does This Mean for US Investigations?
A company undertaking an investigation that requires collection, processing, review, and disclosure of Singapore-based personal data will generally follow the chain of inquiry described below to ensure compliance with the PDPA:
First, the company will confirm that it has obtained the requisite consent from relevant individuals. Most multinational companies should have in place a privacy policy which includes a general notice that any personal data they collect may be disclosed to foreign law enforcement agencies in relation to an investigation. Depending on the scope of the contractual language, this will usually satisfy the requirement for consent for collecting, using, or disclosing personal data.
Second, where the company is unable to obtain consent from relevant individuals, it will conduct a legal analysis to determine if an exception under the PDPA would apply. If the company's policies do not contain the requisite contractual language, the following exceptions to consent may apply under the PDPA: (a) the collection, use or disclosure of the personal data is "necessary for any investigation or proceedings" (the "investigations exception"); or (b) the collection, use or disclosure of the personal data is "necessary for the provision of legal services by the organization to another person, or for the organization to obtain legal services" (the "legal services exception"). Both exceptions will require the company to determine that such collection, use or disclosure is indeed necessary in the circumstances.
Lastly, the company will put in place measures to ensure that transferred personal data is accorded adequate protection by the recipient of the personal data outside of Singapore. When transferring the personal data out of Singapore, companies may rely on data transfer agreements (see below) and binding corporate rules to ensure they comply with the transfer limitation obligation under the PDPA.
While a company may engage data intermediaries, such as forensic experts, to collect, process, review, or transfer the personal data on its behalf, the company remains responsible for compliance with the PDPA. Thus, the company remains liable for any breach of the PDPA by its data intermediaries. As a result, companies usually include provisions in their written contracts with the data intermediaries that:
- Set out the obligations in relation to the personal data in question.
- Impose specific obligations on the data intermediaries, including restricting what the data intermediaries may do with the personal data, and mandating security measures to protect the personal data to a standard comparable with that under the PDPA.
- Ensure that the data intermediaries comply with relevant industry standards and certifications (e.g., APEC CBPR and PRP certifications, ISO 27001 certification on information security management).
- Provide for audits and inspections to ensure that the data intermediaries are complying with the PDPA.
Amendments to Singapore's Data Protection Laws and the Implications for Compliance Activities
On November 2, 2020, the PDPA was amended for the first time since its passage in 2012. Shortly thereafter, on November 20, 2020, Singapore's Personal Data Protection Commission (PDPC) introduced draft advisory guidelines on the PDPA's key amendments. The amendments will take effect in phases, beginning February 1, 2021. As the Singapore Parliament explained at the second reading of the PDPA's amendment bill, "profound changes in the data landscape, most notably in the sheer variety and volume of data that is being generated and its economic significance," gave impetus to the amendments, which would ensure that "[Singapore's] regulatory architecture… [evolves] and [keeps] pace with these magnitudinal shifts."
Key amendments include the following:
- Additional exceptions to the requirement for express consent, including: (1) the use of personal data for business improvement purposes; and (2) when it is in the organization’s legitimate interest to collect, use, or disclose an individual’s data (the "legitimate interests exception").
- Additional scenarios where an individual is deemed to have provided consent.
- A new obligation to transmit an individual's data to another organization when requested.
- A new mandatory requirement to report data breaches.
- An increase in the maximum financial penalty for data breaches.
Drafters in Singapore studied data protection practices in various other jurisdictions – including Australia, Canada, the European Union, Hong Kong, and New Zealand – and also solicited public feedback from four consultation exercises in proposing the amendments. The resulting bill represents a carefully considered decision as to where the needle should be placed to balance data protection and data connectivity.
Companies with Singapore-based data should keep the new legitimate interests exception on their radar. The PDPC's draft advisory guidelines list "detecting or preventing illegal activities (e.g. fraud, money laundering)" and "[conducting] further and necessary corporate due diligence on customers, potential customers and business partners in addition to existing statutory requirements," including "for the consolidation of official watch lists," as examples of legitimate interests. This provision could be important to internal compliance reviews or audits, whether conducted as part of an annual exercise or for risk management purposes, since neither such reviews or audits nor routine third-party due diligence falls clearly within the existing investigations and legal services exceptions.
With that said, the utility of the legitimate interests exception in practice remains to be seen, since use of the exception requires the organization to undertake several steps. For example, it would need to identify and mitigate adverse effects on the individual whose personal data is involved (which, broadly, includes any physical harm, harassment, serious alarm, or distress); conduct a risk assessment on whether its legitimate interests outweigh any residual adverse effect on the individual; and disclose its reliance on the exception to the individual (which can be done by including the appropriate language in its privacy policy). With these requirements in mind, it will be important for companies with regional bases in Singapore to consider how they can take advantage of the new exception to support the proactive compliance measures that regulators and enforcement agencies expect companies to take.
Conclusion
As a whole, the 2020 PDPA amendments reflect Singapore's continued recognition that data is a key economic asset, and data mobility is crucial for risk management and compliance purposes. Accordingly, Singapore's data protection laws are not meant to stifle, but instead are intended to support, the use of data in its increasingly digital economy, and at the same time, strengthen consumer trust and autonomy through pragmatic safeguards.
A company with a significant presence in Singapore will inevitably have to deal with businesses and counterparties in high-risk jurisdictions from an anti-corruption, anti-money laundering, and sanctions perspective. As such, when undertaking a proactive compliance review or an investigation, companies will likely have to grapple with Singapore's data protection laws when extracting documents stored in bits and bytes. However, far from a collision course, companies facing such a situation can, with the requisite knowledge and advice, navigate safely to shore.