Joseph Roth Rosner
Privacy + Data Security
In the face of a growing threat of ransomware attacks on businesses and government infrastructure, the government of Singapore has been hard at work updating its data protection and data security laws. In just two months, Singaporean regulators have moved to introduce new laws requiring mandatory data breach notification, regulating cybersecurity forensics firms, certifying cross-border data transfers and domestic data privacy practices, and greatly expanding government involvement in the data security of critical information infrastructure (CII) industries.
As of yet, there is little detail or proposed regulatory guidance to accompany the proposed bills and no clear timetable has been set for enactment or, ultimately, compliance with the laws. However, organizations doing business in Singapore or processing the data of Singaporean residents would do well to familiarize themselves with the wide-ranging updates below, while keeping an eye on compliance down the road.
1. Privacy Law Amendments. The Singaporean Data Protection Commission (PDPC) is currently seeking feedback through September 21, 2017 on two proposed changes to the Personal Data Protection Act of 2012 (PDPA).
The PDPC has yet to propose a penalty scheme for violations of the proposed data breach reporting rules.
2. New Commissioner of Cybersecurity to Oversee Critical Information Infrastructure. On July 10, 2017, the Cyber Security Agency of Singapore (CSA) and Ministry of Communications and Information (MCI) published a draft of the Cybersecurity Act 2017 (the “Act”), with the goal of closely regulating the data security practices of CII industries via a new CSA Commissioner of Cybersecurity. The proposed requirements are extensive:
3. Updated Consent Framework. The PDPC proposes updating the existing consent requirements under the PDPA. For example, where individual consent is impractical to obtain, notice to the individual of the intended collection, use, or disclosure of their data could substitute for individual consent. Individual consent could also be waived if obtaining consent would undermine public interests. Both proposed methods of alternative consent would also require undertaking a privacy impact assessment.
4. Licensing of Cybersecurity Service Providers. The Act would also establish a mandatory licensing framework for cybersecurity forensics and monitoring service providers.
5. Creation of Singaporean Data Protection “Trustmark” Certification. The PDPC announced that it is in the process of rolling out its own data privacy certification to improve customer confidence in organizations that handle their personal data.
6. Enforcement and Increased Transparency. This month, the PDPC published its inaugural Personal Data Protection Digest. In addition to compiling previously posted enforcement decisions, the Digest notably contains eighteen case summaries of matters where the PDPC found organizations were not in breach of the PDPA. This increased transparency helps shine a light on the developing case law of privacy enforcement in Singapore, a welcome development particularly given the PDPC’s willingness to fine victims of breaches who failed to implement adequate data protection practices.
7. Cross-Border Regime Participation. Singapore issued a Notice of Intent to participate in the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems.
[1] “Cry, Cry Again: More Global Ransomware Attacks Reported,” Morrison & Foerster client alert, June 27, 2017 (available at https://www.mofo.com/resources/publications/170627-ransomware-attacks-reported.html).
[2] “Public Consultation for Approaches to Managing Personal Data in the Digital Economy,” Singaporean Data Protection Commission, July 27, 2017 (available at https://www.pdpc.gov.sg/legislation-and-guidelines/public-consultations#ACTR1).
[3] Through published guidance, the PDPC does currently recommend immediate notification of a breach to individuals where sensitive personal data has been affected. The PDPC also recommends reporting to the PDPC any breaches that might cause public concern or where there is a risk of harm to a group of affected individuals. See PDPC Guide to Managing Data Breaches, May 8, 2015.
[4] “MCI and CSA Seek Public Feedback On Proposed Cybersecurity Bill,” Cyber Security Agency of Singapore, July 10, 2017 (available at https://www.csa.gov.sg/news/press-releases/mci-and-csa-seek-public-feedback-on-proposed-cybersecurity-bill).
[5] See fn. 2 above.
[6] “Developing a Trusted Data Ecosystem to Support Singapore’s Digital Economy,” Singaporean Data Protection Commission, July 27, 2017 (PDF Media Release) (available at https://www.pdpc.gov.sg/docs/default-source/media/Seminar-2017-PR/pdps2017-media-release---(260717).pdf?sfvrsn=0).
[7] See fn. 6 above.
©1996-2017 Morrison & Foerster LLP. All rights reserved.