New data portability and data innovation laws proposed in Singapore

The Consultation recognises that the modern business marketplace is a data driven environment. The proposed provisions aim to enhance the growth of the digital economy in Singapore by facilitating data sharing between local organisations and enhancing protections for data analytics output by putting in place measures to safeguard business investment in “derived data”.

We have provided a summary of the proposed measures below. The full text of the Consultation can be accessed here.

Proposed data portability obligations aimed at increasing competition and consumer choice

The primary incentive of introducing the right to data portability is to give individuals greater choice and control over their data by empowering them to overcome the issue of consumer lock-in and more easily switch between competitive service providers.

If implemented, an organisation that receives a “data porting request” from an individual will be obligated to provide the individual’s data (under the organisation’s possession or control) in a commonly used machine-readable format to another organisation nominated by the individual. This obligation will not extend to data intermediaries in relation to data that is processed for another organisation, however, organisations may engage intermediaries to respond to data porting requests on their behalf.

The proposed right is to be made available to all individuals, whether or not they are in Singapore, but will only apply to the transfer of data between organisations that have a presence in Singapore.

As data portability is intended to support the digital economy, organisations will only be obligated to transfer data held in electronic format. The PDPC proposes that the new obligation will only apply to data, that is:

• “user provided data” eg any other information that the individual has provided to the organisation, including data provided through third parties, and
• “user generated data” eg an individual’s transactions, purchase history, call logs, search history, steps count etc.

Further, a novel exception has been carved out for “derived data” as the PDPC notes it is an important safeguard to business innovation, (more on this below). This exception should provide welcome clarity for businesses as to what types of data are to be covered by a data porting request (in contrast to the ongoing debate as to the extent to which the data portability obligation in the EU General Data Protection Regulations (GDPR) should apply to user generated data and derived data).

The PDPC will be given powers to review refusals to port data, failures to port data within a reasonable time and fees charged for porting data. In addition, the PDPC will issue binding codes of practice in due course, which will lay out industry-specific guidelines on interoperability and security of data. The financial sector is the most likely to be the first sector affected by these changes, echoing similar trends in Europe and regionally, such as the UK’s Open Banking initiative and, more recently, the introduction of the consumer data right in Australia.

Proposed data innovation provisions to enhance business innovation uses

The proposed data innovation provisions will allow organisations to use personal data that they hold for appropriate “business innovation purposes” without the need to notify or seek consent from individuals. Business innovation purposes include:

• operational efficiency and service improvements
• product and service development
• better understanding customers.

The PDPC has clarified that while organisations may use personal data for “business innovation purposes” without notifying or seeking consent from individuals, the existing rules (including notification and consent in relevant circumstances) continue to apply to the collection and disclosure of personal data, even for such business innovation purposes. For example, the proposed provisions do not seek to change the rules around the requirement for consent to send direct marketing messages, even if there is a business innovation purpose involved. Equally, the proposed provisions do not circumvent the need for an organisation to seek consent if it intends to disclose or sell derived personal data and insights (such as a customers’ retail spending profile) to a third party.

Interestingly - but importantly in light of the increasing use of data analytics and AI applications - where an individual withdraws consent for the use or disclosure of their personal data for the purposes that it had been collected, organisations may nonetheless continue to use such personal data for business innovation purposes as long as is necessary for that organisation’s legal or business purposes.

In contrast, businesses looking to rely on the “legitimate interests” justification under the GDPR to conduct similar business innovation activities will be required to take additional steps to protect individual information, including requiring data users subject to the GDPR to conduct a balancing exercise to weigh their legitimate interests against the extent to which affected individuals may be prejudiced by such activities. In addition, the GDPR provides individuals with the right to object to the processing of their data based on the legitimate interests justification and also does not allow automated processing of personal data which would significantly impact individuals unless consent is first obtained.

Special “derived data” exceptions

As an important safeguard to business innovation and in recognition of the proprietary nature of business insights and information that organisations may derive as a result of their own investments in digital innovation, “derived data” will receive special treatment under the proposed amendments. “Derived data” is any new data element that is created through the processing of other data by applying business-specific rules and which, if disclosed, would reveal confidential commercial information that could harm the competitive position of the organisation. Examples of derived data include customised packages or offers based on user preferences, predicted travel patterns based on analyses of commuters’ travel histories.

In addition to being exempt from the proposed data portability obligation, it is also proposed that:

Derived personal data will not be subject to the right of access under the PDPA (although organisations will still be required to provide individuals with information about the ways in which the derived data has been used or disclosed within the one year preceding the date of a request)

Derived personal data will not be subject to the right of correction under the PDPA - that is, an individual will not have the right to request that an organisation correct an error or omission in its derived data about an individual (although organisations will continue to be required to adhere to obligations to maintain accurate and current records of personal data (including derived personal data)).

Next steps

These changes are of significant interest to companies across all sectors (although the financial sector will likely be the first sector where industry specific data portability guidelines will be focused). Interested parties are invited to provide their feedback on the proposed changes to the PDPC by email to corporate@pdpc.gov.sg by 5pm on 03 July 2019.

Please get in touch with us if you are interested in making a submission to the PDPC, or if you wish to discuss how this development may impact your business operations in Singapore.