Cross Border Data Privacy – A Guide for Singapore Businesses
All Organizations in Singapore need to comply with the Transfer Limitation Obligation in the Personal Data Protection Act (PDPA) to facilitate cross border data privacy.
This means that any personal data transferred outside Singapore must be accorded a standard of protection comparable to that required under the PDPA.
What is Cross Border Data Privacy?
Cross-border data privacy involves the safe movement of electronic personal data around the world. It also requires the organization initiating a transfer of personal data to ensure that the receiving party has an adequate level of protection in place.
Cross Border Data Privacy Laws: 5 Best Practices to Ensure Compliance
- Prepare Researched and Detailed Arguments for Court: If a cross-border data protection law prevents the Organization from producing data, it must be ready to explain to the court why this is so. Probable examples are a breakdown of the law, metrics, and a summary of burden versus benefit.
- Update Litigation Readiness Plans, Implement, and Review: A litigation readiness plan prepares Organizations for handling possible cross-border protection law compliance issues in court. An organization may need to change its litigation hold or data preservation practices if these could interfere with relevant requirements under international law.
- Update and Review Data Security Measures: Inadequate data security measures can hinder compliance with both domestic litigation requirements and international privacy laws. Furthermore, an organization should constantly review its security programs to ensure data protection and decrease breach risks.
- Update Information Governance Programs, Review, and Implement: A strong information governance program helps Organizations comply with cross-border data protection laws efficiently. An organization should have a detailed information governance program in place so employees can quickly identify where data is located. Organizations should consider modifying their information systems and structures if they know these could interfere with compliance.
- Research Relevant Data Protection Laws: Organizations should keep current on any changes in relevant laws that affect their current or future cases. Becoming educated helps in formulating an effective compliance plan. If a case requires compliance with another nation’s laws, they should understand what data those laws protect and how they interact with the case’s discovery demands.
Disclosing Personal Data outside Singapore
In disclosing or transferring personal data to offshore third parties, including subsidiaries, an organization must ensure that it has obtained the individual’s deemed or specific consent to the transfer (unless exemptions apply). If the disclosure was not made known at the time the data was collected, additional consent is required unless exemptions apply.
Cross-border data privacy compliance also requires organizations to enter into written agreements with the data intermediaries to whom they transfer personal data and who process that data on the organizations’ behalf.
The written agreement typically consists of the sending organization ensuring that the receiving organization has in place “comparable protection” to the requirements set out in the PDPA’s Protection Obligation when personal data is transferred outside Singapore.
The agreement also needs to state that the individuals to whom the personal data belongs have given consent (and that the required notices have been provided), or that the transfer is viewed as necessary in certain prescribed circumstances (which include the performance of a contract between the transferring Organization and the individual, subject to certain conditions being met).
An Organization may also apply in writing, with valid and compelling reasons, to be exempted from any requirement prescribed for cross-border data privacy in respect of a transfer of personal data out of Singapore. There are also certain conditions under which an Organization is deemed to have complied with the regulations, for example when data is in transit or when individuals have provided explicit consent.