Organizations should implement the security measures necessary to protect the personal data in their possession or under their control, including when that data is transferred from one server to another, whether within or outside Singapore. Doing so avoids breaching the Transfer Limitation Obligation under the Personal Data Protection Act (PDPA) and facing the consequences that such a breach may bring.
The Transfer Limitation Obligation
The Transfer Limitation Obligation, set out in Section 26 of the PDPA, restricts an organization’s ability to transfer personal data outside Singapore. In particular, section 26(1) stipulates that an organization may not transfer personal data to a country or territory outside Singapore unless it complies with the requirements prescribed under the PDPA, which are intended to ensure that personal data so transferred receives a comparable standard of protection. This requirement not to transfer personal data except in conformity with the prescribed standards is referred to as the Transfer Limitation Obligation in these Guidelines.
Transfer Limitation Obligation: Conditions for transfer of personal data overseas
The regulations made under the PDPA spell out the specifics of when and how organizations may send individuals’ personal data abroad. In essence, an organization may transfer personal data outside Singapore if:
- it has taken appropriate steps to ensure that, while the transferred personal data remains in its possession or under its control, the data will be handled securely and in accordance with the Data Protection Provisions; and
- the recipient, being located in a country or territory outside Singapore, is bound by legally enforceable obligations to provide the transferred personal data with a standard of protection comparable to that under the Singapore Personal Data Protection Act (PDPA).
In this sense, legally enforceable obligations include the following:
- any law;
- any contract that:
  - i. requires the recipient to ensure at least comparable protection for the personal data transferred to the recipient; and
  - ii. specifies the countries and territories to which the personal data may be transferred pursuant to the contract.
- any binding corporate rules that:
  - i. require every recipient of the transferred personal data to provide a level of protection that is at least comparable to the protection under the PDPA; and
  - ii. specify the recipients of the transferred personal data to which the binding corporate rules apply, the countries and territories to which the personal data may be transferred pursuant to the binding corporate rules, and the rights and obligations provided by the binding corporate rules; or
- any other legally binding instrument.
An organization transferring personal data overseas is deemed to have complied with the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection comparable to that under the PDPA if:
- The individual whose personal data is to be transferred consents to the transfer of his personal data, subject to certain conditions;
- The transfer is necessary for the performance of a contract between the organization and the recipient;
- The transfer is essential for the conclusion or fulfillment of a contract entered into at the individual’s request or which a reasonable person would believe to be in the individual’s interest;
- The transfer is necessary for a use or disclosure in specific cases where the consent of the individual is not required under the PDPA, such as use or disclosure necessary to react to an emergency that threatens an individual’s life, health, or safety. In such cases, the organization may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed for other purposes by the recipient;
- The personal data is data in transit; or
- The organization has obtained the consent of the individual.
Scope of contractual clauses
When drafting contractual clauses that oblige the recipient to provide the transferred personal data with a standard of protection at least comparable to that under the PDPA, a transferring organization should, at a minimum, include the following protections:
The preceding table represents the position under the PDPA that certain Data Protection Provisions are not applicable to the processing of personal data by a data intermediary on behalf of and for the purposes of another organization pursuant to a written contract. However, it is assumed that organizations employing such data intermediaries will have, as part of their processing contract, imposed responsibilities that assure protection in the relevant areas.
Data in transit
The term “data in transit” describes personal data that passes through Singapore en route to a destination outside Singapore without being accessed, used, or disclosed by any organization in Singapore (other than the transferring organization or an employee of the transferring organization acting in the course of his employment). One type of data that is in transit is information that originates outside of Singapore but is ultimately destined for transmission to servers in Singapore. Organizations that send personal data abroad are deemed to comply with the Transfer Limitation Obligation while such data is in transit.
Breach of Transfer Limitation Obligation by Belden Singapore Pte Ltd
A recent decision released by the PDPC involving Belden Singapore Pte Ltd underscores the importance of observing the Transfer Limitation Obligation under the PDPA. For breaching that Obligation, Belden was issued a warning by the PDPC.
In this case, the PDPC was notified on November 19 and 20, 2020, of a data breach incident in which an unauthorized third party gained access to the Belden Group’s business servers and exfiltrated information, including the personal data of the organizations’ employees. The incident exposed the personal data of 126 people associated with Belden Singapore and 63 people associated with Grass Valley Singapore Pte Ltd.
The main Human Resources functions of Belden Singapore Pte Ltd are conducted by Belden Inc., which is headquartered in St Louis, Missouri, United States. With this, Belden Singapore transfers the personal data of its employees to Belden Inc.
Similarly, when the Grass Valley entities, formerly part of the global Belden Group and including Grass Valley Singapore Pte Ltd, were acquired by another company, the personal data of Grass Valley Singapore’s employees was transferred to Belden Inc. and stored on Belden Inc.’s servers under the terms of the acquisition.
While the PDPA does not generally apply to Belden Singapore Pte Ltd on the basis of the processing of this personal data in Singapore, it applies on the basis of its failure to comply with the Transfer Limitation Obligation. Under this obligation, organizations must ensure that personal data transferred overseas is protected to a standard comparable with the Data Protection Provisions. The Belden Group sought to meet this by putting in place a binding intra-group contract, the Global Data Transfer Agreement (GDTA), which governs the terms on which the various Belden entities transfer personal data to one another.
However, the GDTA was not legally binding on Belden Singapore, as it had not acceded to the GDTA. For Belden Singapore to be bound by the GDTA, it would have had to execute a Deed of Accession, and its failure to do so was the cause of the breach of the Transfer Limitation Obligation.
Although Belden Singapore Pte Ltd breached the Transfer Limitation Obligation by not signing a Deed of Accession prior to the incident, the Deputy Commissioner decided only to issue a warning, considering that the breach was technical and that the failure to comply with the legal formalities was not substantive in nature.
What this case shows is how seriously the PDPC treats the legal formalities put in place to protect the personal data of individuals. Without the signing of the Deed of Accession prior to the incident, there was no legally enforceable obligation to ensure that the personal data transferred from Singapore was afforded a level of protection comparable to that provided under the PDPA.
This serves as a landmark case for future reference: prior to any transfer of personal data from Singapore, all formalities must be completed to avoid any fines that could be imposed.
How a DPO adds value in this matter
A Data Protection Officer (DPO) oversees an organization’s data protection responsibilities and ensures that it complies with the Personal Data Protection Act (PDPA). Every organization’s DPO should therefore be able to curb instances of obligation breaches, being the officer responsible for maintaining the organization’s cybersecurity and data protection posture.
DPOs complement the efforts of organizations by making sure that, before personal data is transferred outside Singapore, the transfer complies with the PDPA and the recipient has already put in place a comparable standard of protection for the personal data being transferred.