Directors Lim Chong Kin and David Alfred contributed to the Singapore Jurisdiction Report of the ABLI-FPF Consent Project
19 Sep 2022
The Asian Business Law Institute (ABLI) and Future of Privacy Forum (FPF) have recently published a report on the role and limits of consent under Singapore’s data protection laws as part of a series of reports on various jurisdictions in Asia Pacific region. The contributors for the Singapore jurisdiction report were our very own Mr Lim Chong Kin and Mr David N. Alfred.
Singapore’s Personal Data Protection Act 2012 (PDPA) was enacted in 2012 and came into force in 2014. The PDPA was reviewed and amended in 2020 (amendments came into force in 2021) to introduce a number of new requirements, including some changes to the consent regime under the PDPA. Consent has played an extremely vital role in PDPA since it was enacted. In particular, in the absence of any other permitted basis to collect, use or disclose personal data about an individual (a data subject), an organisation may only collect, use or disclose such data only if:
- the organisation has obtained the individual’s definite or actual consent (which may be expressed or implied) for the collection, use, or disclosure of his/her personal data; or
- the individual’s is deemed to consent to such collection, use or disclosure under the PDPA.
Under the PDPA, the requirement to obtain consent was subject to a number of exceptions which, if effect, are other legal bases for collection, use and disclosure of personal data. The 2020/2021 amendments to the PDPA organised the exceptions into categories that reflect common legal bases under other jurisdictions data protection laws, such as “vital interests of individuals”, “matters affecting the public” and “legitimate interests” (amongst others). The 2020/2021 amendments also introduced a new category of exceptions for business innovation purposes.
Organisations that seek to transfer personal data out of Singapore must either provide the data with, or apply to the data, a standard of protection that is similar to that under the PDPA. However, organizations are taken to have fulfilled this requirement if they obtain the individual’s consent for the transfer of the individual’s personal data out of Singapore after giving the individual a “reasonable summary in writing of the extent to which the transferred personal data will be protected to a comparable standard.”
To find out more, please click here to read the full report.