Something about the Personal Data Protection Regulations 2014 ("PDP Regulations") has me going in circles.
A key requirement for transfers of personal data out of Singapore is that the Transferor takes appropriate steps to ensure that the Recipient is bound by legally enforceable obligations to provide a comparable standard of protection to the personal data being transferred. (PDP Regulations, s. 9(1)(b))
"Legally enforceable obligations" includes any law, contract to protect the transfer of data ("Data Transfer Agreement", or "DTA"), binding corporate rules or any other legally binding instrument. (PDP Regulations, s. 10(1))
The requirement for legally enforceable obligations can also be satisfied in a few other ways. One way is that the obligation will be deemed satisfied if the individual consents to the Transferor's transfer of the personal data to the Recipient in that country or territory. (PDP Regulations, s. 9(3)(a))
However the individual will not have consented if, amongst other things, the individual was not given a reasonable summary in writing of the extent to which the personal data to be transferred to that country or territory will be protected to a standard comparable to the protection under the Act. (PDP Regulations, s. 9(4)(a))
Having set out that background, here is what's circular:
On more than one occasion I have encountered Transferors asking whether they can rely on individual consent to avoid having to enter into a DTA with Recipients, but as it stands, "individual consent" does not presently appear to be a viable way of avoiding entering into an agreement.
Associate Director, Bernard & Rada Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.