The Personal Data Protection Commission ("PDPC") just came out with some new advisory guidelines (the "Guidelines") today concerning the Transfer Limitation obligation.
Briefly, the Transfer Limitation obligation refers to an obligation in the Personal Data Protection Act 2012 ("PDPA") that requires any organisation transferring personal data out of Singapore to ensure that the receiving party will protect the personal data it receives to a standard comparable to that which the data would receive under the PDPA in Singapore. This particular obligation is aimed at preventing scenarios where organisations transfer personal data out of Singapore in order to abuse it.
So far, the position has been that an organisation may transfer personal data if the recipient is bound by legally enforceable obligations ensuring that the personal data transferred receives a standard of protection that is comparable to that which it would receive under the PDPA.
The Guidelines reinforce this position by describing "legally enforceable obligations" as including obligations imposed on the recipient under:
In practice, this would mean that if you were transferring personal data to an overseas third party, you'd enter into an agreement to ensure that the third-party recipient will abide by the PDPA. If you were transferring personal data to an overseas branch or office of the same organisation, you'd make sure you have binding corporate rules that require all branches and offices of the organisation to abide by the PDPA.
Here's where the Guidelines get confusing.
Section 19.3 of the Guidelines states that an organisation will be taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations if:
Point 1 clearly relates to consent.
Points 2 and 3 suggest that where a transfer is necessary, you can imply consent or consent would be deemed to have been given.
Point 4 is an exception to the requirement to obtain consent. It echoes the Third and Fourth Schedules of the PDPA which state that consent is not necessary for use or disclosure of personal data if such use or disclosure is necessary to respond to those types of emergencies.
Point 5 is a technical issue in which data passing through another country on its way to its final destination is not considered to be transferred to the country which it is transiting through.
Point 6 is an exception to the requirement to obtain consent. It echoes the Second, Third and Fourth Schedules of the PDPA which state that consent is not necessary for the collection, use or disclosure of personal data if the data is publicly available.
None of the points seem to relate directly to imposing any sort of legally enforceable obligation upon the recipient even though at first glance they may give the appearance of creating exceptions to the types of "legally enforceable obligations" described earlier (i.e. law, contract, binding corporate rules or any other legally binding instrument).
Is this an internal inconsistency in the Guidelines? It certainly leaves me feeling confuzzled (confused and befuddled), because it's unclear how any of those points would have any impact on whether an organisation has taken steps to impose legally enforceable obligations upon an overseas recipient. It's probably a good idea to keep your eyes peeled for further updates to the Transfer Limitation Guidelines; hopefully the PDPC will clear this up soon.
Associate Director, Bernard & Rada Law Corporation