Companies around the world amass ever-increasing amounts of personal data. However, the GDPR and Singapore's PDPA are the only laws that are comprehensive in nature and cover almost all aspects of data protection. Even the United States of America and many other countries that are home to technology companies do not have laws that regulate the manner in which personal data is collected, stored and processed. The United States is therefore well behind when it comes to stricter regulation. Certain states do have their own privacy laws, but these are sector-specific only.
In this article, we will look at privacy laws in the United States and, briefly, at the General Data Protection Regulation (hereinafter referred to as GDPR) and Singapore's Personal Data Protection Act (hereinafter referred to as PDPA) for comparison purposes.
In the United States of America, the American Data Privacy and Protection Act is a framework intended to govern data privacy. “The data collected by the vast majority of products people use every day isn’t regulated. Since there are no federal privacy laws regulating many companies, they’re pretty much free to do what they want with the data, unless a state has its own privacy law. In most states, companies can use, share, or sell any data they collect about you without notifying you that they’re doing so. No national law standardizes when (or if) a company must notify you if your data is breached or exposed to unauthorized parties. If a company shares your data, including sensitive information such as your health or location, with third parties (like data brokers), those third parties can further sell it or share it without notifying you.” [1]
Summarizing the American Data Privacy and Protection Act:
- “Requires covered entities to minimize data collection to what is necessary
- Requires covered entities to ensure privacy by design and that users don’t have to pay for privacy
- Requires covered entities to allow consumers to turn off targeted advertisements
- Provides enhanced data protection for children and minors
- Provides consumers rights to access, correct, delete, port their data, and withdraw consent at any time
- Increases transparency on how companies collect and use data
- Provides greater protection to sensitive personal data
- More accountability measures for larger platforms.”[2]
Other Provisions
Information Security Breach and Notification Act: “Pursuant to New York’s General Business Law Section 899: any individual or company that conducts business in New York state and owns or licenses computerized data, which includes private information, is required to disclose any breach of the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. Private information is defined as personal information, such as individual’s name, number, personal mark, or other identifier used to identify such person in combination with one or more of the following data elements: social security number, driver’s license number or non-driver identification card number or account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.
If the organization must provide notice to any New York state resident, such organization must also notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons. If more than five thousand New York residents are to be notified at one time, the organization must also notify consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of persons affected. The state attorney general enforces this law, and pursuant to this section, is permitted to bring a cause of action against any organization that fails to comply with this breach notification law.”[3]
Social Security Number Protection Law: “This law prohibits organizations from disclosing an individual’s unencrypted social security number to the public, printing the social security number on any card or tag required to access products, services, or benefits, requiring an individual to transmit their social security account number over the internet, or printing a social security number on materials that are mailed to the individual, unless required by law. Under this law, a Social Security Account Number is defined as the number issued by the federal social security administration, as well as any number derived therefrom, such as the last four digits. The state attorney general is permitted to enforce this law, and there is no private cause of action.”[4]
GENERAL DATA PROTECTION REGULATION
GDPR sets out guidelines to protect the privacy of natural persons as well as their personal data. These guidelines prescribe an extensive set of mandatory procedures that companies across the EU must follow when storing, processing and sharing personal data. GDPR gives EU citizens greater control over their personal data and ensures that their information is securely protected across Europe, regardless of whether the data processing takes place in the EU or not, as set out under Article 3 of GDPR (territorial scope).
CONSENT MANAGEMENT UNDER GDPR:
GDPR treats “consent” as a very important factor when it comes to protecting and processing personal data. Its essentials require that:
1. The company must prove that there is a legitimate interest for storing and using the data, and
2. The company must be able to show how the data is collected and shared with any third party, and that explicit consent has been given by the user for both points 1 and 2 (the company will have to prove this).
Consent Conditions:
- Digitally record consent,
- State legal basis for storing personal data,
- Store the source from which the consent was obtained, and
- Store when, and by whom, the information was updated.
SUBSCRIPTION MANAGEMENT UNDER GDPR
When a contact has given consent to receive email marketing campaigns from a company, they should always retain the right to object or opt out of future marketing communications, according to GDPR. Prospects and customers decide for themselves what kind of information they want to receive and what type of content they do not want to receive. This way subscribers receive emails based on their interests, which GDPR encourages.
Managing Personal Data with Customer Relationship Management (CRM)
A CRM “software brings together all information from different departments throughout the company to give one, all-inclusive view of each customer and allows a company to manage and analyse its own interactions with its past, current and potential customers. Customer data, which goes into a CRM, is by default, also personal data. Different types of data have different rules for how it should be processed.”[5]
- Basic data such as names, addresses and phone numbers can be open to all employees within a company.
- Highly sensitive data such as bank account information, personal agreements and contracts require stronger security and appropriately restricted user access. Setting up routines and automated rules for how different types of personal data can and should be handled by a company is essential.
The European Commission has the power to determine, based on Article 45, whether a country outside the EU offers an adequate level of data protection.
The adoption of an adequacy decision involves:
- A proposal from the European Commission
- An opinion of the European Data Protection Board
- An approval from representatives of EU countries
- The adoption of the decision by the European Commission
Transfers of personal data to the country in question are then treated in the same way as intra-EU transmissions of data; the United States of America remains recognized by the European Commission. EU data protection rules apply to the European Economic Area (EEA), which includes all EU countries and certain non-EU countries. The “EU-US Privacy Shield” framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. It allows the free transfer of data to companies in the US that are certified under the Privacy Shield.
The Framework includes:
- Strong data protection obligations on companies receiving personal data from the EU
- Safeguards on US government access to data
- Effective protection and redress for individuals
- An annual joint review by EU and US to monitor the correct application of the arrangement.
The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organizations commit to a set of privacy principles (the EU-U.S. Privacy Shield Framework Principles). It applies to both controllers and processors (agents), with the specificity that processors must be contractually bound to act only on instructions from the EU controller and to assist the latter in responding to individuals exercising their rights under the Principles. The protection afforded to personal data by the Privacy Shield applies to any EU data subject whose personal data has been transferred from the Union to organizations in the U.S. that have self-certified their adherence to the Principles with the Department of Commerce.
Under Article 45, clauses 1 and 3: when assessing the adequacy of the level of protection, the Commission shall take account of the following elements:
- The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
- The international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
To comply with GDPR, it is important to have a comprehensive privacy policy. The policy needs to cover:
- Key company details, including the name and nature of the business,
- The kind of data collected,
- Where the information will be kept, and
- How the customer can get in touch if they would like their data removed from the system.
All customer data must be collected and stored legally according to GDPR rules. Customer service teams that use the cloud to store data must take security into consideration; choosing a high-security data centre in an EU-approved country should ensure this. Alternatively, organizations can use on-premises storage, in which case businesses should take steps to protect this data from internal errors and external security threats. Implementing passwords and using data encryption are ways to improve security.
Data controllers are subject to Article 32 obligations, which require organizations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Legally Binding Obligations:
- The entity to which the personal data is passed is located in a country whose data protection laws are just as strong as GDPR (as determined by the EU Commission).
- The entity to which the personal data is passed agrees, by a legally binding contract, to comply with the GDPR principles of data protection.
- The company has binding corporate rules.
Other Important Provisions of GDPR:
| Law | Provision |
|---|---|
| Article 2 of GDPR | This Regulation does not apply to the processing of personal data: 1. during an activity which falls outside the scope of Union law; 2. by the Member States when carrying out activities; 3. by a natural person during a purely personal or household activity; 4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. |
| Article 25(1) of Directive 95/46/EC | Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and the Member State laws implementing other provisions of the Directive are respected prior to the transfer. The Commission may find that a third country ensures such an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect the rights of individuals. In that case, and without prejudice to compliance with the national provisions adopted pursuant to other provisions of the Directive, personal data may be transferred from the Member States without additional guarantees being necessary. |
| Article 25(2) of Directive 95/46/EC | The level of data protection afforded by a third country should be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, including the rules of law, both general and sectoral, in force in the third country in question. |
| Article 44 of GDPR: General principle for transfers | Any transfer of personal data which is undergoing processing or is intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions in this Chapter shall be applied to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined. |
| Article 45 of GDPR: Transfers on the basis of an adequacy decision | A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization. |
| Article 46 of GDPR: Transfers subject to appropriate safeguards | In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. |
Personal Data Protection Act, 2012 of Singapore Overview
The purpose of the Personal Data Protection Act 2012 of Singapore is to govern the collection, use and disclosure of personal data by organizations in a manner that recognizes both the right of individuals to protect their personal data and the need of organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. “Personal data” is defined in the Act as “any data, whether true or not, about an individual who can be identified from that data or any other data/information to which the organization has or is likely to have access.”
Personal data in Singapore is protected under the Personal Data Protection Act 2012 (PDPA). The PDPA guarantees a standard data protection regime for any concerns regarding how personal data is being used. Not only the individuals providing their personal data but also the organizations must comply with the PDPA, and failure to do so carries serious consequences. Adhering to the PDPA further maintains individuals’ trust in the organizations that manage their data.
Part IV of the Act ensures that consent has been obtained from individuals before their personal data is collected, used or disclosed, and that the data is used only for the purposes defined under Section 20 of the Act. Further, it is necessary to inform individuals of the purposes for the collection, use and disclosure of their personal data.
Parts V and VI of the Act ensure that personal data is accurate and that an individual may request rectification of his or her personal data where necessary. Further, an organization shall protect the personal data in its possession from unauthorized access, use, copying or similar risks. An organization shall cease to retain documents containing personal data as soon as the purpose for which the personal data was collected is no longer being served and retention is no longer necessary for legal or business purposes, and shall securely destroy personal data when it is no longer needed. Further, under Section 26 in Part VI, an organization may transfer personal data outside Singapore only in accordance with the PDPA.
Parts VII and VIII provide for the relevant legislation and authorities, establishing a Data Protection Appeal Panel; any person who suffers loss or damage directly because of a contravention of any provision in Part IV, V or VI by an organization has a right of action for relief in civil proceedings before a court of law, the High Court and the Court of Appeal. Further, the Commission may, with the consent of the complainant and the organization, refer the matter for mediation. This Part also provides that the Commission may, if it thinks fit in the circumstances to ensure compliance with Parts III to VI, give the organization all or any of the following directions:
(a) to stop collecting, using or disclosing personal data in contravention of this Act;
(b) to destroy personal data collected in contravention of this Act;
(c) to comply with any direction of the Commission under section 28(2);
(d) to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.
Other relevant provisions: Part IX of the PDPA establishes the Do-Not-Call Registry, which imposes an obligation not to send marketing messages to individuals unless their consent has been obtained. Moreover, a number of advisory guidelines have been issued under Part X, which give better clarity on the interpretation of the PDPA.
TRANSFER OF PERSONAL DATA OUTSIDE SINGAPORE
How can organizations transfer personal data outside Singapore?
Organizations must generally comply with the transfer limitation obligation in the PDPA 2012. An organization may only transfer personal data outside Singapore if it has taken suitable steps, in accordance with the Act’s requirements, to guarantee that: (a) it will comply with the PDPA requirements (under Section 26 of the Act) in respect of the transferred personal data while it remains in its possession or under its control; and (b) the recipient outside Singapore is bound by legally enforceable obligations to provide a standard of protection to the personal data transferred.
“Legally enforceable obligations” refers to the responsibilities imposed on the recipient:
- Under law;
- Under any contract:
  - requiring the recipient to provide a standard of protection to the personal data transferred that is at least comparable to the protection under the PDPA; and
  - specifying the countries and territories to which the personal data may be transferred under the contract;
- Under any other legally binding instrument.
An organization would have satisfied the second requirement, ensuring that the recipient outside Singapore is bound by legally enforceable obligations, if the individual whose personal data is being transferred consents to the transfer of the personal data to the recipient in that country or territory. Where an organization is a data intermediary, that is, it processes personal data on behalf of and for the purposes of another organization pursuant to a written contract, that intermediary is not subject to the ‘transfer limitation obligation’, as specified in Section 4(2) of the Act, which states that it “shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organization pursuant to a contract which is evidenced or made in writing.”
Requirements:
The Personal Data Protection Commission (PDPC) has the power to exempt an organization from any prescribed requirement. The PDPC’s revised guidelines (Chapters 6 and 15) discuss key concepts of the transfer limitation obligation with respect to data intermediaries and state:
- An organization engaging a data intermediary should make clear in its contract with that intermediary the latter’s level of responsibility and the scope of work it is required to perform “on its behalf and for its purposes.”
- For any personal data processed pursuant to such a contract, the data intermediary has independent obligations in respect of the protection of personal data.
- Organizations engaging a data intermediary to process personal data on their behalf are responsible for complying with the ‘Transfer Limitation Obligation’, irrespective of whether the personal data is transferred by the organization to an overseas data intermediary or transferred overseas by a data intermediary in Singapore.
- Organizations should exercise appropriate due diligence and obtain assurances, when retaining a data intermediary, that it is able to meet these obligations.
- An organization must respond to an access request by providing access to the personal data requested, or by informing the individual that the access request is rejected where it has valid grounds not to provide access (Part V of the PDPA 2012); exceptions are set out in the Fifth Schedule of the PDPA.
- The grounds in Section 21(3) of the PDPA determine when “an organization shall not provide an individual with the individual’s personal data or other information.”
Implications:
Part X, Section 51 of the PDPA lists the offences and penalties regarding the transfer of personal data outside Singapore and provides that “a person shall be guilty of an offence if he makes a request under Section 21 or 22, as the case may be, to obtain access to or to change the personal data about another individual without the authority of that individual.”
Organizations must be careful in reviewing any contracts with a potential data intermediary. Agreements should include appropriate provisions on the permissible use and transfer of personal data and identify the overseas locations to which the data may conceivably be transferred, as well as provide assurances as to how the data will be protected.
An organization transferring personal data overseas has satisfied the requirement to take suitable steps ensuring that the recipient is bound by legally enforceable obligations to give the transferred personal data a standard of protection comparable to that under the PDPA if:
- The individual whose personal data is to be transferred gives his or her consent to the transfer. To rely on consent given by the individual, the organization should provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries and territories will be protected to a standard comparable to the protection under the PDPA.
- The transfer is necessary for the conclusion or implementation of a contract between the organization and the individual, or between the organization and a third party, which is entered into at the individual’s request or which a reasonable person would consider to be in the individual’s best interest.
- The transfer is necessary in situations where the consent of the individual is not required under the PDPA, specifically where the transfer is necessary for the personal data to be used under paragraph 1(a), (b) or (d) of the Third Schedule to the PDPA or disclosed under paragraph 1(a), (b), (c), (e) or (o) of the Fourth Schedule to the PDPA.
- Further, the organization has taken reasonable steps to ensure that such personal data is protected and that no risk factor whatsoever exists.
- The personal data is data in transit.
- The personal data is publicly available.
An individual may at any time withdraw any consent given, or deemed to have been given, under the PDPA upon giving reasonable notice to the organization (Sections 16 and 17 of the Act). Notification must be made in accordance with the requirements of the Act, which state that any collection and disclosure of data must be for purposes that a reasonable person would consider appropriate in the circumstances and that such purposes have been notified to the individual.
An organization must also do all of the following:
- Enter into written agreements with the data intermediaries to whom it transfers personal data and who process such data on its behalf, as required under the Act.
- Develop and implement the policies, practices and complaint-handling processes necessary for the organization to comply with the Personal Data Protection Act 2012 (PDPA), as required of organizations that collect and disclose personal data.
- Observe the offshore transfer restrictions in the PDPA, which require an organization to ensure protection to the standards set out in the Act when transferring personal data outside Singapore, by way of:
  - data transfer agreements,
  - the individual’s consent (with the required notices having been provided), or
  - transfers considered essential in certain prescribed circumstances.
- Alternatively, an organization may apply to be exempted from any requirement prescribed under the Act in respect of any transfer of personal data out of Singapore. An exemption may be granted on such conditions as the Commission may require.
This gives a general idea of the loopholes in the current laws, and of how the GDPR and the PDPA form a set of comprehensive laws governing data privacy globally. The penalties for breaching these laws run to almost 10 million to 20 million dollars, to be paid by the breaching company. What more can be done? Tell us in the comments section.
This article provides general information and comments on the subject matter covered and is not intended to provide legal advice. With respect to the subject matter, viewers should not rely on this information, but should seek specific legal advice before taking any legal action. Please do contact us in case any credits have not been mentioned; the same will be rectified. Any opinions expressed in this article are those of the author only.
[1] The State of Consumer Data Privacy Laws in the US (And Why It Matters) | Wirecutter (nytimes.com)
[2] Summary: American Data Privacy and Protection Act (US draft privacy bill) (medianama.com)
[3] A4ID_DataProtectionLaw.pdf (neighborhoodindicators.org)
[4] Ibid.
[5] https://apostletech.com/what-is-crm-and-how-can-your-business-benefit/