Love.Law.Robots. by Ang Hou Fu


It’s going to be a busy week! I’ll be attending the conferences below:

Here are the sessions that I am looking forward to:

SCCE Singapore Regional 2022

Of all the conferences, this is probably the one with the most practical topics I can apply to my work. So, although maintaining those Continuing Education Units for my certification is a serious challenge (40 points in 2 years?! Video conference at 1am?! 🤮), membership is still very useful to me.

Compared to last year’s regional, I think this one has far more breadth and indeed some depth into hot topics like ESG and Digital Data Management. Hot favourites like compliance training and supply chain management make an appearance too.

I am particularly curious about the finale: “Are robots running the compliance program?” Automation in compliance is that small victory that I think cash- and human resource-strapped compliance departments should look into. From the handout, the “automation” is Microsoft Power Automate, which while simple to understand and used in many corporate environments, is not as widely applicable compared to something like Zapier. Let’s see what new ideas I will get!

Related post: “Automate Boring Stuff: Get Python and your Web Browser to download your judgements” (Love.Law.Robots.)

IAPP Asia Privacy Forum

They took a long time to flesh this out — back when I bought the early bird ticket in early June, half of the programme was labelled to be confirmed. I’m glad they managed to flesh this out. It’d be my first IAPP Conference even though I have been a member and am CIPP/A-certified since 2019.

I am a pretty practical person, so I am going to list things that have meaning to me.

  • “Building Privacy Technology Into Your Privacy Programme” — Privacy by Design is one of those revolutionary concepts introduced by the GDPR that you probably don’t hear enough about. Privacy engineering has always been very fascinating to me too.
  • “Towards Innovative and Global Solutions for Trans-Border Flow” — The biggest challenge in Singapore isn’t really complying with the PDPA here but dealing with the implications of having an open economy. In my context, a regional HQ is a hub for data flows, so having an interesting way to handle them will be useful.
  • “Implementing Privacy in Yet-to-Mature Geographies” — Related to the previous point, we are in a region where jurisdictions have not had much experience in privacy. Thailand recently made its GDPR-like law effective. Indonesia is still toying with the idea. India’s comprehensive data protection law appears to be trapped in legislative purgatory. Coping strategies will be very much appreciated.

Alongside the IAPP Asia Privacy Forum, the Singapore PDPC also organises a Singapore version of the conference. The topics seem quite interesting, but given my decreasing focus on data privacy in recent years, I am going to give it a pass.

TechLaw.Fest

It’s my third TechLaw.Fest and my first in person!

Actually, I don't know whether this is an in-person event. Something about the metaverse.

I count myself as a sceptic of the metaverse and was actually profoundly upset that the programme focuses almost entirely on this topic. Compared to last year where there was an even spread, this year looks like an advertorial to convince you that there is something special.

Related post: “Three Things: TechLawFest 2021” (Love.Law.Robots.) — a debrief on the TechLawFest in Singapore with three key takeaways.

Anyway, I am still sorting out my registration because, frankly, the organisation of this event is messy this year.

I will be hiding out in the Tech Talks section this year. I don’t want to hear a big talk about a fad which no one will care about in a year or two. The metaverse is like cryptocurrency and NFTs; somebody is pouring lots of money into it but nobody honestly has high hopes about it.

Related post: “Live by the Code… Die by the Code?” (Love.Law.Robots.) — the excitement about cryptocurrency and NFTs has turned to panic and loss. Will something different take its place?

Some of the things I wish they covered:

  • The fallout from cryptocurrency and NFTs: This is an awesome topic for litigators and restructuring professionals, with all the news going around of bank runs, fraud and corporate dissolutions. To be fair, I have a suspicion that this is going to be covered in “What Happens in the Metaverse Doesn’t Stay in the Metaverse: How Laws Apply Such That In-world Crime Could Mean Real-world Punishment” on the Main Stage on 22 July 2022.
  • AI Regulation — I believe there are some major advances in the field (in Europe, I think?) and this is a topic that is getting closer to law and regulation once the technology is more mainstream. The IMDA also released its own AI Governance Testing framework and toolkit in May, so I am surprised nobody wants to talk about it here.
  • I wouldn’t complain about learning more about legal operations. To be fair, “The Virtual Lawyer: How Digitalisation is Changing the Business of Law” on the Main Stage on 21 July 2022 seems related. I am going to be rather peeved if it’s about how I can appear as an avatar to my colleagues… as if using Microsoft Teams wasn’t lame enough.

The past two years have forced a reckoning that the brick-and-mortar law office may not be as essential to lawyering as was assumed by many for a long time. In this session, we hear from a range of legal professionals wrestling with digitalisation and the business of law. #tlf22 pic.twitter.com/ShnH1DRCup

— TechLaw.Fest (@TechLawFest) July 13, 2022

Conclusion

There's going to be lots to do, and I am going to practice live tweeting this year so that I would get better at it. Last year, I tried to write a roundup but it was really tiresome, so please follow me on Twitter!


Love.Law.Robots. – A blog by Ang Hou Fu

Regular readers might have noticed the disappearance of articles relating to the Personal Data Protection Commission’s decisions lately. However, as news of the “largest” data breach in Singapore came out, I decided to look into this area again.

My lack of interest paralleled changes in the environment that had allowed me to keep up to date on them:

  1. The PDPC removed their RSS feed for the latest updates;
  2. I am not allowed to monitor their website manually; and
  3. The PDPC started issuing shorter summaries of their decisions, which makes their work more opaque and less interesting.

Looking at this area again, I wanted to see whether the insights I gleaned from my earlier data project might hold and what would still be relevant going forward.

Related post: “Data Science with Judgement Data – My PDPC Decisions Journey” (Love.Law.Robots.) — an experiment in applying what I learnt in Data Science to the area of law.

Something big struck, well, actually not much.


The respondent in the case that had attracted media attention is Reddoorz, which operates a hotel booking platform in the budget hotel space. The cause of the breach is as sad as it is unremarkable — they had left the keys to their production database in the code of a disused but still available version of their mobile app. Using those keys, bad actors probably exfiltrated the data. This is yet another example of how lazy practices in developing apps can translate to real-world harm. They even missed the breach when they tried to perform some pen tests because it was old.

PDPC | Breach of the Protection Obligation by Commeasure: read the PDPC’s enforcement decision here.

The data breach is the “largest” because it involved nearly 6 million customers. Given that the resident population in Singapore is roughly 5.5 million, this probably includes people from around our region.

The PDPC penalised the respondent with a $74,000 fine. This roughly works out to be about 1 cent per person. Even though this is the “largest” data breach handled under the PDPA, the PDPC did not use its full power to issue a penalty of up to $1 million. Under the latest amendments, which have yet to take effect, the potential might of the PDPC can be even greater than that.

The decision states that the PDPC took into account the COVID-19 situation and its impact on the hospitality industry in reducing the penalty amount. It would have been helpful to know how much this factor had reduced the penalty to have an accurate view of it.

In any case, this is consistent with several PDPC decisions. Using the PDPC’s website’s filters, only three decisions doled out more than $75,000 in penalties, and a further 4 doled out more than $50,000. This is among more than 100 decisions with a financial penalty. Even among the rare few cases, only 1 case exercised more than 25% of the current limit of the penalty. The following case only amounts to $120,000 (a high profile health-related case, too!).

The top of the financial penalty list (As of November 2021). Take note of the financial penalty filters at the bottom left corner.

This suggests that the penalties are, in practice, quite limited. What would it take for the PDPC to penalise an offender? Probably not the number of records breached. Maybe public disquiet?

In a world without data breaches


While the media focuses on financial penalties, I am not a big fan of them.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Unfortunately, we don’t live in a world without data breaches. The decisions, including those mentioned above, are filled with human errors. Waiting to get caught for such mistakes is not a responsible strategy. Luckily, the PDPA doesn’t require the organisation to provide bulletproof security measures, only reasonable ones. Then, the crux is figuring out what the PDPC thinks is enough to be reasonable.

So while all these data protection decisions and financial penalties are interesting in showing how others get it wrong, the real gem for the data protection professional in Singapore is finding someone who got it right.

And here’s the gem: Giordano. Now I am sorry I haven’t bought a shirt from them in decades.

There was a data breach, and the suspect was compromised credentials. However, the perpetrator did not get far:

  • The organisation deployed various endpoint solutions
  • The organisation implemented real-time system monitoring of web traffic abnormalities
  • Data was regularly and automatically backed up and encrypted anyway

Kudos to the IT and data protection team!

Compared to other “Not in Breach” decisions, this decision is the only one I know to directly link to one of the many guides made by the PDPC for organisations. “How to Guard Against Common Types of Data Breaches” makes a headline appearance in the Summary when introducing the reasonable measures that Giordano implemented.

The close reference to the guides signals that organisations following them can have a better chance of being in the “No Breach” category.

An approach that promotes best practices is arguably more beneficial to society than one that penalises others for making a mistake. Reasonable industry practices must include encrypting essential data and other recommendations from the PDPC. It would need leaders like Giordano, an otherwise ordinary clothing apparel store in many shopping malls, to make a difference.

A call from the undertaking


The final case in this post isn’t found in the regular enforcement decisions section of the PDPC’s website — undertakings.

If you view a penalty as recognising a failure of data protection and “no breach” as an indicator of its success, the undertaking is that weird creature in between. It rewards organisations that have a data protection system for taking the initiative to settle with the PDPC early, while recognising that there are still gaps in its implementation.

I was excited about undertakings and called them the “teeth of the accountability principle”. However, I haven’t found much substance in my excitement, and the parallel with US anti-corruption practices appears unfounded.

Between February 2021, when the undertaking procedure was given legislative force, and November 2021, 10 organisations spanning different industries went through this procedure. In the meantime, the PDPC delivered 21 decisions with a financial penalty, direction or warning. I reckon roughly 30% is a good indicator that organisations use this procedure when they can.

My beef is that very little information is provided on these undertakings, which appears even shorter than the summaries of enforcement decisions. With very little information, it isn’t clear why these organisations get undertakings rather than penalties.

Take the instant case in November as an example. Do they have superior data protection structures in their organisations? (The organisation didn’t have any and had to undertake to implement something.) Are they all Data Protection Trust Mark organisations? (Answer: No.) Are they minor breaches? (On the surface, I can’t tell. 2,771 users were affected in this case.)

My hunch is that (like the Guide to Active Enforcement says) these organisations voluntarily notified the PDPC with a remediation plan that the PDPC could accept. This is not as easy as it sounds, as you might probably engage lawyers and other professionals to navigate your way to that remediation plan.

With very little media attention and even a separate section away from the good and the ugly on the PDPC’s website, the undertaking is likely to be practically the best way for organisations to deal with the consequences of a data breach. Whether the balance goes too far in shielding organisations from them remains to be seen.

Conclusion

Having peeked back at this area, I am still not sure I like what I find. There was a time when there was excitement about data protection in Singapore, and becoming a professional was seen as a viable place to find employment. It would be fascinating to see how much this industry develops. If it does or it doesn’t, I believe that the actions and the approach of the PDPC to organisations with data breaches would be a fundamental cause.

Until there is information on how many data protection professionals there are in Singapore and what they are doing, I don’t think you will find many more articles in this area on this blog.


A lot of people in Singapore know about the Personal Data Protection Act in Singapore (PDPA). A lot of people also know about the Personal Data Protection Commission (PDPC). The PDPC enforces the PDPA. The PDPC has a good reputation amongst most Singaporeans for its proactive approach to protecting the personal data of ordinary Singaporeans. To most people, this is the data protection regime in Singapore. Full stop.

Far fewer people (and I dare say professionals too) are aware that there is a “right to private action” hidden somewhere in the PDPA. Section 48O, to be exact.

Now who would want to experience the stresses of litigation, paying legal fees (most of which can't be recovered) and the prospect of losing?

Someone with an axe to grind, like the parties in Bellingham v. Reed. It's the first case to test the right to private action in the High Court of Singapore (and possibly the Court of Appeal as well). As a result of the parties' honourable public service, we now know the limitations of the right to private action.

A Private Action Goes Nowhere

This tortured litigation started when a fund manager moved to a competitor. To drum up the new business, the fund manager contacted a potential customer using information from his previous role. What started as a breach of confidence action suddenly morphs into a data protection action when the fund manager's ex-employers added the affected data subject to the litigation.

In the court below, the data subject obtained a court order for the fund manager to stop using his data. This was in spite of the fund manager already stating clearly that he would not be using the personal data of the data subject or contacting him.

The appeal turns on whether the data subject suffered “loss and damage” as a result of the breach of the PDPA. On the facts, a monetary loss seems far-fetched. The data subject argued instead that he suffered “distress and loss of control over personal data”. This wasn't a type of damage commonly recognised under the law, like personal injury or monetary loss. Did the PDPA create a new kind of damage to be found under a private action?

The High Court held that the answer is no. The PDPA “was not driven by the need to protect an absolute or fundamental right to privacy”. A “privacy right” was not part of Singapore's constitution or implied by Singapore's international obligations. The Court commented that:

The purpose of the PDPA was as much to enhance Singapore’s competitiveness and to strengthen Singapore’s position as a trusted business hub as it was to safeguard individuals’ personal data against misuse.

Since the data subject only suffered distress and loss of control over personal data, which were not recognised under the law, the appeal succeeded and the data subject's orders were set aside.

Leave the Private Action Behind

Oddly, the balance struck here could eviscerate the private action under the PDPA. What kind of damages can an affected individual claim for a breach of data protection obligations other than distress and loss of control over their own data?

On the key question of whether the PDPA's private action recognises new heads of damages such as emotional distress or loss of control over personal data, I don't expect the Court of Appeal to come up with a different answer. There might be alternative explanations, but the policy behind it is quite clear.

Firstly, a right of private action would probably end up with lots of litigation against companies, many of which can be for fairly minor breaches. We might be using too much judicial resources on many small matters. Companies might end up being stuck in a mire of lawsuits instead of innovating.

Secondly, many of the structures of the legal system in Singapore would not benefit such private actions. This includes the nearly complete absence of class action suits in Singapore. A private suit is likely to be an exhausting and expensive affair, which would leave many individuals out in the first place.

Thirdly, and this was recognised at the High Court at paragraph 94, there are better avenues for individuals to vindicate themselves. Most importantly, the PDPC has powers to enforce the PDPA, and many of these remedies mirror what an individual would most likely want from an action. This includes the dreaded financial penalty, the basis of which is on compliance with law rather than what loss or damage was suffered. It's notable that an affected individual can appeal the PDPC's decision.

Related post: “Will Increased Penalties Lead to Greater Compliance With the PDPA?” (Love.Law.Robots.) — when the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order.

Furthermore, the Protection of Harassment Act (which has received far more attention from the government) could provide a more effective route for any intrusion into privacy.

So even though it appears odd that the private action would be extremely limited under the PDPA, this “balance” might be palatable. The private action looks likely to remain as a relic for the most irrational parties. It speaks volumes that the only reported case of a private action in more than 5 years of the PDPA is going to the Court of Appeal.

Is a Constitutional Right necessary?

While I agreed with the result, the reasoning left me unsatisfied. By adamantly insisting that the PDPA was different from other privacy and data protection regimes in western liberal democracies, the High Court appeared to suggest that we compromised something by striking a balance. Or worse, that we are involved in a bait and switch whereby we have meaningless rights in the PDPA.

Any talk about human rights should keep a close eye on its efficacy, in this case whether data subjects can enforce their rights effectively. It's quite clear that individuals can't realistically take companies to task on data protection on their own. The PDPC has had far more success using its enforcement powers.

So, maybe the Court of Appeal can come up with a better way to explain this. However, I wouldn't be holding my breath on this one. This case is a rare sighting, and cases like this will remain rare.

In the meantime, we should train our focus on the PDPC. Full stop.


This one flew under the radar for some time. Jigyasa was first decided in March 2020 and then reconsidered almost a year later in 2021. (It was published in March 2021, and I am not sure whether the original decision was ever published in 2020 because neither I nor my robots noticed it). During that period of time, COVID happened. Ostensibly, that event allowed the penalty to be reduced from $90,000 to $30,000. Given the circumstances, it might be quite a reprieve for this respondent. Overall though, the decision brings troubling news for everyone else.

To summarise the details, the respondent is a sole proprietor providing Human Resource services. It is a small outfit dealing in “an extremely niched industry”. The personal data consisted of confidential 360 performance reports. As far as I am aware, 360 reports are generally prepared for upper, and middle management folks and consist of such good nuggets as “person should handle more complex responsibilities” and “slow support”. They were released in the wild through a misconfigured web application. The proprietor has no idea what these things do. As a result, these reports stayed on the Internet for 7 years.

Thing 1: The original penalty was harsh

As I mentioned, a $90,000 penalty is eye-catching. You don’t need a big data science chart to figure that out. Just play with the levers on the PDPC’s search, and you will find only three organisations that scored a $90,000 or higher penalty: Ninjavan, SingHealth and IHiS. They aren’t sole proprietors.

If you want a big data science chart though, I can share one from a project I did last year.

This is up to March 2020, so it does not include the latest cases since then. Other notes in the original post still apply.

Ninjavan can be justified on the sheer scale of the breach (over 1 million persons affected). SingHealth and IHiS can be justified on the sheer scale (over 1 million persons affected, including the Prime Minister), as well as the medical data involved. To join this rarefied gang, we have Jigyasa, which left reports of 671 people online, causing (at least) one of the affected to fail his job interviews for over two years (allegedly).

Since we are doing this exercise, let’s move slightly lower than the $90,000 penalty. In Horizon Fast Ferry (2019), a company operating ferry services exposed the personal data (including passports) of nearly 300,000 passengers. They didn’t have a data protection policy or officer either. Frankly, they didn’t tell their contractor to do anything about data protection, so the overall impression was cluelessness as well. The penalty? $54,000.

Of course, there is no magic formula for determining the penalty, and each case considers “the specific facts of the case to ensure that the decision and direction(s) are fair and appropriate for that particular organisation”. However, these cases don’t exist in a vacuum, and fairness requires considering whether each respondent is treated fairly compared to the others.

If one compares the millions and thousands of people affected in other cases, which resulted in similar or lower penalties, with the 671 in Jigyasa, then there must be something special about Jigyasa.

We now arrive at the decision’s most controversial premise. In arguing for a lower penalty, the respondent claimed that because the information was collected under an exception under the PDPA and disclosed without consent, the breach was less serious. This sounds intuitive the first time, but what has consent to do with the severity of the breach? This is a breach of a protection obligation, not an obligation to get consent.

The PDPC decided instead to give the argument a roundhouse kick and charge that a higher degree of protection was required because consent was not required. In fact, the PDPC argued that not having to get consent had a consequence:

The quid pro quo for organisations having the liberty to collect, use and disclose personal data without consent for evaluative purposes, and to keep opinion data beyond the reach of data subjects for access and correction, is that they are expected to put in place more robust measures to comply with the Protection Obligation.

I was stunned by the “quid pro quo” argument made by the PDPC and wanted to find out whether I missed something. The decision does not cite any support that the exclusion framework for evaluative purposes implies a quid pro quo approach.

The Parliamentary debates regarding the exceptions in the PDPA did not mention the evaluative purpose specifically. I did find this explanation regarding the exceptions in the PDPA:

Sir, Mr Desmond Lee asked about the exceptions provided in the Second to Fourth Schedules. These are based on the overarching intent of ensuring adequate protection for individuals without placing onerous burdens on organisations to comply with the law. They also take into account international practice and Singapore’s context. For example, exceptions apply in certain circumstances or situations where obtaining consent for the collection, use or disclosure of personal data may not be feasible. Such situations include collection of personal data for life-threatening emergencies. Exceptions are also necessary to enable certain organisations to effectively perform their functions, such as investigations or legal proceedings.

It’s not easy to square both passages together, but the message now appears to be that information collected under the evaluative exception should be treated as riskier than others.

Even though the PDPC claimed that this quid pro quo structure only applies to the evaluative purpose exception, it’s hard not to see how the argument can easily apply to any other exception. This includes the new exceptions, such as business improvement purposes. These new exceptions are not “necessary” to perform business functions and ultimately benefit the consumer in some way, so there can be a quid pro quo arrangement too. Given this decision, organisations must look into the data they are storing and pay special attention to data collected under an exception.

However, if you have been mindful of data protection in the first place, you would already know that whatever personal data you have should be protected, regardless of how they were collected.

Thing 3: Penalties can be arbitrary, avoid them if you can

I wasn’t expecting that relying on an exception to collect data would result in heavier penalties. The impression I had was that they were meant to reduce the compliance burden of companies.

There are several ways to rationalise the impact of this decision. The PDPC already said this reasoning is limited to evaluative purposes. Each case stands on its own. The PDPC continually reminds the public that each case and each penalty is due to its unique circumstances. I have not read a decision whereby the PDPC refers to a past decision as a basis for the calculation of the penalties. We can sweep this decision under the carpet as it did for a year hiding behind COVID-19.

Related post: “Will Increased Penalties Lead to Greater Compliance With the PDPA?” (Love.Law.Robots.) — when the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order.

I instead feel that the best response to a decision that I think is cruel, arbitrary or irrational is to think of ways out of it. Unlike criminal law, where the best action to avoid speeding tickets is by not speeding, the PDPC’s approach to active enforcement suggests more alternatives. These include voluntary undertakings (NEW in the amendments) or an expedited decision.

In a voluntary undertaking, the respondent has more control over the outcome of a case. We are talking about remediation, not mitigating factors. We are also talking about the respondent’s plans, not the PDPC’s directions.

Furthermore, I haven’t read any media outlet that attempts to explain a voluntary undertaking in the context of a data breach. You might not even know there is a new section on the PDPC’s website.

Unfortunately, to quickly develop a remediation plan that would satisfy the PDPC, you will need professionals specialized in the field. I believe that this is really the strongest case for hiring your own data professionals, especially in light of the new amendments to the PDPA.


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order. For the most part, the authorities have followed through. We are expecting more too. Is this the same with the Personal Data Protection Act in Singapore too?

Penalties will increase under the latest PDPA amendments.

The financial penalties under Singapore’s Personal Data Protection Act probably garner the most attention. They are still newsworthy even though they have been issued regularly since 2016. The most famous data breach concerning SingHealth resulted in a total penalty of S$1 million. The maximum penalty of $1 million is not negligible. It’s not hypothetical either.

The newest PDPA amendments will now increase the maximum penalty to up to 10% of an organisation’s annual gross turnover in Singapore. To help imagine what this means: According to Singtel’s Annual Report in 2020, operating revenues for Singapore consumers was S$2.11b. The maximum penalty would be at least S$200m.

Is this the harbinger of doom and gloom for local companies? Will local companies scramble to hire personal data specialists like for the GDPR? Will an army of lawyers be groomed to fine-comb previous PDPC decisions to distinguish their clients' cases? Is my CIPP/A finally worth something?

Penalties imposed under the PDPA appear limited.

Before trying to spend on compliance, savvier companies would want to find out more about how the Personal Data Protection Commission enforces the PDPA. This makes sense. The costs of compliance have to be rational in light of the risks. If the dangers of being susceptible to a financial penalty are valued at $5,000, it makes no sense to hire a professional at $80,000 a year. If liability for data breaches is a unique and rare event, hiring a firm of lawyers to defend you in that event is better than hiring a professional every day to prevent it.

So here is the big question: What’s the risk of being penalised $1 million or gasp(!) at least $200 million?

Unfortunately, one does not need a big data science chart to realise that being penalised $1 million is a rare event. Being penalised $100,000 is also a rare event. Using the filters from the PDPC’s decisions database reveals a total of 2 cases with financial penalties greater than $75,000 since 2016.

Screen capture of filters of PDPC decisions with financial penalties of more than $75000. (As of October 2020)

However, if you insist on having a “big data science chart”, here’s one I created anyway:

Histogram of the number of cases binned on enforcement value.

Notes :

  • I excluded the SingHealth penalties ($750K and $250K) because they were outliers.
  • It’s named “enforcement value” and not “penalty sum” because I considered warnings and directions to have $0 as a financial penalty.

The “big data science chart” tells the same story as the PDPC’s website. Most financial penalties fall within the $0 to $35,000 range, with the mean penalty being less than $10,000. While the PDPC certainly has the power to impose a $1 million penalty, it appears to flex around 1% of its capabilities most of the time.
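As an added worked example (this is not the post’s own analysis, and the records below are constructed, not real PDPC decisions), here is how the “enforcement value” tally described above can be computed: warnings and directions count as $0, outlier penalties above a chosen threshold are dropped, and the remaining values are binned into $5,000 buckets and averaged against the S$1 million cap. The threshold and bin width are assumptions, not figures from the post.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


# Constructed sample records (not real PDPC decisions). Each record carries the
# outcome the PDPC imposed and, for financial penalties, the amount in S$.
@dataclass(frozen=True)
class Decision:
    respondent: str
    outcome: str      # "warning", "directions" or "financial penalty"
    amount: int = 0   # S$; only meaningful for financial penalties


SAMPLE_DECISIONS = [
    Decision("Respondent A", "warning"),
    Decision("Respondent B", "directions"),
    Decision("Respondent C", "financial penalty", 5_000),
    Decision("Respondent D", "financial penalty", 12_000),
    Decision("Respondent E", "financial penalty", 30_000),
    Decision("Respondent F", "financial penalty", 2_000),
    Decision("Respondent G", "warning"),
    Decision("Respondent H", "financial penalty", 750_000),  # constructed outlier
    Decision("Respondent I", "financial penalty", 250_000),  # constructed outlier
]

MAX_PENALTY = 1_000_000  # the S$1 million cap discussed in the post


def enforcement_value(decision: Decision) -> int:
    """Warnings and directions carry no financial penalty, so they count as $0."""
    if decision.outcome in ("warning", "directions"):
        return 0
    if decision.outcome == "financial penalty":
        return decision.amount
    raise ValueError(f"unknown outcome: {decision.outcome!r}")


def without_outliers(decisions, threshold: int):
    """Drop decisions whose enforcement value is at or above `threshold`."""
    return [d for d in decisions if enforcement_value(d) < threshold]


def histogram(decisions, bin_width: int = 5_000) -> dict:
    """Count decisions per bin; keys are the lower bound of each bin in S$."""
    counts = Counter((enforcement_value(d) // bin_width) * bin_width for d in decisions)
    return dict(sorted(counts.items()))


def summary(decisions, outlier_threshold: int = 100_000, bin_width: int = 5_000) -> dict:
    """Bin the non-outlier decisions and express the mean as a share of the cap."""
    kept = without_outliers(decisions, outlier_threshold)
    values = [enforcement_value(d) for d in kept]
    avg = mean(values)
    return {
        "cases": len(kept),
        "excluded_outliers": len(decisions) - len(kept),
        "mean_value": avg,
        "share_of_cap": avg / MAX_PENALTY,
        "histogram": histogram(kept, bin_width),
    }


if __name__ == "__main__":
    s = summary(SAMPLE_DECISIONS)
    for lower, n in s["histogram"].items():
        print(f"${lower:>7,} - ${lower + 4_999:>7,}: {'#' * n}")
    print(f"mean enforcement value: ${s['mean_value']:,.0f} "
          f"({s['share_of_cap']:.1%} of the S$1m cap)")
```

Replace `SAMPLE_DECISIONS` with rows exported from the PDPC decisions database to reproduce the chart; the outlier threshold is what decides whether a SingHealth-sized penalty is shown or excluded, so state it alongside the chart.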

Past performance does not represent future returns. However, the amendments to the PDPA were not supposed to represent a change to the PDPC’s practices. They are for “flexibility” and to match other areas like the Competition Act. There is very little indication that an increase in the financial cap now means that companies will be liable for more.

Why are the penalties so low?

The decisions cite several factors in determining the amount of penalty – the number of individuals affected, the significance of the data lost and even whether the respondent cooperated with the PDPC.

In Horizon Fast Ferry, the PDPC cited the “ICO Guidance on Monetary Penalties” as a principle in determining monetary penalties:

The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA or with PECR. The penalty must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

The key phrase in the quote is “sufficiently meaningful”. Given the PDPC’s desire to promote businesses, the PDPC would not like to kill off a company by imposing a crippling penalty. The penalties serve a signalling purpose. As they continue to attract public attention and encourage companies to comply, penalties are the most effective tool in the PDPC’s arsenal.

However, even if the penalties are “sufficiently meaningful” in an objective sense, they may still be meaningless subjectively. $5,000 might be peanuts to a large business. Some businesses may even treat it as a cost of “innovation”. PDPC decisions are replete with “repeat” offenders. Breaking the PDPA, for example, seems to be a habit for Grab.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Moving beyond penalties

I am not a fan of financial penalties. I have always viewed them as a “transaction”, so they never really comply with the spirit of compliance.

Asking companies to comply with directions may be far more punishing than doling out a fine. A law firm might help you negotiate the best directions you can get, but the company has to implement them through its employees. The company will need data protection specialists. This approach is more effective than just essentially issuing a company a ticket.

For this reason, I was pretty excited about the PDPC’s Active Enforcement guidelines. Here’s something to watch out for: a new section on undertakings appeared last month.

Conclusion

Still, I am probably an outlier in this regard. The increased penalty cap has repeatedly featured as one of the most critical changes in the PDPA. Experience does not suggest that a higher cap will change much. Nevertheless, as a signal, the news would probably make management sit up and review their data protection policies. Data Protection Officers should take advantage of the new attention to polish up their data protection policies and practices.

This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural language processing, data extraction and processing!

#Privacy #Singapore #PDPAAmendment2020 #Compliance #DataBreach #DataProtectionOfficer #Decisions #GDPR #Enforcement #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

There’s a new hue to the shift from openness to accountability in the PDPA. We are used to the idea of expecting more from organisations. However, individuals (who aren’t public servants or acting in a personal capacity) who mishandle personal data will be criminally liable under a new section in the upcoming PDPA.

As the PDPC and the Ministry put it, it’s an offence relating to egregious mishandling of personal data. The types of mishandling are:

  1. Knowing or reckless unauthorised disclosure of personal data
  2. Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
  3. Knowing or reckless unauthorised re-identification of anonymised data.

Anyone convicted of an offence is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years or both.

Leveling the Public and Private sectors

One of the most controversial areas of the PDPA is the exclusion of the public sector. This can create an impression of differing data protection standards in the public and private sectors. In response, the Government has taken steps to level up its data protection.

One of the more aggressive moves by the Government to show its accountability was to enact the Public Sector (Governance) Act. In sections 7 and 8 of the same act, the egregious mishandling of personal data by public servants is also criminalised in very similar terms as the amendments.

As such, the PDPA amendments level the playing field. An employee who egregiously mishandles personal data will be penalised in the same way, whether he is in the private or public sector. At least in this respect, the differences between the public and private sectors are less pronounced.

The amendments are also essential to plug a hole for companies doing work for the Government. If you mishandle government data, you are liable under the PSGA if you are a public servant. However, non-public servants, such as contractors, are not liable under the PSGA if they mishandle government data. So after the amendments are passed, no one will be left out.

Do employees have anything to fear?

From its inception, the PDPA has targeted organisations for compliance, not their employees. Section 4(1)(b), which does not impose obligations on the employee, and section 11(2), which states that an organisation is responsible for its personal data, confirm this.

This makes sense. Employees need their employer’s support to carry out the organisation’s data protection obligations. The decisions consistently reject the argument that employees should simply have done their jobs as the employer ideally expected them to. Employees need practical and relevant training, and that is best provided by the organisation.

Do the amendments mean that employees face more exposure under the revised PDPA? Realistically, the answer is no. The provisions place a very high threshold on the mens rea or mental element of the offence. The offender either did this intentionally or recklessly. Negligent acts are not enough. Furthermore, the use of the information must not be authorised by the company.

As such, the paradigm case for this section is the rogue employee who makes use of the company’s data to make a profit. An employee who ignores data protection training and then commits the mistake the training was meant to prevent may not be criminally liable under this provision. Arguing that such an employee intentionally caused a data breach will be challenging.

Interestingly, we can find this sort of employee in Hazel Florist & Gifts [2017] SGPDPC 9. Even though the employee who caused the data breach refused to attend training or follow SOP, the PDPC still blamed the organisation for failing to make her do so.

Would I use the new criminal liabilities to encourage my colleagues to take data protection seriously? Ultimately, it’s not right to scare people for something unlikely to happen. In any case, the reality is that most employees do want to comply once they have the right tools. When they fail to comply, it's generally because they are not in the right environment, and this environment is completely within the control of the organisation. The “stick” in this case is good but does not seem necessary.

Conclusion

The amendments imposing personal liability on individuals appear to be mainly an effort to align the public officers with other individuals. Like the public sector, liability is narrow and targeted at the most egregious conduct. In that light, the amendments are essential for a consistent regime in the private and public sector.

#Privacy #Singapore #PDPAAmendment2020 #Employee #Government #PersonalDataProtectionAct


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

Introduction

The history of data protection legislation, in my view, comprises three generations:

  • The earliest generation focuses on common law and sectoral self-regulation. It’s a bit of the wild west, with various ideas and strands all over the place.
  • The EU’s Data Protection Directive, way back in 1995, represents the next generation. Its key innovation is comprehensive national legislation. Its foundations are based on OECD recommendations and revolve around consent, notification, purpose limitation, etc.
  • The third and latest generation, of course, belongs to the GDPR in 2018. Its key innovations are lawful purposes, protection of children, the right to be forgotten, the right to object to automated processing, etc.

Singapore’s PDPA was enacted in 2012. It sits between the EU’s Data Protection Directive and the GDPR. As such, it retains many well-established and familiar features but very few of the innovations used in the GDPR.

One of these artefacts concerns what the PDPA calls the “consent obligation”. The consent obligation requires the consent of a data subject before an organisation can process personal data. Unfortunately, reality does not work out like that. As is consistent with experience, data subjects in Singapore don’t “consent” much substantively, and the exception swallows the rule. Other laws, the exceptions in the schedules of the PDPA and the “reasonable” requirement all qualify the consent obligation.

Instead of looking to the GDPR, the latest amendments to the PDPA “double down” on the consent obligation. Sure, the schedules will undergo some housekeeping and streamlining. Deemed consent is expanded. Two new exceptions are introduced — legitimate interests and business improvement. (Curiously “legitimate interests”; sounds like one of the legal bases in the GDPR.)

Given the Law Reform Committee’s view that the PDPA is sound, the consent obligation will be with us for a long time.

As I showed above, I am not a big fan of this convoluted consent obligation. I like the legal bases of the GDPR more. They are easier to explain, and the exceptions don’t control the rule. By conceding that consent is unable to explain user rights fully, the GDPR accords better to reality.

Nevertheless, I am going to try to explain the Consent Obligation, including the new amendments. So, we are going to play a game! Let’s play “so you want to collect personal data in Singapore”.

“So you want to process personal data.pdf” (217 KB) contains all the flowcharts in this post.

Highlights of changes

As I summarized above, there are several new exceptions to the consent obligation. Here are some highlights.

Deemed consent has expanded.

Deemed consent has grown with two new situations. They are expansive and encompass many cases where it’s evident that organisations should have sought consent. The appropriate notification situation also enables organisations to use another method of obtaining consent, which may be considered less confrontational.

A new legitimate interests exception.

The PDPA will also feature a new general exception for legitimate interests. The one in the PDPA looks similar to the one in the GDPR. It also requires organisations to do a cost-benefit analysis in the form of a data protection impact analysis.

Here is another one: using personal data for business improvement. As this only applies to use, you must have collected the personal data through other means. This applies very much to data and customer analytics. You might have already collected data from your customers or operations, and this allows you to make more use of it without worrying about the PDPA.

Conclusion

The changes to the consent obligation are very business-friendly. Should an organisation be excited to employ these exceptions?

If you have been very much at the top of your privacy game, you probably would not need any of these exceptions. Your privacy policy would already have included using personal data for data analytics or business improvement. You would not be needing any “deemed consent” because, in line with best practices, you would have already been upfront and direct with your data subject.

Given the hit or miss nature of PDPC decisions when exceptions are considered, if you can plan for it, you wouldn’t rely on any of these exceptions.

So while it’s heartening to see the movement from openness to accountability, these new changes represent a step back. Hopefully, I wouldn’t need to add several more pages to the next version of my flow chart.

#Privacy #Singapore #PDPAAmendment2020 #ConsentObligation #GDPR


Update 31/5/2021: As of 1 February 2021, the revised (or updated as they call it) PDPA has been enacted substantially. The post has been updated to highlight areas which are still not effective as of May 2021.

I thought the break in the PDPC’s monthly release of decisions since March was due to office closure from COVID-19. Here is a new excuse. After what seems like an eternity of consultations, we have the text of the Amendment Bill. This will be the first substantial revision of Singapore’s Personal Data Protection Act.

Here is a summary of what I believe are the key points.

Mandatory Data Breach Notification is here

A vast majority of enforcement decisions from the PDPC concern data breaches. A vast majority of public reporting also concerns data breaches. Data breaches are the biggest source of liability for companies. However, enforcement action and liability depended on complaints. It is a bit like see no evil, hear no evil.

If organisations were required to report data breaches, this would greatly increase their exposure. For many organisations who merely comply with the minimum requirements of the PDPA, they will need to introduce new policies and processes to address what to do in a data breach.

Organisations working on behalf of public agencies no longer exempted

Following the data breaches in public health and questions regarding the private and public divide in the PDPA, the PDPA now covers organisations working on behalf of public agencies. More organisations will be included under the PDPA since the government is much involved in Singaporeans’ lives through private companies. Together with a push from the government, this means that more organisations will be accountable under the PDPA.

Here’s another (underreported) change following from the debacles. The Amendment Bill now introduces offences for private-sector employees who mishandle information. This tracks the Public Sector (Governance) Act, which covered public sector employees.

See also: “The PDPA gets Personal” (Love.Law.Robots).

Voluntary Undertakings now part of PDPC’s enforcement

I have always been very sceptical of the use and the focus on financial penalties. When the PDPA first came out, the headline number of $1 million was a pretty big deal. The GDPR already provides penalties that are way higher than that. Furthermore, in practice, hardly any organisation got a six-figure penalty. Singhealth remains an outlier. If your goal is to not pay a high penalty, you will hire better lawyers, not data protection officers.

Therefore I am excited about voluntary undertakings, as they are the teeth of the accountability principle. There have been very few decisions which apply this uncommon enforcement method. Hopefully, as has been the case with anti-corruption in the US, a focus on entrenching good practices is encouraged. At the very least, such enforcement will encourage the hiring and involvement of data protection officers.

Oh, and by the way, the amendment increases the penalties that the PDPC can impose. The cap is now 10% of the organisation’s annual gross turnover or $1 million, whichever is higher. As I mentioned, all this is rather theoretical given the enforcement standards so far. [Update: This is one of the changes which are not effective as of 1 February 2021, presumably due to COVID. Quite frankly, the proof of the pudding is in the enforcement, not how high it can go.]

See also: “Will Increased Penalties Lead to Greater Compliance With the PDPA?” (Love.Law.Robots).

Given the “lawful purposes” approach followed by the GDPR, the increased emphasis on consent under the Amendment Bill seems quaint. “Deemed” consent will be expanded to new situations. You can argue that “deemed consent” is fictitious consent, whereby organisations just tick a few action boxes to do what they want.

See also: “Making sense of the latest PDPA amendments to the Consent Obligation” (Love.Law.Robots).

Do note that a “lawful purpose” features in the Amendment Bill. “Legitimate interest” is termed an “exception” here. There is a balancing effort between what the organisation would like, and the risk and benefit to the public and the individual. Is this a peek behind the curtain? Will the “legitimate interest” exception swallow consent?

In any case, the PDPA still relies on consent, huge exceptions and “reasonableness”. This bill does not bring the PDPA into the 21st century. Singapore risks being left behind by other countries which have adopted GDPR-like laws.

Data Portability

Data portability allows individuals to request an organisation to transmit a copy of their personal data to another organisation. It now gets its own section in the PDPA.

As a bit of a geek, of course I am very excited about “data portability”. However, implementation matters, and I am not sure organisations are motivated enough to put up the structures that will make this work. My developer experience playing with bank APIs has not been positive.

[Update: This is one of the changes which are not effective as of 1 February 2021.]

Conclusion

I don’t think I have covered all the changes in detail. Some changes need their own space, so I would be writing new posts and updating this one. Passing the act will still require some more time. Did anything else catch your eye?

[Update: The act was passed and the provisions noted here are substantially effective.]

#Privacy #Singapore #Features #ConsentObligation #DataBreach #DataPortability #Enforcement #Government #LegitimateExpectations #Notification #OpennessObligation #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings
