Love.Law.Robots. by Ang Hou Fu

Compliance


It’s going to be a busy week! I’ll be attending the conferences below:

Here are the sessions that I am looking forward to:

SCCE Singapore Regional 2022

Of all the conferences, this is probably the one with the most practical topics I can apply to my work. So, although maintaining those Continuing Education Units for my certification is a serious challenge (40 points in 2 years?! Video conference at 1am?! 🤮), membership is still very useful to me.

Compared to last year’s regional, I think this one has far more breadth and indeed some depth into hot topics like ESG and Digital Data Management. Hot favourites like compliance training and supply chain management make an appearance too.

I am particularly curious about the finale: “Are robots running the compliance program?” Automation in compliance is that small victory that I think cash- and human resource-strapped compliance departments should look into. From the handout, the “automation” is Microsoft Power Automate, which while simple to understand and used in many corporate environments, is not as widely applicable compared to something like Zapier. Let’s see what new ideas I will get!

Related post: “Automate Boring Stuff: Get Python and your Web Browser to download your judgements” (part of my series on my Data Science journey with PDPC Decisions, covering visualisations, natural language processing, data extraction and processing).

IAPP Asia Privacy Forum

They took a long time to flesh this out — back when I bought the early bird ticket in early June, half of the programme was labelled “to be confirmed”. I’m glad they managed to flesh this out. It’d be my first IAPP Conference even though I have been a member and CIPP/A-certified since 2019.

I am a pretty practical person, so I am going to list things that have meaning to me.

  • “Building Privacy Technology Into Your Privacy Programme” — Privacy by Design is one of those revolutionary concepts introduced by the GDPR that you probably don’t hear enough about. Privacy engineering has always been very fascinating to me too.
  • “Towards Innovative and Global Solutions for Trans-Border Flow” — The biggest challenge in Singapore isn’t really complying with the PDPA here but dealing with the implications of having an open economy. In my context, a regional HQ is a hub for data flows, so having an interesting way to handle them will be useful.
  • “Implementing Privacy in Yet-to-Mature Geographies” — Related to the previous point, we are in a region where jurisdictions have not had much experience in privacy. Thailand recently made its GDPR-like law effective. Indonesia is still toying with the idea. India’s comprehensive data protection law appears to be trapped in legislative purgatory. Coping strategies will be very appreciated.

Alongside the IAPP Asia Privacy Forum, the Singapore PDPC also organises the Singapore version of a conference. Topics seem quite interesting, but given my decreasing focus on data privacy in recent years, I am going to give it a pass.

TechLaw.Fest

It’s my third TechLaw.Fest and my first in person!

Actually, I don’t know whether this is an in-person event. Something about the metaverse.

I count myself as a sceptic of the metaverse and was actually profoundly upset that the programme focuses almost entirely on this topic. Compared to last year where there was an even spread, this year looks like an advertorial to convince you that there is something special.

Related post: “Three Things: TechLawFest 2021” — my debrief on the TechLawFest in Singapore with three key takeaways.

Anyway, I am still sorting out my registration because, frankly, the organisation of this event is messy this year.

I will be hiding out in the Tech Talks section this year. I don’t want to hear a big talk about a fad which no one will care about in a year or two. The metaverse is like cryptocurrency and NFTs; somebody is pouring lots of money into it but nobody honestly has high hopes about it.

Related post: “Live by the Code… Die by the Code?” — in an earlier post, I wondered whether the fallout from cryptocurrency and NFTs turning from excitement to panic and loss will bring forth something good in its place.

Some of the things I wish they covered:

  • The fallout from cryptocurrency and NFTs: This is an awesome topic for litigators and restructuring professionals with all the news going around of bank runs, fraud and corporate dissolutions. To be fair, I have a suspicion that this is going to be covered in “What Happens in the Metaverse Doesn’t Stay in the Metaverse: How Laws Apply Such That In-world Crime Could Mean Real-world Punishment” on the Main Stage on 22 July 2022.
  • AI Regulation — I believe there are some major advances in the field (in Europe, I think?) and this is a topic that is getting closer to law and regulation as the technology becomes more mainstream. The IMDA also released its own AI Governance Testing framework and toolkit in May, so I am surprised nobody wants to talk about it here.
  • I wouldn’t complain about learning more about legal operations. To be fair, “The Virtual Lawyer: How Digitalisation is Changing the Business of Law” on the Main Stage on 21 July 2022 seems related. I am going to be rather peeved if it’s about how I can appear as an avatar to my colleagues… as if using Microsoft Teams wasn’t lame enough.

The past two years have forced a reckoning that the brick-and-mortar law office may not be as essential to lawyering as was assumed by many for a long time. In this session, we hear from a range of legal professionals wrestling with digitalisation and the business of law. #tlf22 pic.twitter.com/ShnH1DRCup

— TechLaw.Fest (@TechLawFest) July 13, 2022

Conclusion

There's going to be lots to do, and I am going to practice live tweeting this year so that I would get better at it. Last year, I tried to write a roundup but it was really tiresome, so please follow me on Twitter!

#blog #Compliance #Cryptocurrency #Ethics #Law #News #NFT #PersonalDataProtectionAct #Privacy #Singapore #TechLawFest #TechnologyLaw #IAPP #SCCE #DataProtectionOfficer

Love.Law.Robots. – A blog by Ang Hou Fu


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order. For the most part, the authorities have followed through. We are expecting more too. Is this the same with the Personal Data Protection Act in Singapore too?

Penalties will increase under the latest PDPA amendments.

The financial penalties under Singapore’s Personal Data Protection Act probably garner the most attention. They are still newsworthy even though they have been issued regularly since 2016. The most famous data breach concerning SingHealth resulted in a total penalty of S$1 million. The maximum penalty of $1 million is not negligible. It’s not hypothetical either.

The newest PDPA amendments will now increase the maximum penalty to up to 10% of an organisation’s annual gross turnover in Singapore. To help imagine what this means: according to Singtel’s Annual Report in 2020, operating revenues for Singapore consumers were S$2.11b. The maximum penalty would be at least S$200m.

Is this the harbinger of doom and gloom for local companies? Will local companies scramble to hire personal data specialists like for the GDPR? Will an army of lawyers be groomed to fine-comb previous PDPC decisions to distinguish their clients' cases? Is my CIPP/A finally worth something?

Penalties imposed under the PDPA appear limited.

Before trying to spend on compliance, savvier companies would want to find out more about how the Personal Data Protection Commission enforces the PDPA. This makes sense. The costs of compliance have to be rational in light of the risks. If the dangers of being susceptible to a financial penalty are valued at $5,000, it makes no sense to hire a professional at $80,000 a year. If liability for data breaches is a unique and rare event, hiring a firm of lawyers to defend you in that event is better than hiring a professional every day to prevent it.

So here is the big question: What’s the risk of being penalised $1 million or gasp(!) at least $200 million?

Unfortunately, one does not need a big data science chart to realise that being penalised $1 million is a rare event. Being penalised $100,000 is also a rare event. Using the filters from the PDPC’s decisions database reveals a total of 2 cases with financial penalties greater than $75,000 since 2016.

Screen capture of filters of PDPC decisions with financial penalties of more than $75000. (As of October 2020)

However, if you insist on having a “big data science chart”, here’s one I created anyway:

Histogram of the number of cases binned on enforcement value.

Notes:

  • I excluded the SingHealth penalties ($750K and $250K) because they were outliers.
  • It’s named “enforcement value” and not “penalty sum” because I considered warnings and directions to have $0 as a financial penalty.

The “big data science chart” tells the same story as the PDPC’s website. Most financial penalties fall within the $0 to $35,000 range, with the mean penalty being less than $10,000. While the PDPC certainly has the power to impose a $1 million penalty, it appears to flex around 1% of its capabilities most of the time.
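To make the two notes above concrete, here is a small added example (mine, not the chart code from the original post) that builds the same kind of histogram: warnings and directions are mapped to a $0 enforcement value, decisions above a chosen cut-off are dropped as outliers, and the remaining values are binned in $5,000 steps. The decisions list is constructed for illustration and is not real PDPC data; the cut-off of $100,000 and the bin width are assumptions, not figures from the post.

```python
from statistics import mean

# Constructed sample of PDPC-style outcomes (NOT real decisions):
# (respondent label, outcome type, financial penalty in S$ or None).
SAMPLE_DECISIONS = [
    ("Org A", "financial penalty", 5000),
    ("Org B", "financial penalty", 12000),
    ("Org C", "warning", None),
    ("Org D", "directions", None),
    ("Org E", "financial penalty", 30000),
    ("Org F", "financial penalty", 750000),  # outlier, constructed to mimic the SingHealth scale
    ("Org G", "financial penalty", 250000),  # outlier
    ("Org H", "financial penalty", 8000),
    ("Org I", "warning", None),
    ("Org J", "financial penalty", 20000),
]


def enforcement_value(outcome, penalty):
    """Warnings and directions count as a $0 enforcement value; otherwise the penalty sum."""
    if outcome in ("warning", "directions"):
        return 0
    if penalty is None:
        raise ValueError(f"outcome {outcome!r} needs a penalty amount")
    return int(penalty)


def enforcement_values(decisions, exclude_above=None):
    """Map every decision to an enforcement value, optionally dropping outliers above a cut-off."""
    values = [enforcement_value(outcome, penalty) for _, outcome, penalty in decisions]
    if exclude_above is not None:
        values = [v for v in values if v <= exclude_above]
    return values


def histogram(values, bin_width=5000):
    """Return a list of (lower, upper, count) bins; 'upper' is exclusive."""
    if not values:
        return []
    n_bins = max(values) // bin_width + 1
    counts = [0] * n_bins
    for v in values:
        counts[v // bin_width] += 1
    return [(i * bin_width, (i + 1) * bin_width, c) for i, c in enumerate(counts)]


def summarise(decisions, exclude_above=100000, bin_width=5000):
    """Count, mean and binned distribution of enforcement values after the two adjustments."""
    values = enforcement_values(decisions, exclude_above)
    return {
        "count": len(values),
        "mean": mean(values),
        "max": max(values),
        "bins": histogram(values, bin_width),
    }


def render_histogram(bins):
    """Text rendering of the bins, one line per bin with a '#' per case."""
    return "\n".join(f"${lo:>7,} - ${hi - 1:>7,} | {'#' * count}" for lo, hi, count in bins)


if __name__ == "__main__":
    result = summarise(SAMPLE_DECISIONS)
    print(f"{result['count']} cases, mean enforcement value ${result['mean']:,.0f}")
    print(render_histogram(result["bins"]))
```

On the constructed sample the two large penalties are dropped, the three warnings and directions land in the $0 bin, and the mean of the remaining eight values is $9,375; the numbers only illustrate the method, not the PDPC’s actual record.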

Past performance does not represent future returns. However, the amendments to the PDPA were not supposed to represent a change to the PDPC’s practices. They are for “flexibility” and to match other areas like the Competition Act. There is very little indication that an increase in the financial cap now means that companies will be liable for more.

Why are the penalties so low?

The decisions cite several factors in determining the amount of penalty – the number of individuals affected, the significance of the data lost and even whether the respondent cooperated with the PDPC.

In Horizon Fast Ferry, the PDPC cited the “ICO Guidance on Monetary Penalties” as a principle in determining monetary penalties:

The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA or with PECR. The penalty must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

The key phrase in the quote is “sufficiently meaningful”. Given the PDPC’s desire to promote businesses, the PDPC would not like to kill off a company by imposing a crippling penalty. The penalties serve a signalling purpose. As they continue to attract public attention and encourage companies to comply, penalties are the most effective tool in the PDPC’s arsenal.

However, even if the penalties are “sufficiently meaningful” in an objective sense, they may still be meaningless subjectively. $5,000 might be peanuts to a large business. Some businesses may even treat it as a cost of “innovation”. PDPC decisions are replete with “repeat” offenders. Breaking the PDPA, for example, seems to be a habit for Grab.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Moving beyond penalties

I am not a fan of financial penalties. I have always viewed them as a “transaction”, so they never really comply with the spirit of compliance.

Asking companies to comply with directions may be far more punishing than doling out a fine. A law firm might help you negotiate the best directions you can get, but the company has to implement them through its employees. The company will need data protection specialists. This approach is more effective than just essentially issuing a company a ticket.

For this reason, I was pretty excited about the PDPC’s Active Enforcement guidelines. Here’s something to watch out for: a new section on undertakings appeared last month.

Conclusion

Still, I am probably an outlier in this regard. The increased penalty cap has repeatedly featured as one of the most critical changes in the PDPA. Experience does not suggest that a higher cap will change much. Nevertheless, as a signal, the news would probably make management sit up and review their data protection policies. Data Protection Officers should take advantage of the new attention to polish up their data protection policies and practices.

This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural language processing, data extraction and processing!

#Privacy #Singapore #PDPAAmendment2020 #Compliance #DataBreach #DataProtectionOfficer #Decisions #GDPR #Enforcement #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings


This feels like an opinion which is begging for a ruling from the Court of Appeal.

The Case

In PP v Michael Tan and another [2019] SGHC 207, the High Court had the opportunity to consider whether the punishment for bribing foreign government officials should be similar to the punishment for bribing local government officials. The facts are not so material to the question. Simply stated, in one case an owner of a shipping company bribed port officials in Malaysia to get out of trouble or to get its competitors into trouble. The second case is related to the notorious US Navy case — the accused was the recipient of the bribes (passive bribery). Appeals from the accused failed in this court. In the second case, the jail term was even increased.

More interestingly, the Prosecution failed on two jurisprudential questions:

  • Whether the “public service rationale” should be extended to foreign public officials
  • Whether a new sentencing framework should be proposed for corruption offences.

Of course, the focus of this post is on the first question. The judge decided at [72] that the “public service rationale” should not be extended to foreign public officials because the public interest in the original rationale is distinct from that for foreign public officials. Instead, foreign public officials are a separate and distinct aggravating factor for punishment (at [75]).

Impact of this case

It’s odd that despite being number 3 on the Corruption Perceptions Index, there has not been much caselaw on foreign bribery. The Prevention of Corruption Act does not refer to foreign bribery, except that oddly Singaporeans who bribe overseas are treated as bribing in Singapore.

In Transparency International’s 2018 “Exporting Corruption” Report, which focuses on each country’s enforcement of anti-corruption laws with respect to foreign officials, Singapore is labelled “Little or No Enforcement”. Specific recommendations in the report include “Establish laws that clearly prohibit Singaporean persons and entities from engaging in corrupt practices overseas” and “Define ‘foreign public officials’ in the PCA and other applicable laws”.

It ain’t exactly the recommendation, but it goes some way towards it. This case establishes the juridical basis of bribery of foreign officials as an aggravating factor. The opinion should be praised for referring to Singapore’s obligations under the United Nations Convention Against Corruption. The reasons fairly comprehensively set out why Singapore should do its part to punish foreign bribery.

The Distance ahead

Based on the points on which the Prosecution did not succeed (such as a shiny new sentencing guideline), there is ample room for the Court of Appeal to comment on the scope of the law with respect to foreign bribery.

Judicial decisions can’t paper over all legislative cracks. The main provisions of the PCA, which have stayed largely the same over the last 30 years, are badly due for review. The latest cases in Singapore in this area have all been cross-boundary and involve startling amounts.

One other recent development — the recent introduction of deferred prosecution agreements, which would allow the government to hold companies accountable for offences such as bribery. As DPAs are extensively used in the US and UK for anti-bribery offences, it is not difficult to see them having the same application here.

Conclusion

Save for a comprehensive review of the Prevention of Corruption Act, several pieces are in place for a long overdue modernisation of Singapore’s Anti-Bribery Laws. This is timely as more Singapore corporates are involved in cross-boundary business, which increases the risk of bribery. Singapore’s reputation for being a clean country is well-earned; it must adjust to the new circumstances to keep it.

#Law #Singapore #PreventionofCorruptionAct #Compliance
