Love.Law.Robots. by Ang Hou Fu

Enforcement


Like most people, I hate to be wrong. But if I got things right all the time, I’d be a judge, not a blog writer.

More than a year ago, I highlighted the only case on the Personal Data Protection Act I am aware of that has reached the High Court. It was a “rare sighting” of a private action under the Personal Data Protection Act (PDPA).

In the post, I concluded that the right of private action was “meaningless” because the High Court held that you cannot claim “distress and loss of control”. That was, after all, what most people face when their privacy is breached. Even so, I thought that individuals going after companies for a breach was too much for one person to bear. That case, after all, concerned a rich, disgruntled data subject facing an intransigent data controller.

The case had gone on appeal to the Court of Appeal, which is understandable, given that the PDPA has never been before the highest court of the land, so clearly there are interesting and novel legal questions to be heard.

Furthermore, the Attorney General’s Chambers (AGC) also participated in the appeal. This is noteworthy because it intervened in essentially a private action. However, as mentioned above, the questions are novel, so the drafters of the PDPA should have a say.

The AGC's submissions largely echoed what I accepted in my previous post. This was essentially how we expected to read the legislation. This included accepting the general belief that emotional distress is not claimable under law.

Well, the Court of Appeal has spoken, and I was wrong.

The Court of Appeal held that “distress and loss of control” can be the subject of a right to private action. This was different from the common law, which generally does not regard emotional distress as actionable. (You can’t make a claim against another person for making you feel sad; such is “the vicissitudes of life”.)

What do I read from this? The Court probably abhors meaningless rights. As noted in my previous article, following the lines of the Government and the High Court’s judgement, the private action was not useful to anyone who had their privacy breached.

With the Court of Appeal’s pronouncement, the right to private action has more life in it. However, it’s still probably impracticable to exercise. Not only does a claimant have to bear the costs and stress of litigation, but it also depends on the actions of the respondent. In the instant case, the respondent explicitly (and inexplicably) refused to undertake not to use data without consent. The private action would be wholly unnecessary if everyone acted reasonably.

It was surprising to me that the Government’s position was not accepted by the Court of Appeal. The big picture is that there will always be some uncertainty about how the Court would read a piece of legislation in a dispute. This might make the Government’s recent insistence that only Parliament can decide what is marriage more understandable.

For now, until the Court of Appeal says so, maybe we shouldn’t be too confident when we make predictions on what the law is.

#Law #Singapore #SupremeCourtSingapore #AGC #ConsentObligation #Enforcement #Government #Judgements #Lawyers #Legislation #News #PersonalDataProtectionAct #Undertakings

Love.Law.Robots. – A blog by Ang Hou Fu


Regular readers might have noticed the disappearance of articles relating to the Personal Data Protection Commission’s decisions lately. However, as news of the “largest” data breach in Singapore came out, I decided to look into this area again.

My lack of interest paralleled changes in the environment that had allowed me to keep up to date on them:

  1. The PDPC removed their RSS feed for the latest updates;
  2. I am not allowed to monitor their website manually; and
  3. The PDPC started issuing shorter summaries of their decisions, which makes their work more opaque and less interesting.

Looking at this area again, I wanted to see whether the insights I gleaned from my earlier data project might hold and what would still be relevant going forward.

Data Science with Judgement Data – My PDPC Decisions Journey: an interesting experiment to apply what I learnt in Data Science to the area of law (Love.Law.Robots.)

Something big struck, well, actually not much.


The respondent in the case that attracted media attention is Reddoorz, which operates a hotel booking platform in the budget hotel space. The cause of the breach is as sad as it is unremarkable — they had left the keys to their production database in the code of a disused but still available version of their mobile app. Using those keys, bad actors probably exfiltrated the data. This is yet another example of how lazy practices in developing apps can translate to real-world harm. Their penetration tests even missed the breach because the app version was old.

PDPC – Breach of the Protection Obligation by Commeasure. Read the PDPC’s enforcement decision here.

The data breach is the “largest” because it involved nearly 6 million customers. Given that the resident population in Singapore is roughly 5.5 million, this probably includes people from around our region.

The PDPC penalised the respondent with a $74,000 fine. This roughly works out to be about 1 cent per person. Even though this is the “largest” data breach handled under the PDPA, the PDPC did not use its full power to issue a penalty of up to $1 million. Under the latest amendments, which have yet to take effect, the potential might of the PDPC can be even greater than that.

The decision states that the PDPC took into account the COVID-19 situation and its impact on the hospitality industry in reducing the penalty amount. It would have been helpful to know how much this factor had reduced the penalty to have an accurate view of it.

In any case, this is consistent with several PDPC decisions. Using the filters on the PDPC’s website, only three decisions doled out more than $75,000 in penalties, and a further four doled out more than $50,000, out of more than 100 decisions with a financial penalty. Even among those rare few, only one case exercised more than 25% of the current penalty limit; the next highest only amounts to $120,000 (a high-profile health-related case, too!).

The top of the financial penalty list (As of November 2021). Take note of the financial penalty filters at the bottom left corner.

This suggests that the penalties are, in practice, quite limited. What would it take for the PDPC to penalise an offender? Probably not the number of records breached. Maybe public disquiet?

In a world without data breaches


While the media focuses on financial penalties, I am not a big fan of them.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Unfortunately, we don’t live in a world without data breaches. The decisions, including those mentioned above, are filled with human errors. Waiting to get caught for such mistakes is not a responsible strategy. Luckily, the PDPA doesn’t require the organisation to provide bulletproof security measures, only reasonable ones. Then, the crux is figuring out what the PDPC thinks is enough to be reasonable.

So while all these data protection decisions and financial penalties are interesting in showing how others get it wrong, the real gem for the data protection professional in Singapore is finding someone who got it right.

And here’s the gem: Giordano. Now I am sorry I haven’t bought a shirt from them in decades.

There was a data breach, and the suspect was compromised credentials. However, the perpetrator did not get far:

  • The organisation deployed various endpoint solutions
  • The organisation implemented real-time system monitoring of web traffic abnormalities
  • Data was regularly and automatically backed up and encrypted anyway

Kudos to the IT and data protection team!

Compared to other “Not in Breach” decisions, this decision is the only one I know to directly link to one of the many guides made by the PDPC for organisations. “How to Guard Against Common Types of Data Breaches” makes a headline appearance in the Summary when introducing the reasonable measures that Giordano implemented.

The close reference to the guides signals that organisations following them can have a better chance of being in the “No Breach” category.

An approach that promotes best practices is arguably more beneficial to society than one that penalises others for making a mistake. Reasonable industry practices must include encrypting essential data and other recommendations from the PDPC. It would need leaders like Giordano, an otherwise ordinary clothing apparel store in many shopping malls, to make a difference.

A call from the undertaking


The final case in this post isn’t found in the regular enforcement decisions section of the PDPC’s website — undertakings.

If you view a penalty as recognising a failure of data protection and “no breach” as an indicator of its success, the undertaking is that weird creature in between. It rewards an organisation that has a data protection system for taking the initiative to settle with the PDPC early, while recognising that there are still gaps in its implementation.

I was excited about undertakings and called them the “teeth of the accountability principle”. However, I haven’t found much substance in my excitement, and the parallel with US anti-corruption practices appears unfounded.

Between February 2021, when the undertaking procedure was given legislative force, and November 2021, 10 organisations spanning different industries went through this procedure. In the meantime, the PDPC delivered 21 decisions with a financial penalty, direction or warning. I reckon roughly 30% is a good indicator that organisations use this procedure when they can.

My beef is that very little information is provided on these undertakings, which appear even shorter than the summaries of enforcement decisions. With so little information, it isn’t clear why these organisations get undertakings rather than penalties.

Take the instant case in November as an example. Do they have superior data protection structures in their organisations? (The organisation didn’t have any and had to undertake to implement something.) Are they all Data Protection Trust Mark organisations? (Answer: No.) Are they minor breaches? (On the surface, I can’t tell. 2,771 users were affected in this case.)

My hunch is that (as the Guide to Active Enforcement says) these organisations voluntarily notified the PDPC with a remediation plan that the PDPC could accept. This is not as easy as it sounds, as you would probably have to engage lawyers and other professionals to navigate your way to that remediation plan.

With very little media attention and even a separate section away from the good and the ugly on the PDPC’s website, the undertaking is likely to be practically the best way for organisations to deal with the consequences of a data breach. Whether the balance goes too far in shielding organisations from them remains to be seen.

Conclusion

Having peeked back at this area, I am still not sure I like what I find. There was a time when there was excitement about data protection in Singapore, and becoming a professional was seen as a viable place to find employment. It would be fascinating to see how much this industry develops. If it does or it doesn’t, I believe that the actions and the approach of the PDPC to organisations with data breaches would be a fundamental cause.

Until there is information on how many data protection professionals there are in Singapore and what they are doing, I don’t think you will find many more articles in this area on this blog.

#Privacy #PersonalDataProtectionCommission #PersonalDataProtectionAct #Penalties #Undertakings #Benchmarking #DataBreach #DataProtectionOfficer #Enforcement #Law #PDPAAmendment2020 #PDPC-Decisions #Singapore #Decisions



This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order. For the most part, the authorities have followed through. We are expecting more too. Is it the same with the Personal Data Protection Act in Singapore?

Penalties will increase under the latest PDPA amendments.

The financial penalties under Singapore’s Personal Data Protection Act probably garner the most attention. They are still newsworthy even though they have been issued regularly since 2016. The most famous data breach concerning SingHealth resulted in a total penalty of S$1 million. The maximum penalty of $1 million is not negligible. It’s not hypothetical either.

The newest PDPA amendments will now increase the maximum penalty to up to 10% of an organisation’s annual gross turnover in Singapore. To help imagine what this means: according to Singtel’s Annual Report in 2020, operating revenues for Singapore consumers were S$2.11b. The maximum penalty would be at least S$200m.

Is this the harbinger of doom and gloom for local companies? Will local companies scramble to hire personal data specialists like they did for the GDPR? Will an army of lawyers be groomed to comb through previous PDPC decisions to distinguish their clients' cases? Is my CIPP/A finally worth something?

Penalties imposed under the PDPA appear limited.

Before trying to spend on compliance, savvier companies would want to find out more about how the Personal Data Protection Commission enforces the PDPA. This makes sense. The costs of compliance have to be rational in light of the risks. If the dangers of being susceptible to a financial penalty are valued at $5,000, it makes no sense to hire a professional at $80,000 a year. If liability for data breaches is a unique and rare event, hiring a firm of lawyers to defend you in that event is better than hiring a professional every day to prevent it.

So here is the big question: What’s the risk of being penalised $1 million or gasp(!) at least $200 million?

Unfortunately, one does not need a big data science chart to realise that being penalised $1 million is a rare event. Being penalised $100,000 is also a rare event. Using the filters from the PDPC’s decisions database reveals a total of 2 cases with financial penalties greater than $75,000 since 2016.

Screen capture of filters of PDPC decisions with financial penalties of more than $75000. (As of October 2020)

However, if you insist on having a “big data science chart”, here’s one I created anyway:

Histogram of the number of cases binned on enforcement value.

Notes:

  • I excluded the SingHealth penalties ($750K and $250K) because they were outliers.
  • It’s named “enforcement value” and not “penalty sum” because I considered warnings and directions to have $0 as a financial penalty.

The “big data science chart” tells the same story as the PDPC’s website. Most financial penalties fall within the $0 to $35,000 range, with the mean penalty being less than $10,000. While the PDPC certainly has the power to impose a $1 million penalty, it appears to flex around 1% of its capabilities most of the time.

Past performance does not represent future returns. However, the amendments to the PDPA were not supposed to represent a change to the PDPC’s practices. They are for “flexibility” and to match other areas like the Competition Act. There is very little indication that an increase in the financial cap now means that companies will be liable for more.

Why are the penalties so low?

The decisions cite several factors in determining the amount of penalty – the number of individuals affected, the significance of the data lost and even whether the respondent cooperated with the PDPC.

In Horizon Fast Ferry, the PDPC cited the “ICO Guidance on Monetary Penalties” as a principle in determining monetary penalties:

The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA or with PECR. The penalty must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

The key phrase in the quote is “sufficiently meaningful”. Given the PDPC’s desire to promote businesses, the PDPC would not like to kill off a company by imposing a crippling penalty. The penalties serve a signalling purpose. As they continue to attract public attention and encourage companies to comply, penalties are the most effective tool in the PDPC’s arsenal.

However, even if the penalties are “sufficiently meaningful” in an objective sense, they may still be meaningless subjectively. $5,000 might be peanuts to a large business. Some businesses may even treat it as a cost of “innovation”. PDPC decisions are replete with “repeat” offenders. Breaking the PDPA, for example, seems to be a habit for Grab.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Moving beyond penalties

I am not a fan of financial penalties. I have always viewed them as a “transaction”, so they never really capture the spirit of compliance.

Asking companies to comply with directions may be far more punishing than doling out a fine. A law firm might help you negotiate the best directions you can get, but the company has to implement them through its employees. The company will need data protection specialists. This approach is more effective than just essentially issuing a company a ticket.

For this reason, I was pretty excited about the PDPC’s Active Enforcement guidelines. Here’s something to watch out for: a new section on undertakings appeared last month.

Conclusion

Still, I am probably an outlier in this regard. The increased penalty cap has repeatedly featured as one of the most critical changes in the PDPA. Experience does not suggest that a higher cap will change much. Nevertheless, as a signal, the news would probably make management sit up and review their data protection policies. Data Protection Officers should take advantage of the new attention to polish up their data protection policies and practices.

This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural language processing, data extraction and processing!

#Privacy #Singapore #PDPAAmendment2020 #Compliance #DataBreach #DataProtectionOfficer #Decisions #GDPR #Enforcement #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings



Update 31/5/2021: As of 1 February 2021, the revised (or updated as they call it) PDPA has been enacted substantially. The post has been updated to highlight areas which are still not effective as of May 2021.

I thought the break in the PDPC’s monthly release of decisions since March was due to office closure from COVID-19. Here is a new excuse. After what seems like an eternity of consultations, we have the text of the Amendment Bill. This will be the first substantial revision of Singapore’s Personal Data Protection Act.

Here is a summary of what I believe are the key points.

Mandatory Data Breach Notification is here

A vast majority of enforcement decisions from the PDPC concern data breaches. A vast majority of public reporting also concerns data breaches. Data breaches are the biggest source of liability for companies. However, enforcement action and liability depended on complaints. It is a bit like see no evil, hear no evil.

If organisations were required to report data breaches, this would greatly increase their exposure. The many organisations that merely comply with the minimum requirements of the PDPA will need to introduce new policies and processes to address what to do in a data breach.

Organisations working on behalf of public agencies no longer exempted

Following the data breaches in public health and questions regarding the private and public divide in the PDPA, the PDPA now covers organisations working on behalf of public agencies. More organisations will be included under the PDPA, since the government is much involved in Singaporeans’ lives through private companies. Together with a push from the government, this means that more organisations will be accountable under the PDPA.

Here’s another (underreported) change following from the debacles. The Amendment Bill now introduces offences for private-sector employees who mishandle information. This tracks the Public Sector Governance Act, which covered public sector employees.

The PDPA gets Personal (Love.Law.Robots.)

Voluntary Undertakings now part of PDPC’s enforcement

I have always been very sceptical of the use of and the focus on financial penalties. When the PDPA first came out, the headline number of $1 million was a pretty big deal. The GDPR already provides penalties that are way higher than that. Furthermore, in practice, hardly any organisation got a six-figure penalty. SingHealth remains an outlier. If your goal is to not pay a high penalty, you will hire better lawyers, not data protection officers.

Therefore I am excited about voluntary undertakings, as they are the teeth of the accountability principle. There have been very few decisions which apply this uncommon enforcement method. Hopefully, as has been the case with anti-corruption in the US, a focus on entrenching good practices is encouraged. At the very least, such enforcement will encourage the hiring and involvement of data protection officers.

Oh, and by the way, the amendment increases the penalties that the PDPC can impose. It has now increased to 10% of the organisation’s annual gross turnover or $1 million, whichever is higher. As I mentioned, all this is rather theoretical given the enforcement standards so far. [Update: This is one of the changes which are not effective as of 1 February 2021, presumably due to COVID. Quite frankly, the proof of the pudding is in the enforcement, not how high it can go.]

Will Increased Penalties Lead to Greater Compliance With the PDPA? (Love.Law.Robots.)

Given the “lawful purposes” approach followed by the GDPR, the increased emphasis on consent under the Amendment Bill seems quaint. “Deemed” consent will be expanded to new situations. You can argue that “deemed consent” is fictitious consent, whereby organisations just tick a few action boxes to do what they want.

Making sense of the latest PDPA amendments to the Consent Obligation: I consider the new amendments to the Consent Obligation under the PDPA with a flow chart (Love.Law.Robots.)

Do note that a “lawful purpose” features in the Amendment Bill. “Legitimate interest” is termed an “exception” here. There is a balancing effort between what the organisation would like and the risk and benefit to the public and the individual. Is this a peek behind the curtain? Will the “legitimate interest” exception swallow consent?

In any case, the PDPA still relies on consent, huge exceptions and “reasonableness”. This bill does not bring the PDPA into the 21st century. Singapore risks being left behind other countries which have adopted GDPR-like laws.

Data Portability

Data portability allows individuals to request an organisation to transmit a copy of their personal data to another organisation. It now gets its own section in the PDPA.

As a bit of a geek, of course I am very excited about “data portability”. However, implementation matters, and I am not sure organisations are motivated enough to put up the structures that will make this work. My developer experience playing with bank APIs has not been positive.

[Update: This is one of the changes which are not effective as of 1 February 2021.]

Conclusion

I don’t think I have covered all the changes in detail. Some changes need their own space, so I would be writing new posts and updating this one. Passing the act will still require some more time. Did anything else catch your eye?

[Update: The act was passed and the provisions noted here are substantially effective.]

#Privacy #Singapore #Features #ConsentObligation #DataBreach #DataPortability #Enforcement #Government #LegitimateExpectations #Notification #OpennessObligation #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings



This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural language processing, data extraction and processing!

Avid followers of Love Law Robots will know that I have been hard at work creating a corpus of Personal Data Protection Commission decisions. Downloading and pre-processing them has taken a lot of work! However, it has helped me create interesting charts that show insights at a macro level. How many decisions are released in a year, and how long are they? Which decisions refer to each other in a network?

Unfortunately, what I would really like to do is natural language processing. A robot should analyse text and make conclusions from it. This is much closer to the bread and butter of what lawyers do. I have been poking around spaCy, but using its regular expression function doesn’t really cut it.

This is not going to be the post where I say I trained a model to ask what the ratio decidendi of a decision is. Part of the difficulty is finding a problem that is solvable given my current learning. So I have picked something that is useful and can be implemented fast.

The Problem

The biggest problem I have is that the decisions, like many other judgements produced by Singapore courts, are in PDF. This looks great on paper but is gibberish to a computer. I explained this problem in an earlier post about pre-processing.

Get rid of the muff: pre-processing PDPC Decisions (Love.Law.Robots.)

Having seen how the PDF extraction tool does its work, you can figure out which lines you want or don’t want. You don’t want empty lines. You don’t want lines with just numbers on them (these are usually page numbers). Citations? One-word indexes? The commissioner’s name. You can’t exactly think up all the various permutations and then brainstorm regular expression rules to cover all of them.

It becomes whack-a-mole.
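To show the whack-a-mole concretely, here is an added example of the rule-based approach (my code, not anything from the pdpc-decisions repository). The sample lines are constructed in the style of PDF-extracted decision text; the rules cover the kinds of lines listed above, and the last, broadest rule shows the problem: a pattern written for one-word index entries also eats section headings such as "Introduction".

```python
import re

# Constructed sample of lines, in the style a PDF-to-text tool emits for a
# decision (made up for this example, not text from any real decision).
SAMPLE_LINES = [
    "",
    "[2019] SGPDPC 18",
    "Regulation 10(2) provides that a contract referred to in regulation 10(1) must:",
    "(vi)",
    "transferred under the contract”.",
    "12",
    "YEONG ZEE KIN",
    "Introduction",
    "There were various internal frameworks, policies and standards which apply to",
]

# Each rule names the kind of line it is meant to catch. Order matters: the
# first matching rule wins, so the specific rules come before the broad ones.
RULES = [
    ("blank", re.compile(r"^\s*$")),
    ("page number", re.compile(r"^\s*\d+\s*$")),
    ("citation", re.compile(r"^\s*\[\d{4}\]\s+SGPDPC\s+\d+\s*$")),
    ("list marker", re.compile(r"^\s*\(?(?:[ivxlc]+|[a-z]|\d+)[.)]\s*$")),
    ("all-caps name", re.compile(r"^\s*[A-Z]{2,}(?:\s+[A-Z]{2,}){1,3}\s*$")),
    # One-word lines are mostly index entries, but this rule also swallows
    # section headings such as "Introduction": the whack-a-mole the post describes.
    ("one word", re.compile(r"^\s*\S+\s*$")),
]


def classify_line(line):
    """Return the name of the first rule that matches, or None if the line is kept."""
    for name, pattern in RULES:
        if pattern.match(line):
            return name
    return None


def filter_lines(lines):
    """Split lines into those kept for the corpus and those dropped, with the reason."""
    kept, dropped = [], []
    for line in lines:
        reason = classify_line(line)
        if reason is None:
            kept.append(line)
        else:
            dropped.append((line, reason))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LINES)
    for line, reason in dropped:
        print(f"dropped ({reason}): {line!r}")
    print("kept:", kept)
```

Every new false positive (a heading caught by "one word", a two-word name that "all-caps name" misses) means editing a pattern and re-checking everything the earlier patterns already matched, which is the maintenance cost that pushed the post towards a trained model.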

Training a Model for the win

It was during one of those rage-filled “how many more things do I have to do to improve this” nights when it hit me.

“I know what lines I do not want to keep. Why don’t I just tell the computer what they are instead of abstracting the problem with regular expressions?!”

Then I suddenly remembered about machine learning. Statistically, the robot, after learning which lines I would keep or not, could make a guess. If the robot can guess right most of the time, that would narrow down the cases where regular expressions must still be used.

So, I got off my chair, selected dozens of PDFs and converted them into text. Then I separated the text into a CSV file and started classifying them.

Classification of lines for training

I managed to compile a list of over five thousand lines for my training and test data. After that, I lifted the training code from spaCy’s documentation to train the model. My Macbook Pro’s fans got noisy, but it was done in a matter of minutes.

Asking the model to classify sentences gave me the following results:

Text                                                                             | Remove or Keep
---------------------------------------------------------------------------------+---------------
Hello.                                                                           | Keep
Regulation 10(2) provides that a contract referred to in regulation 10(1) must:  | Keep
YEONG ZEE KIN                                                                    | Remove
[2019] SGPDPC 18                                                                 | Remove
transferred under the contract”.                                                 | Keep
There were various internal frameworks, policies and standards which apply to    | Keep
(vi)                                                                             | Remove
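As an added example of what "tell the computer which lines I do not want" looks like in code (my example, not the spaCy training code the post used), here is a small multinomial Naive Bayes classifier in plain Python with no spaCy dependency. The labelled training lines are constructed in the style of the table above, not the author's data; the "shape" features (all caps, bare digits, leading bracket, word count, trailing punctuation) are my own choice and are the cues that let such a model separate page furniture from body text on a handful of examples.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed, labelled training lines in the style of PDF-extracted decisions
# (made up for this example, not the author's training data).
TRAINING = [
    ("The Organisation operates an online platform for booking hotel rooms.", "Keep"),
    ("Regulation 10(2) provides that a contract referred to in regulation 10(1) must:", "Keep"),
    ("There were various internal frameworks, policies and standards which apply to", "Keep"),
    ("the protection of personal data in its possession or under its control.", "Keep"),
    ("The Commissioner finds that the Organisation was in breach of section 24 of the PDPA.", "Keep"),
    ("Hello.", "Keep"),
    ("transferred under the contract”.", "Keep"),
    ("a financial penalty of $10,000 is imposed on the Organisation.", "Keep"),
    ("YEONG ZEE KIN", "Remove"),
    ("DEPUTY COMMISSIONER", "Remove"),
    ("[2019] SGPDPC 18", "Remove"),
    ("[2018] SGPDPC 3", "Remove"),
    ("(vi)", "Remove"),
    ("(a)", "Remove"),
    ("12", "Remove"),
    ("3", "Remove"),
    ("", "Remove"),
]


def features(line):
    """Bag of features for one line: its words plus a few 'shape' cues."""
    stripped = line.strip()
    if not stripped:
        return ["blank"]
    feats = ["w=" + w for w in re.findall(r"[a-z]+", stripped.lower())]
    if any(ch.islower() for ch in stripped):
        feats.append("has_lower")
    elif any(ch.isalpha() for ch in stripped):
        feats.append("shape=upper")      # names and citations come out in capitals
    if stripped.isdigit():
        feats.append("shape=digits")     # bare page numbers
    if stripped[0] in "([":
        feats.append("starts=bracket")   # citations and list markers
    nwords = len(stripped.split())
    feats.append("nwords=" + ("3+" if nwords >= 3 else str(nwords)))
    if stripped[-1] in ".,:;”":
        feats.append("ends=punct")       # body text tends to end in punctuation
    return feats


class NaiveBayesLines:
    """Multinomial Naive Bayes with add-one smoothing over the features above."""

    def __init__(self):
        self.class_counts = Counter()
        self.feature_counts = defaultdict(Counter)
        self.totals = Counter()
        self.vocab = set()

    def train(self, examples):
        for line, label in examples:
            self.class_counts[label] += 1
            for f in features(line):
                self.feature_counts[label][f] += 1
                self.totals[label] += 1
                self.vocab.add(f)

    def predict(self, line):
        feats = features(line)
        n = sum(self.class_counts.values())
        scores = {}
        for label, count in self.class_counts.items():
            score = math.log(count / n)                     # class prior
            denom = self.totals[label] + len(self.vocab)    # smoothed denominator
            for f in feats:
                score += math.log((self.feature_counts[label][f] + 1) / denom)
            scores[label] = score
        return max(scores, key=scores.get)


def train_default():
    clf = NaiveBayesLines()
    clf.train(TRAINING)
    return clf


def clean_text(lines, clf):
    """Keep only the lines the model labels 'Keep'."""
    return [line for line in lines if clf.predict(line) == "Keep"]


if __name__ == "__main__":
    model = train_default()
    for sample in ["Hello.", "[2020] SGPDPC 7", "47", "(iii)",
                   "The Organisation must protect personal data in its possession."]:
        print(f"{model.predict(sample):6}  {sample!r}")
```

Unseen citations, page numbers and list markers are classified correctly because their shape features were seen with the Remove label, even though their word features were not; a sentence made of words the model has seen before goes to Keep by a wide margin. Naive Bayes is chosen here only because it is easy to inspect; the point is the labelling step, not the particular model.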

By applying it to text extracted from the PDF, we can get a resulting document which can be used in the corpus. You can check out the code used for this in the GitHub repository under the branch “line_categoriser”.

houfu/pdpc-decisions – Data Protection Enforcement Cases in Singapore (GitHub)

Conclusion

Will I use this for production purposes? Nope. When I ran some decisions through this process, the effectiveness was unfortunately no better than using regular expressions. The model, which weighs nearly 19 MB, also took noticeably longer to process a series of strings.

My current thinking on this specific problem points to a different approach. It would involve studying PDF internals and observing things like font size and styles to determine whether a line is a header or a footnote. It would also make it easier to join lines of the same style into a paragraph. Unfortunately, that is homework for another day.

Was it a wasted adventure? I do not think so. Ultimately, I wanted to experiment, and embarking on a task I could do in a week of nights was surely insightful in determining whether I can do it, and what the limitations of machine learning are in certain tasks.

So, hold on to your horses, I will be getting there much sooner now.

#PDPC-Decisions #spaCy #NaturalLanguageProcessing



This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural language processing, data extraction and processing!

As mentioned in my previous post, I have not been able to spend time writing as much code as I wanted. I had to rewrite a lot of code due to the layout change in the PDPC Website. That was not the post I wanted to write. I have finally been able to write about my newest forays for this project.

Enforcement information

I had noticed that the summary provided by the Personal Data Protection Commission provides an easy place to cull basic information. So, I have added enforcement information. Decisions now tell you whether a financial penalty or a warning was meted out.

Information is extracted from the summaries using the rule-based Matcher in spaCy. It isn’t perfect. Some text does not really fit the mould. However, due to the way the summaries are written, information is mostly extracted accurately.

Visualising the parts of speech in a typical sentence can allow you to write rules to extract information.

This is the first time I have used spaCy or any natural language processing for this purpose. Remarkably, it has been fast. Culling this information (as well as the other extra features) only added about two hundred seconds to building a database from scratch. I would like to find more avenues to use these newfound techniques!
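As an added example (not code from the pdpc-decisions project), here is how spaCy's rule-based `Matcher` can pull the outcome out of summary text along the lines described above; the three sample summaries and the exact token patterns are constructed assumptions about how the Commission phrases its summaries.

```python
"""Pull enforcement outcomes out of PDPC summary text with spaCy's rule-based
Matcher. Added illustration; not code from the pdpc-decisions project."""
import spacy
from spacy.matcher import Matcher

# A blank English pipeline suffices: the patterns use only lexical attributes
# (LOWER, IS_CURRENCY, LIKE_NUM), so no trained model has to be downloaded.
nlp = spacy.blank("en")
matcher = Matcher(nlp.vocab)

# "financial penalty of $10,000": the currency token is optional so that
# "financial penalty of 10,000" also matches.
matcher.add("FINANCIAL_PENALTY", [[
    {"LOWER": "financial"}, {"LOWER": "penalty"}, {"LOWER": "of"},
    {"IS_CURRENCY": True, "OP": "?"}, {"LIKE_NUM": True},
]])
# Two phrasings of a warning: "a warning was issued" / "issued a warning".
matcher.add("WARNING", [
    [{"LOWER": "warning"}, {"LOWER": "was"}, {"LOWER": "issued"}],
    [{"LOWER": "issued"}, {"LOWER": "a"}, {"LOWER": "warning"}],
])

# Constructed summaries in the shape of the Commission's case summaries.
SAMPLE_SUMMARIES = [
    "A financial penalty of $10,000 was imposed on the organisation for "
    "failing to put in place reasonable security arrangements.",
    "A warning was issued to the organisation for disclosing personal data "
    "without consent.",
    "Directions were issued to the organisation to review its policies.",
]


def extract_enforcement(summary):
    """Return {'outcome': ..., 'amount': ...}; a penalty outranks a warning
    when a summary mentions both, and unmatched text stays 'unknown'."""
    doc = nlp(summary)
    result = {"outcome": "unknown", "amount": None}
    for match_id, start, end in matcher(doc):
        label = nlp.vocab.strings[match_id]
        if label == "FINANCIAL_PENALTY":
            result["outcome"] = "financial penalty"
            # The last token of the matched span is the LIKE_NUM token.
            result["amount"] = int(doc[end - 1].text.replace(",", ""))
        elif label == "WARNING" and result["outcome"] == "unknown":
            result["outcome"] = "warning"
    return result


if __name__ == "__main__":
    for text in SAMPLE_SUMMARIES:
        print(extract_enforcement(text))
```

Summaries that fit neither pattern are reported as `unknown` rather than guessed, which is the case to review by hand when the text "does not fit the mould".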

spaCy · Industrial-strength Natural Language Processing in Python: spaCy is a free open-source library for Natural Language Processing in Python. It features NER, POS tagging, dependency parsing, word vectors and more.

References

Court decisions are special in that they often require references to leading cases. This is because they are either binding (stare decisis) or persuasive to the decision maker. Of course, previous PDPC Decisions are not binding on the PDPC. Lately, respondents have been referring to the body of cases to argue they should be treated alike. I have not read a decision where this argument has worked.

Nevertheless, the network of cases referring to and referred by one another offers remarkably interesting insights. Imagine it as a social network of cases. To establish a point, the Personal Data Protection Commission does refer to earlier cases. All things being equal, a case with more references to it is more influential.

pdpc-decisions now reads the text of each decision to create the list of decisions it refers to (“referring to”). From those lists, we can also create, for each decision, the list of decisions that make references to it (“referred by”). Because of the haphazard way the PDPC has been writing its decisions and its citations, this is also not perfect, but it is still reasonably accurate.

As I mentioned, compiling a network of decisions can offer some interesting insights. So here it is — the social network of PDPC decisions.

I guess this is the real pdpc decisions in one chart

Update (24/4/2020): The chart was lumping together the Aviva case in 2018 with the Aviva case in 2017. The graph has been updated. Not much has changed in the big picture though.

Of course, a more advanced visualisation tool would allow you to drill down to see which cases are more influential. However, a big diagram like the above shows you which are the big boys in this social network.

Before I leave this section, here’s a fun fact to take home. Based on the computer’s analysis, over 68% of PDPC decisions refer to one another. That’s a lot of chatter!
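As an added example (not the pdpc-decisions implementation), the “referring to” and “referred by” lists described above, the in-degree ranking behind the chart, and the share of decisions that refer to another can all be computed from a map of citation to decision text. The neutral citation pattern and the four mini-decisions are constructed assumptions; keying nodes by citation rather than party name also avoids the kind of lumping noted in the Aviva update.

```python
"""Build the 'referring to' / 'referred by' network of PDPC decisions from
their text. Added illustration; not the pdpc-decisions implementation."""
import re
from collections import defaultdict

# Assumed citation form "[2019] SGPDPC 3"; neutral citations make better node
# keys than party names, which can merge two cases against the same party.
CITATION = re.compile(r"\[(\d{4})\]\s+SGPDPC\s+(\d+)")

# Constructed mini-corpus (citation -> decision text); not real decisions.
DECISIONS = {
    "[2016] SGPDPC 1": "The organisation did not protect the personal data.",
    "[2017] SGPDPC 4": "As held in [2016] SGPDPC 1, the arrangements must be "
                       "reasonable in the circumstances.",
    "[2018] SGPDPC 2": "See [2016] SGPDPC 1 and [2017] SGPDPC 4; the respondent "
                       "also relied on [2017] SGPDPC 4.",
    "[2019] SGPDPC 7": "No earlier decision is relevant here.",
}


def build_network(decisions):
    """Return (referring_to, referred_by), both citation -> set of citations."""
    referring_to = {cite: set() for cite in decisions}
    referred_by = defaultdict(set)
    for cite, text in decisions.items():
        for year, number in CITATION.findall(text):
            target = f"[{year}] SGPDPC {number}"
            if target == cite:  # a decision quoting its own citation
                continue
            referring_to[cite].add(target)  # sets dedupe repeated citations
            referred_by[target].add(cite)
    return referring_to, dict(referred_by)


def share_referring(referring_to):
    """Fraction of decisions that cite at least one other decision."""
    citing = sum(1 for refs in referring_to.values() if refs)
    return citing / len(referring_to)


def most_referred(referred_by, n=3):
    """Rank by in-degree: the more decisions refer to a case, the more
    influential it is, all things being equal."""
    return sorted(referred_by, key=lambda c: (-len(referred_by[c]), c))[:n]


if __name__ == "__main__":
    to, by = build_network(DECISIONS)
    print(f"{share_referring(to):.0%} of decisions refer to another")
    print("most referred:", most_referred(by))
```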

Moving On

I keep thinking I have finished my work here, but there always seem to be new things coming up. Here is some interesting information I would like to find out:

  • In a breach, how many data subjects were affected? How exactly does this affect the penalty given by the PDPC?
  • What kinds of information are most often involved in a data breach? How does this affect the penalty given by the PDPC?
  • How long does it take for the PDPC to complete investigations? Can we create a timeline from the information in a decision?

You would just have to keep watching this space! What kind of information is interesting to you too?

#PDPC-Decisions #NaturalLanguageProcessing #spaCy



Previously I wrote about how Singapore is strengthening its foreign bribery regime by providing a jurisprudential basis. Foreign bribery is a bit of a mystery. Unlike local bribery, there is no clear motivating factor for how a country gets on the bandwagon. The damage to foreign countries may be a distant concern for national governments. Not every country wants to be a global policeman or punish its own nationals for damaging other countries. Certainly not Singapore.

An Interest Group Theory to Foreign Bribery?

I chanced upon an article on the FCPA Blog which provides an easy framework for understanding why other countries are getting on the foreign bribery bandwagon. The blog post, which is a summary of an article written by the authors, says:

Once U.S. extraterritorial enforcement began in earnest, the incentives of foreign firms, at least those subject to material FCPA risk, came to mirror those of U.S. firms under the FCPA. They faced an uneven playing field vis-à-vis domestic competitors which, due to their domestic or regional reach, were subject to less risk of U.S. enforcement. Therefore, in order to level the playing field against such competitors, foreign multi-nationals came to favor the importation of a parallel regulatory regime into their own country. In this way, foreign anti-bribery laws spread around the world.

Sean J. Griffith and Thomas H. Lee, “How to get countries to enforce foreign anti-bribery and corruption laws”

In Singapore, as mentioned, foreign bribery enforcement began to draw more attention after the FCPA case against Keppel Offshore and Marine. It was about this time that Singapore introduced the deferred prosecution agreement scheme. It did not apply to foreign bribery (Singapore’s Prevention of Corruption Act is pretty vintage compared to other OECD countries), but I thought the DPA scheme would surely be extended to foreign bribery in due course.

So did our local MNCs want to level the playing field against other competitors? Maybe, but our local MNCs (which are often government linked) are in a world of their own in Singapore. They could bury this, move on and conduct business as usual.

My thoughts: Enacting Foreign Bribery laws to protect local MNCs?

Here’s my alternative argument.

When the US exercises its extraterritorial jurisdiction, it takes the initiative in determining how such violations are treated.

However, if national governments take action, it would be more difficult for the US to determine the course by itself. If the national government is competent enough, the US and other countries wouldn’t even need to act.

Local MNCs would prefer the national government to take action, since they would have greater access to and influence over the course of a local investigation and prosecution. However, for local MNCs to benefit, national laws must already have a similar framework, such as foreign bribery laws and deferred prosecution agreements.

This is intuitive to me. I was actually influenced by reading the parliamentary debates after the news broke of Keppel Offshore and Marine (KOM) being subjected to such heavy fines. The key answers are buried in the middle of the text.

  • Unlike the US, the Singaporean government was able to give a conditional warning in lieu of prosecution to the company. As learned readers may note, a conditional warning imposes conditions, but its conditions are not as detailed as a deferred prosecution agreement.
  • The government admitted openly that the action under the FCPA would have achieved much more than under local laws. Besides the lack of ability to impose conditions like strengthening compliance programs, the maximum fine under local anti-corruption laws is $100,000. KOM was fined several million US Dollars.

Conclusion

I do agree with the authors that the enactment of foreign bribery laws depends greatly on the actions of the US. If there is no enforcement of the FCPA overseas, there is no impetus anywhere else. I also agree that local business lobbies are probably more influential in pushing national governments to action. However, pure market forces are not so influential in this part of the world, and I believe that national protection may be at work here.

Do you agree that market forces influence local MNCs to push for foreign bribery laws, or that national governments trying to protect their own businesses account for a push for foreign bribery laws? I would love to hear your comments!

#Law #Enforcement #ForeignBribery #PreventionofCorruptionAct #FCPA
