Upcoming changes to the PDPA: Introducing Data Portability

Passed in Parliament on 2 November 2020, the Personal Data Protection (Amendment) Bill introduced a slew of amendments and new concepts to the existing framework under the Personal Data Protection Act (“PDPA”).

One of the new concepts is that of data portability under the proposed new Part VIB of the PDPA. Although this Part VIB is not yet in effect as at the date of this article, it is important for organisations to understand this upcoming amendment to better prepare themselves for its eventual implementation.

In particular, this new data portability obligation may be a cause of concern for organisations in Singapore, especially those that are not already familiar with similar obligations under the data protection laws in other jurisdictions. While such obligations are new in Singapore, other jurisdictions have implemented similar data portability obligations, for example, the European Union under Article 20 of the General Data Protection Regulation (Regulation (EU) 2016/679).

What is the Data Portability Obligation?

Simply put, the new data portability obligation under the new Part VIB of the PDPA will, upon request by an individual, require an organisation to transmit that individual’s personal data in its possession or under its control to another organisation in a commonly used machine-readable format.

The purpose of the introduction of this new right for individuals is to provide data subjects with greater autonomy and control over their personal data, as well as to facilitate the innovative and more intensive use of personal data in the possession or under the control of organisations to support the development, enhancement and refinement of goods and services provided by other organisations.

Currently, there is still no right to data portability under the PDPA. However, the Personal Data Protection Commission (“PDPC”) has indicated that it will be working closely with all stakeholders for a phased implementation, and we can expect its implementation in the upcoming months.

Key Characteristics of the Data Portability Obligation

Although it has not been implemented under the PDPA thus far, and the regulations and guidelines from the PDPC have not yet been announced, here are some of the key characteristics of the data portability obligation as we understand them so far:

  • Not all personal data

Contrary to popular belief, the data portability obligation does not apply to all personal data. The following flowchart provides a quick guide on what personal data is covered:

Clarification on what personal data is prescribed to be applicable data and/or what the prescribed period is will likely be provided subsequently when the PDPC issues its regulations and guidelines on data portability.

  • Requirement of Ongoing Relationship

Under proposed section 26H(3) of the PDPA, the data portability obligation only applies to applicable data if both of the following are satisfied:

  1. The data porting request satisfies the prescribed requirements (to be issued by the PDPC at a later date); and
  2. The organisation, at the time it receives the data porting request, has an ongoing relationship with the individual.

We understand that the PDPC is working closely with stakeholders for the implementation of the new data portability obligation and anticipate that the new regulations will be issued in the upcoming months with the prescribed technical or protection details.

  • Excluded Applicable Data

An organisation is not required to transmit any of the following types of applicable data:

  1. opinion data kept solely for an evaluative purpose;
  2. a document related to a prosecution if all proceedings related to the prosecution have not been completed;
  3. personal data which is subject to legal privilege;
  4. personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
  5. personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed; and
  6. derived personal data.

  • Does not apply to data intermediaries

The proposed data portability obligation will apply to any organisation that collects, uses and/or discloses personal data in Singapore that is governed by the PDPA, but will not apply to a data intermediary in relation to data that it is processing on behalf of and for the purposes of another organisation.

  • May not apply to all foreign receiving organisations

Organisations are only required to transmit data to another organisation (the “receiving organisation”) that: (a) is formed or recognised under the law of Singapore or a country prescribed to be an applicable country (“applicable country”); or (b) is resident, or has an office or a place of business, in Singapore or an applicable country. The list of countries prescribed to be an applicable country will likely be announced together with the regulations and guidelines for data portability at a later time.

However, the PDPC has made it clear that this is not intended to prevent voluntary arrangements by organisations to transmit applicable data to overseas organisations with the consent of the individual (subject to the data transfer obligation).

How to prepare for the data portability obligation?

Step 1: Receiving Data Porting Requests

Organisations must provide an avenue for individuals to submit data porting requests (e.g., via the website). Where a template form is provided, it should request sufficient information to identify the requesting individual, as well as the types and amount of data requested for porting.

Step 2: Verification

In addition to ensuring the veracity of a data porting request, organisations should also verify the data to be ported before porting the data. The PDPC recommends allowing the requesting individual to view the data (or a sample of the data) before transmitting it to the receiving organisation.

Step 3: Porting of Applicable Data

Following the verification above, an organisation should provide the following information to the individual:

  • Fees Payable (if any)

An organisation may charge a reasonable fee to recover the cost of providing the service to port the requested data. If an individual or receiving organisation refuses to pay the fees, the organisation may reject the data porting request.

  • Timeline

The data to be ported must be ported within a reasonable period. Currently, the PDPC is proposing to prescribe in Regulations a period of no longer than 7 calendar days upon confirmation of the data.

Step 4: Format for Porting Data

Although the PDPC has stated that it will not prescribe the data formats that an organisation should adopt for transmitting data, the format used should be easily accessible and affordable to any organisation receiving the data (e.g., open data formats).

Step 5: Notification of Rejection (where applicable)

If an organisation rejects a data porting request, it must inform the individual as soon as practicable of the rejection and the reason for the rejection (e.g., an exception applies or it does not possess the applicable data).

Step 6: Preservation of Data

An organisation is required to preserve the requested data upon receiving a data porting request by an individual. Where the organisation rejects a data porting request (including when the individual does not agree to pay the fees), the organisation must continue to preserve a copy of the requested data for a reasonable period (i.e., minimally 30 calendar days).

In the upcoming months, we can expect that further information and guidance will be issued by the PDPC on the proposed data portability obligation and the prescribed requirements therein. In the meantime, organisations should get a head-start and familiarise themselves with this upcoming obligation and prepare themselves accordingly.

This article seeks to briefly introduce the upcoming amendments to the Personal Data Protection Act in Singapore in a summarized and engaging manner and should not be construed as legal advice in any form or manner. For more information on this matter, please feel free to contact Ms Jennifer Chih and Ms Maria Chang.