Thursday, 3 May 2012

The Reveal: Singapore introduces its proposed Personal Data Protection Bill

Singapore has taken another step towards the introduction of data protection legislation by publishing the responses the Singapore Ministry of Information, Communication and the Arts (MICA) had received during its second (and in all probability, final) round of public consultation. The details and the rationale for introducing the legislation can be found here and here. All things considered, the draft legislation does try to strike a reasonable balance between the interests of the individual and businesses. This is clear from the drafting and the various exceptions. However, as would be expected, a lot of the detail remains to be fleshed out in guidelines that will be issued by MICA (especially around what constitutes consent and what is "reasonable"). On that note, I suspect that MICA may take a leaf out of the UK ICO's page.

It is unlikely that MICA will make many substantive changes at this late stage (having committed considerable time and resources in considering the first round of submissions, drafting its considered response to the submissions, and drafting the proposed data protection legislation). As such, I found it a bit curious why some organisations chose to only make submissions at this second round of public consultations and not at the first round where their submissions would have mattered more. For instance, in the first round of public consultation, MICA had not intended to make a distinction between data processors and data controllers - which would have meant that all the obligations and restrictions in the proposed data protection law would have applied to data processors (which would have been out-of-step with other international precedents). In response, a few major IT companies that provide outsourced IT solutions made it crystal clear in their submissions during the first round of consultations why this would not be a good idea. MICA subsequently agreed to the inclusion of a distinction between data controllers and data processors when it issued the draft data protection legislation.

At this stage, MICA would have already committed to the principles, concepts and scope of the proposed law, and it would take serious lobbying or manifest error for the policy team and drafters to change their minds in a major way. Perhaps some minor tweaks here and there but certainly not drastic changes like stepping away from the penalty framework which some organisations continue to object to.
