PDPC consults on proposed introduction of data portability and data innovation provisions

27 June 2019

Since 22 May 2019, the Personal Data Protection Commission (“PDPC”) has been conducting a public consultation to seek comments on the proposed introduction of data portability and data innovation provisions, as part of the review of the Personal Data Protection Act 2012 (“PDPA”). The deadline for submission of feedback has been extended from 3 July 2019 to 17 July 2019.

Proposed data portability obligation

PDPC is considering introducing a data portability obligation under the PDPA. Under the proposed obligation, an organisation must, at the request of an individual, provide the individual’s data that is in the organisation’s possession or under its control, to be transmitted to another organisation in a commonly used machine-readable format. Set out below are some of the proposed features:

• Covered organisation: The proposed data portability obligation will apply to any organisation (defined in the PDPA to include any individual, company, association or body of persons, corporate or unincorporated whether or not formed or recognised under the law of Singapore; or resident, or having an office or a place of business, in Singapore) that collects, uses or discloses personal data in Singapore, except for (i) any individual acting in a personal or domestic capacity, (ii) any employee acting in the course of his or her employment with an organisation, (iii) any public agency, and (iv) any organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.

The proposed data portability obligation will not apply to a data intermediary in relation to data that it is processing on behalf of and for the purposes of another organisation. 

• Receiving organisation: Organisations will only be required to transmit data to other organisations (“receiving organisations”) that have a presence in Singapore. However, this is not intended to prevent voluntary arrangements by organisations to transmit data to overseas organisations with the consent of the individual.
•  Requesting individual: Any individual, regardless of whether the individual is in Singapore, may make a data portability request to an organisation that is covered by the proposed data portability obligation.  
• Covered data: PDPC proposes for the proposed data portability obligation to apply only to data in the possession or control of organisations that is held in electronic form. In order to reap the maximum benefits for consumers and the economy, PDPC proposes for the data portability obligation to apply to data that is (i) provided by the individual to the organisation, and (ii) generated by the individual’s activities in using the organisation’s product or service. The data is not limited to the personal data of the individual, but may include personal data of third parties, so long as it was provided by the requesting individual, or generated by the individual’s activities.

To promote business innovation, PDPC proposes to provide for a similar exception to the access obligation under the PDPA for data which, if disclosed, would reveal confidential commercial information that could harm the competitive position of the organisation. This is not intended to affect general competition in the market, but to protect first movers who bring to market an innovative product or service from unfair competition by fast followers. The proposed exception to port data that is associated with an innovative product or service should not exempt a first mover for an unnecessarily prolonged period.

The access obligation under the PDPA refers to the right of individuals to request for access to their personal data in the possession or under the control of the organisation, and organisations have the obligation to provide the requested personal data. 

• Handling data portability requests: PDPC proposes to impose the porting organisation with key responsibilities such as providing an avenue for individuals to submit requests for data porting, ensuring the veracity of the request received and allowing the individual to view the data before transmitting it to the receiving organisation. As a matter of good practice, the porting organisation should check that the transmitted data has been received by the receiving organisation and assist with any queries it may have with regard to the data transmitted.
•  Receiving ported data: It is proposed that the receiving organisation should verify the completeness and conformity to formats and standards of data that is transmitted to it by a porting organisation pursuant to a data portability request. 
• Alignment with access obligation: PDPC proposes to provide exceptions to the data portability obligation similar to the current exceptions to the access obligation under the PDPA to ensure that where an organisation is not required to provide access to a requesting individual’s personal data pursuant to section 21 of the PDPA, the organisation will also not be required to provide the individual access to or a copy of the data for porting to another organisation pursuant to the data portability obligation. 
• Power to review: In terms of enforcement, it is proposed that PDPC be empowered to review an organisation’s (i) refusal to port data, (ii) failure to port data within a reasonable time, and (iii) fees for porting data, pursuant to an individual’s data portability request.    
• Codes of practice: It is proposed that PDPC be empowered to prescribe binding codes of practices for data portability that may apply to organisations in specific clusters or sectors. The proposed codes of practices will be issued as subsidiary legislation under the PDPA and will be legally binding. PDPC intends to develop these codes of practice in consultation with the relevant sector regulators and industry stakeholders.

PDPC would also like views on the impact of data portability, specifically on consumers, market and the economy.

Proposed data innovation provisions

PDPC intends to make clear in the PDPA how organisations may use data for appropriate purposes, so as to provide organisations with confidence to harness the data they hold for business innovation. PDPC would like feedback in the following key areas: 

• Business innovation purposes: To enable organisations to confidently use data to derive business insights and innovate in the development and delivery of products and services, PDPC intends to introduce provisions in the PDPA to clarify that organisations can use personal data (collected in compliance with the data protection provisions of the PDPA) for the purposes of (i) operational efficiency and service improvements, (ii) product and service development, or (iii) knowing customers better (“business innovation purposes”). PDPC intends to clarify that organisations may use personal data for business innovation purposes without the requirement to notify the individuals of and seek consent to use their data for these purposes. Where individuals withdraw their consent for the use or disclosure of their personal data for the purposes for which the organisation had collected the personal data, organisations may continue to use such personal data for business innovation purposes. The proposed provision for business innovation purposes does not extend to the use of data for sending direct marketing messages to customers. 

• Derived personal data: PDPC refers to new data that is created through the processing of other data by applying business-specific logic or rules as “derived data”. Depending on the business-specific rules applied, derived data may still be capable of identifying an individual (“derived personal data”). Where personal data is used for the creation of derived personal data for business innovation purposes (i.e. for operational efficiency and service improvements, product and service development, or knowing customers better), organisations will not be required to notify the individual and obtain consent to do so. Consent is also not required to use the derived personal data for business innovation purposes. PDPC proposes to provide that derived personal data will not be subject to the obligations under the PDPA relating to access, correction and data portability (currently under consultation).

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg: 

• PDPC media release 
• Factsheet on Public Consultation on Proposed Data Portability and Data Innovation Provisions 
• Public Consultation on Proposed Data Portability and Data Innovation Provisions 
• Keynote Speech by Deputy Commissioner, Mr Yeong Zee Kin, at Know Ahead to Stay Ahead - Leadership’s Engagement in Data Protection at Infocom Media Development Authority on 22 May 2019

Download PDF