Whilst a lot of attention has been given to European data protection legislation, we should not forget some interesting developments which are happening in Asia at the moment.
Indeed a spate of new data protection legislation has been prepared and in some cases already passed in the last year. For example, Malaysia will have its new data protection regime come into force this summer and just last month the Philippine government passed its privacy legislation.
Particular interest has been generated by the Singaporean draft legislation, the latest (and potentially last) draft of which was published a few weeks ago. Whilst the legislation does borrow some concepts from the current European regime, other provisions draw more comparison with US privacy laws (particularly with regard to information which is made publicly available).
Areas of difference to familiar European legislation which caught Datonomy’s eye include:
- The focus of the legislation is only on the private sector. Government agencies are not covered.
- All organisations that are engaged in data collection, processing or disclosure within Singapore would be caught by the regime, even where the organisation is not physically located in Singapore. So, for example, an organisation which is based in the UK (such as a UK website) but which collects personal data from Singaporean customers would need to comply. This raises similar extra-territorial debates to those raised recently with the new draft European Regulation. In this case the Singaporean government has admitted that it recognises enforcement and investigation may be rather difficult in the case of overseas companies.
- The Act draws no distinction between personal and sensitive personal data – all must be treated the same.
- The law specifically incorporates a reasonableness test so organisations must consider “what a reasonable person would consider appropriate in the circumstances” when complying with the Act.
- There are no notification requirements, so there is less bureaucracy.
- Perhaps most interestingly, the government made a decision to extend rights to cover data of deceased individuals in terms of obligations around data disclosure and security up to 10 years from the date of death.
So, what do readers think of the proposals? To date the European legislation remains silent as to whether data subjects must be living but most national regimes (including that of the UK) have limited it in this way. Do you think that there may be merit in revisiting this like Singapore?
Datonomy will be keeping an eye on the developments in Asia and, in particular, will feed back when the final Singaporean draft is published.