Jun 08 2020 | by OrionW
The Personal Data Protection Commission (PDPC) amended the Personal Data Protection Regulations 2014 (PDPR) to recognise the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System and Privacy Recognition for Processors (PRP) System certifications as modes for data transfers abroad. The amendment came into force on 1st June 2020.
Transfer Limitation Obligation under the Personal Data Protection Act
The PDPR requires an organisation transferring personal data to a country or territory outside of Singapore to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection that is at least comparable to that under the Personal Data Protection Act 2012 (PDPA).
Before the amendment, the "legally enforceable obligations" described in the PDPR consisted of obligations imposed on a recipient of personal data under:
(i) any law;
(ii) contracts satisfying certain protection standards;
(iii) binding corporate rules satisfying certain protection standards; or
(iv) any other legally binding instrument.
Impact of the PDPR Amendment
The PDPR amendment adds a new category of “legally enforceable obligation” that an organisation wishing to make cross-border data transfers may rely on: specified privacy-compliance certifications held by the proposed recipient of the data. The certifications specified in the amendment are currently limited to the APEC PRP System for data intermediaries and the APEC CBPR System for non-data intermediaries.
In a related update to its Advisory Guidelines on Key Concepts in the PDPA, the PDPC explained that a recipient organisation holding a "specified certification" is taken to be bound by legally enforceable obligations to provide a standard of protection comparable to that laid down in the PDPA. Thus, organisations in Singapore can conveniently transfer personal data to a CBPR- or PRP-certified recipient without meeting additional requirements.
PDPC Sample Clause Recommendation
The PDPC recommends transferring organisations in Singapore to include the following clause in contracts for transfers of data to overseas recipients that hold CBPR or PRP certifications to ensure compliance with the transfer limitation obligations:
“The parties agree and acknowledge that [an organisation / a data intermediary]* which is certified under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System]* is bound by a legally enforceable set of obligations to provide comparable protection to the Personal Data Protection Act 2012 (No. 26 of 2012, Statutes of the Republic of Singapore).
The receiving party shall maintain its certification under the Asia-Pacific Economic Cooperation [Cross Border Privacy Rules System / Privacy Recognition for Processors System]* during the term of this Agreement, and promptly notify the disclosing party of any change in the receiving party’s certification status.”
Cross-border transfers of personal data are critical to individuals and businesses. The PDPR amendment makes the transfer of personal data overseas to a recipient that is CBPR- or PRP-certified more convenient. The amendment may also provide a point of differentiation for certified organisations when they compete for business involving cross-border data transfers.
Disclaimer: This article is for general information only and does not constitute legal advice.