EDPB adopts Supplementary transfer tools following Schrems II ruling

EDPB published the following press release today:

During its 41st plenary session, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.

Both documents were adopted as a follow-up to the CJEU’s ‘Schrems II’ ruling.

As a result of the ruling on July 16th, controllers relying on Standard Contractual Clauses (SCCs) are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area (EEA).

The CJEU allowed exporters to add measures that are supplementary to the SCCs to ensure effective compliance with that level of protection where the safeguards contained in SCCs are not sufficient.

The recommendations aim to assist controllers and processors acting as data exporters with their duty to identify and implement appropriate supplementary measures where they are needed to ensure an essentially equivalent level of protection to the data they transfer to third countries. In doing so, the EDPB seeks a consistent application of the GDPR and the Court’s ruling across the EEA.

The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EEA in accordance with EU law, and help them identify those that could be effective.

The recommendations on the supplementary measures will be submitted to public consultation. They will be applicable immediately following their publication.

In addition, the EDPB adopted recommendations on the European Essential Guarantees for surveillance measures. The recommendations on the European Essential Guarantees are complementary to the recommendations on supplementary measures.

The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with the rights to privacy and the protection of personal data, and therefore as not impinging on the commitments of the Article 46 GDPR transfer tool the data exporter and importer rely on.

Reference:

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.


WhatsApp Pay : A Master Circular required from RBI

WhatsApp has been in the news as a messaging company providing end-to-end encrypted messaging services in the past, introducing vanishing messages etc. As a messaging company it had its share of controversies involving the spread of fake messages and the mobilization of people for creating social unrest etc.

Now by introducing the WhatsApp Pay, WhatsApp is changing its profile from a messaging app to a Fintech App. Perhaps we will need to look forward to a different set of issues arising between WhatsApp and the Government of India involving data localization and financial fraud control.

With RBI providing the regulatory clearance for WhatsApp Pay, users of WhatsApp can now send and receive money from their contacts just like exchanging messages. Additionally, payments can be made to persons not in the contact list with the use of a QR code.

WhatsApp has a customer base of around 350 million in India and hence, as a peer-to-peer payment system, it is expected to catch on quickly. Presently GooglePay and PhonePe are said to have a market share of around 40% each in the UPI based payment system, worth Rs 3.5 lakh crore of transactions per month, which WhatsApp will now join.

All these systems will use the UPI network of partner Banks and compete with the Wallet Companies and PPIs, particularly for small payments, though they themselves do not undertake any liability for the transactions.

While GooglePay and WhatsApp Pay are monetizing their customer base acquired from a different service, AmazonPay and PhonePe (taken over by Flipkart) may use their e-commerce customer base to spread their wings into the FinTech domain.

In terms of business strategy, the way the messaging and e-commerce businesses are merging into the banking and finance business is interesting. The trend is “Unified Business Services” and these companies are enlarging their revenue base from advertising to financial services. Soon they will also wade into insurance and investment broking besides traditional banking itself.

Since these are “No Liability” monetization deals to encash on the customers they acquired when India did not have any Data Protection laws, they are great as business deals but uncomfortable for Fraud watchers.

Traditionally Banking has been separately regulated by RBI in India but the current developments indicate a trend where the frontal face of the business is a Google or WhatsApp or Amazon but the back end is the licensed banking service.

This creates a perception that WhatsApp or Google is the payment institution but actually the customers are authorizing these agencies to operate Customer’s Bank accounts as if they are power of attorney holders for operating the Bank account.

For example, WhatsApp Pay has an arrangement with five banks, namely ICICI Bank, HDFC Bank, Axis Bank, SBI and Jio Payment Bank, which are licensed to carry on banking business. When we use WhatsApp Pay, we are allowing WhatsApp as our agent to operate our Bank account through a chain of third parties.

When a WhatsApp customer activates the payment system, he is assigned a unique WhatsApp UPI ID which includes the phone number. This is used as a QR code for receiving the payment and is therefore linked to the UPI Id of the customer in his preferred Bank account based on the mobile number.

While using the system, the payment link will immediately open the UPI app and the instruction is re-directed to the user’s Bank. The user’s Bank sends the payment to the WhatsApp assigned UPI ID of the contact and at the destination this UPI ID has to be converted into the personal UPI ID of the contact through the intervention of WhatsApp.

The WhatsApp payment server (which could be different from the message server) therefore may be involved in converting the assigned UPI IDs of the users to their real UPI IDs in their respective Banks and vice versa. The rest of the transaction is handled by the Banks.

The initiation of the service is therefore like an authority to operate the Bank account for a limited purpose. However, the Customer may not realize that he is the Principal and WhatsApp is his agent for execution of the transaction. Since he inputs the PIN directly, we presume that it is not visible to WhatsApp. But WhatsApp is forcing the user to use the UPI app, which he may not otherwise wish to use. It also holds several permissions and therefore it is not clear whether the transaction data is visible to the WhatsApp server.

The “Request for Payment” prompts the issue of the payment instructions from the sender of the payment.

The authentication for the transaction is the 4-digit PIN set by the customer for his UPI account with the Bank, which is neither a digital signature nor a complex password. The only additional security that can be expected is the link to the mobile device and perhaps the SIM number. The mobile device therefore becomes critical to the security and, if the device is lost, there is every possibility of the compromise of the entire Bank balance one may have in the multiple Banks to which the mobile has been registered.

By this convergence of messaging platforms with the Banks, the financial risks have multiplied. At the same time, these UPI based systems have been designed in such a manner that the partner Banks of WhatsApp are acting as “Undisclosed Agents” of the front end messaging companies. Whenever there is a fraud, which is inevitable in a financial transaction, the consumer will therefore be searching to find out who is responsible for the fraud.

For example, in the WhatsApp Pay system there are 4 Banks involved in the back end (one each for the payer and the payee, and one each for the WhatsApp accounts of the two parties, held with Banks partnering WhatsApp). Additionally, NPCI is involved as the switch and WhatsApp as the front end at both the payer’s end and the receiver’s end. This is not disclosed in the Privacy Policy and no specific privacy policy is attached to this service.

The above diagram roughly suggests the institutional architecture of the WhatsApp Pay system.

A fraudster can execute a fraud at any of these 8 points. A WhatsApp Spyware can compromise either of the two ends of WhatsApp, trojans can compromise the traditional banking channel and the NPCI switch can be compromised by any other malware. The net result of the manifestation of any of these vulnerabilities is that an unauthorized payment occurs and money is debited from the payer’s account.

RBI needs to confirm who will hold the liability for such frauds and whether the “Limited Liability” system applicable for other online frauds also applies for WhatsApp pay kinds of payments.

The Banker Customer relationship is between the Payer and his Bank and hence the liability for the unauthorized payment will first fall on the Paying Bank. This has to be clarified by the RBI.

Unfortunately, the Bank would be in the background and the victim of a fraud would first try to contact WhatsApp to report the fraud. At present WhatsApp has not made any provision for reporting of disputes along with the payment message. (P.S: Google Pay seems to have made such a provision.)

Hence the victim may be required to run from pillar to post to lodge his complaint and get his money back. Everybody will pass the buck and the victim would be told that he alone should be responsible for the fraud because every other organization has international level security while the user is ignorant, negligent and must have clicked a wrong button etc.

At present the liability of Banks for phishing frauds has been determined on the principles set by the S Umashankar Vs ICICI Bank case, which was decided at the Adjudicator’s level and confirmed at the TDSAT level, under ITA 2000. It has been held that under Section 43(g), non-adherence to security measures mandated by RBI would amount to “Negligence” or “Lack of Due diligence”, which legally becomes “Assistance to another for committing a fraud”. (See TDSAT Judgement here).

The principle established by this judgement places reliance on the RBI as a regulator to set the security standards. Additionally, any other guidelines available under law would be applicable. Here Section 43A of ITA 2000 and the reasonable security practice mentioned therein become relevant. The Due diligence mentioned under ITA 2000 now extends to the draft Personal Data Protection Bill 2019, which may soon become law and substitute Section 43A.

Thus while settling the liability under the WhatsApp fraud, it would be relevant to invoke the provisions of ITA 2000 and PDPA of India under which WhatsApp would be a Data Fiduciary and all other agencies will be either Data Processors or Joint Data Fiduciaries.

At present WhatsApp does not have a Privacy Policy as required under either PDPA or ITA 2000. RBI has not been transparent about the details of the arrangement with WhatsApp apart from the total limitation of about 20 million users.

In particular we need clarification on whether RBI has exempted WhatsApp from the data localization principle or other due diligence requirements. We also need to know if RBI has flagged the risks to consumers and built any safeguards such as mandatory Cyber insurance.

In the meantime WhatsApp must make efforts to be compliant with PDPA on the basis of the current draft bill and upgrade it as and when the Act is finally passed.

It would be better for the Governor of RBI to come up with an assurance to the Country that the risks of allowing UPI based payment systems by the global giants have been properly assessed and adequately mitigated.

We therefore suggest that RBI should come up with a “Master Circular” to clarify how this system of payments operated by private, non-licensed Fintech players like Google, WhatsApp, Flipkart, Amazon etc. works, along with the Banks’ responsibilities and the Customers’ rights.

Naavi


Mumbai Police have rattled the Data Protection Law in India

The way Mumbai Police has handled the Republic TV case with

- the reopening of a closed case,

- treating what possibly was a murder as a suicide,

- bringing in the abetment link for a business contract dispute,

- deliberately misreporting the TRP report submitted by a market research agency to substitute one channel for another,

- arm twisting witnesses by visiting them in the night,

- bringing pressure on the research company to change its report,

- arresting the editor of a TV channel,

- moving him into a jail with criminals,

- assaulting, intimidating etc.,

is a Bollywood script which would have been a blockbuster movie and could have been titled “Singham the new Don”.

This could perhaps qualify as a human rights and freedom of press issue. However, since Human rights are normally available only for terrorists and the freedom of press is available only to a privileged class of journalists, this case is perhaps not eligible for the activists who are normally interested in taking up such issues, and they remain in a self-imposed silence.

We also presume that the hands of the Central Government are tied and that the High Court and Supreme Court, which open their offices in the middle of the night to hear the Yakub Memons, now want to enjoy their well earned weekend holidays and take their own sweet time to hear a case of this nature.

Since even Mr Subramanian Swamy or Mr Modi or Amit Shah have found themselves helpless in the matter, it is unnecessary for us to express any view on the matter.

We can only say ‘Jai Ho’ to our democracy which enables a party like Shiv Sena to win an election on the strength of its association with BJP and later associate with Congress, form the Government and do what it wants.

Our concern here is only what all this means for the Data Protection industry, which we need to discuss.

Impact on Data Protection Industry

As we all know, there is a provision in laws such as GDPR that if the regulatory agency of a country finds that another country has acceptable data protection measures, then under the “Adequacy” clause, personal data can be transferred from the host country to the destination country without the restrictions otherwise imposed in this regard. As a result, in order to preserve the data processing business coming from the EU region, most countries strive towards meeting the requirements of GDPR to gain the adequacy status.

The reason why nearly 130 countries are passing personal data protection laws is that it is the first step towards gaining the attention of EU authorities to even make a claim to the “Adequacy” status.

But as we recently found out, the EU demands a heavy pound of flesh to provide the “Adequacy” status. Nothing less than an abject surrender will satisfy the EU Courts, as was indicated in the Schrems II judgement of the EU Court of Justice. In this case, the US Privacy Shield, which was considered acceptable even by the EDPB, was rejected by the Court. The reason was that the Court felt the guaranteed assurances were unsatisfactory, since the Ombudsman was appointed by the President of the United States and Intelligence agencies like the FBI continue to have the right of surveillance over the personal data transferred from the EU for processing in the US.

The EDPB suggested that Data Exporters in the EU may get an assurance from the Data Importers through the Standard Contractual Clauses (SCC) in the agreement. But it must be recognized that a Data Importer in a country like India or the US cannot sign a contract which is in conflict with the local laws made either by the Parliament of the country or enforced by the national security agencies. Even if such terms are signed off in a contract, it will not prevent the local law enforcement authorities from invoking those laws, ignoring the contractual obligations.

Hence there is no way any country can satisfy the EUCJ regulations on Data Importer’s obligations without picking up a fight with the law enforcement agencies in the local area, which has become an existential risk for the company.

It is here that the Mumbai Police has established a precedent that it is the supreme law making body in the country and not answerable to anybody other than the party in power in the state. This will definitely be taken up as an argument against India in any international forum, when required, that in India the local Police (not even the CBI) have the ultimate call on what data they want to ask from a company and for what reason.

Any outgoing employee of an organization, or a contractor for whom the company refuses to settle dues for any reason, may commit suicide, and it is enough for that company to be on the radar of the Police for “Abetment to Suicide”.

It is time for all companies to scan their employee/contractor suicides and ensure that they do not point to any possible abetment charge. This will be a new “Threat vector” that security professionals need to consider.

As a result of this Mumbai development, the “Adequacy” and “SCC” are unlikely to be of any use for Indian Companies to establish a case for transfer of personal data.

The only credible option is to ensure that there is an explicit consent from every data subject for transfer of personal data for processing into India for which the Data Controller has to take necessary measures.

Thus the developments have rattled the Indian position on data protection in the global environment and will set us back by a few notches in the “Ease of Doing Business”.

What JPC on PDPB can do

In order to safeguard the Indian data protection industry, one precaution that the Joint Parliamentary Committee on PDPB 2019 needs to take is to prescribe in the PDPA of India that

“any offence either under PDPA or under ITA 2000 or other laws against data processing organizations shall be investigated only by a central investigating authority like the CBI and NIA with the concurrence of the Data Protection Authority”

In other words,

“Data” should be declared as a new class of “Asset” whose management and security does not fall under the jurisdiction of the state police.

The logic for this is that Data is an asset like “Spectrum”: it is neither movable nor immovable property, nor is it intellectual property or an actionable right.

Therefore, Data should be declared as a new and exclusive class of asset.

Just as there is a separate law for intellectual property, the Personal Data Protection Act should be regarded as the exclusive law for Data, which should be governed only under the directions of the Data Protection Authority.

This would mean that many provisions of ITA 2000 in respect of data related crimes should require permission of the DPA for the local police to investigate. This should be similar to the restriction that the local state Governments can impose on CBI investigation in the State which many of the states including Maharashtra, West Bengal etc have imposed.

Alternatively, Section 80 of ITA 2000 may be amended to make a “Central Cyber Crime Force” the sole police authority to investigate and prosecute Cyber Crimes.

Probably this will increase the efficiency of Cyber Crime management, since all Cyber Crimes are inter-state crimes if not international crimes.

This new definition of an asset class will be an innovative amendment that can be brought to PDPB 2019.

I hope JPC will take note.

What other State Governments like Karnataka can do

In the meantime, Naavi.org suggests that progressive State Governments such as Karnataka should undertake some special measures to provide assurance to the international data market that what happened or is happening in Maharashtra is an aberration and does not represent the way law is implemented elsewhere in the country.

We have to assure the international community that India is not a banana republic though Maharashtra has the right to be. We are a true federal democracy and tolerate states like Maharashtra as part of our democracy. We can assure that Karnataka is a “Data Angel” with special assurances for the data processing industry.

The least that can be done is for the state Government to give a press statement that what happened to the media companies like Republic and Hansa in Mumbai will never happen in Karnataka.

Along with such an assurance, the Government has to invite all those IT Companies like Infosys which were at one point of time unhappy with the Karnataka Government and shifted their expansion operations to Pune to come back to Bangalore.

It is time to reassure the IT industry that Karnataka shall be a safe haven for data processing companies, where there will be no interference from the State in the day to day affairs of a commercial organization, whether it is a media company or a data processing company.

This is therefore an opportunity for Karnataka Government and it should appropriately strategize to harness the opportunity.

Naavi


New Opportunities open up for India thanks to Singapore PDPA

With Singapore amending its data protection laws to increase the penalties for data breach to 10% of annual turnover, a window of opportunity has opened up for India to attract investments of data processing companies to India.

India presently is operating under the data protection regime of Section 43A of ITA 2000 and is not considered good enough for global companies to have their personal data processed in India. But once the Personal Data Protection Act is passed, India can on paper sport a data protection law which is on par with global laws.

At the same time, if some companies were considering setting up their operations in Singapore because there was a better industry environment there and a better “Ease of Doing Business”, they have been jolted by the recent amendment to PDPA 2012 increasing the penalties for data breach. The data breach risk will increase the cost of operations, with both the cost of risk mitigation and the cost of Cyber insurance going up, not to talk of the occasional data breach which may escape all security measures.

The recent relaxation of OSP guidelines from DOT is another major positive development which could also attract some fence sitters to consider India as their investment destination.

Hopefully, the PDPB 2019 will be passed without further delay so that Government can spread the word around about the better business environment in India and attract investments.

At the same time, developments in the State of Maharashtra have set the industry back by a significant margin, since the data protection industry looks for a law and order situation where law enforcement works to protect the industry rather than waging a war on the industry at the whims and fancy of the local Government and the Police. The inability of the federal Government and the Courts to intervene when it was required has put a doubt in the minds of international observers that if, tomorrow, a data processing company is in the bad books of the local political party or the Police, then neither the operations of the company nor the personal data entrusted to it for processing are safe from being vandalized by the State.

Mumbai being a commercial hub and Pune being an important IT hub, the impact of the developments regarding Republic TV would cast a shadow on the lawfulness of operations in the country. The developments have turned part of the country into a banana republic and, going by the Schrems II decision of the EUCJ, India will not be considered a country which the EU can rely upon.

In order to reduce the adverse impact of the Mumbai Police excesses, it is necessary for other States such as Karnataka to take extra efforts to assure the IT industry, and more particularly the data processing industry, that what is happening in Mumbai is an aberration and does not reflect the general status of lawfulness of industry operations elsewhere in the country.

Perhaps to take advantage of the two developments, namely the amendment of the Singapore data protection act adverse to the industry and the amendment of the OSP guidelines in India favorable to the industry, as also to cushion the impact of the misadventures of the Mumbai Police and Government, the neighboring Governments in Hyderabad and Bangalore may undertake special projects to attract IT investors to these states.

Perhaps special economic zones such as “Data Processing Zones” may be created for businesses involving the processing of personal data with support of employees working from home. Since the PDPB 2019 also provides that the DPA can notify a local data processing entity processing personal data of foreign citizens as being exempted from the PDPA of India, if the local state Governments provide the assurance to the industries that they are not like the Maharashtra Government and will not behave like Maharashtra is behaving in the case of Republic TV, then we can not only move some projects from Singapore to these states, but also move many projects slated for Pune and other parts of Maharashtra to Bangalore and Hyderabad.

Let us hope Karnataka Government seizes this opportunity and undertakes some programs on this theme during the Bengaluru Tech Summit due in the end of November.

Naavi


Security Incident Not Amounting to Personal Data Breach - Lupin Incident


Lupin Suffers Information Security Incident - Business Insider

The trend of continuing cyber attacks on pharmaceutical companies seems to continue with the latest incident report from Lupin Laboratories Ltd, even before the advent of the PDPA (Personal Data Protection Act of India), when companies will be expected to have better security oversight.

According to the sketchy reports available in the media, “Select IT Systems were affected”. The company has stated that the core systems and operations were not affected and that restoration of the impacted systems was underway.

Globally, it is known that a data breach in the Health Industry is expensive to a company (according to a study, the average cost of a data breach in a Pharma company is US$ 7.3 million). At the same time, the Health care industry is not so good in its IS practices, as indicated by a study which states that it takes nearly one year to track down a Cyber Security issue in such a company. Hackers consider the Health care industry to be a gold mine because stolen health data may carry a price of around US$ 1000 per set on the dark web. There is no surprise that most data breaches (nearly 50%) are due to malicious attacks.

While this situation is global, India is on the cusp of passing the PDPA and the current times may be the last opportunity for hackers to catch a negligent company.

First it was Breach Candy hospital. Then it was Dr Lal Pathlabs and Dr Reddys. Now Lupin. Maybe others will also experience, or have already experienced, hacks yet to be identified and revealed.

Hopefully, Industry would wake up and fortify its defenses when the law is yet to impose the kind of fines that would be common place when the PDPA comes into operation.

We know that currently Indian law, as in ITA 2000/8, has Section 43A which expects companies holding sensitive personal data to maintain “Reasonable Security Practice”. Even those companies which are not handling sensitive personal data are liable under Section 43, along with other sections including Sections 66 and 72A, to ensure that “Prudent Security” is always available to protect data which has implications for the shareholders or the public.

Fortunately, the implementation system currently is too weak to make the companies jump up and such incidents get buried from our memory soon.

We need to however take notice that so far we were considering that “Administrative fines” under GDPR and the proposed Indian PDPA at a maximum of 4% of global turnover as deterrent enough. But Singapore has come up with a shocker of an amendment in which the administrative fine in respect of a personal data breach can be as high as 10% of the turnover.

Considering the frequency with which data breaches are getting reported, if such fines are really imposed, many companies may need to file for insolvency if confronted with a single data breach incident. In fact the “Risk of Doing Business in Singapore for a Company processing personal data” has now taken a quantum leap. This means Cyber Insurance costs in Singapore and salaries of DPOs and CISOs will also jump through the roof.

We must however recognize that “Breach of Personal Data” is different from “Breach of Non Personal Data”. Many security incidents including ransomware attacks may stop at the level of denial of access or a compromise without exfiltration of personal data. Such “Information Security Incidents” may not qualify for the “Personal Data Breach” and hence may not come under the jurisdiction of the Data Protection Authority or the Supervisory Authority or the PDPC. It may just be a “Cyber Crime Incident” where the victim has to claim his personal loss as a damage and Police will have to pursue the crime incident.

It will therefore be necessary for us to classify the “Security Incidents” as involving or not involving personal data. Similarly the Cyber Insurance contracts need to distinguish the incidents as “Personal data Breach”, “Sensitive personal data breach” and “Non personal data breach” and fix premia and coverage separately.

Under IPC we have different offences such as “Murder”, “Culpable Homicide Not amounting to Murder” and “Causing death by Negligence not amounting to homicide” etc., with different punishments.

Similarly, the Data Industry needs to recognize different types of Data Breaches and ensure that a breach which is a non personal data breach is not reported wrongly as a personal data breach to a Personal data regulator, and vice versa.

At the same time, the law is vague enough and Police like in Mumbai can have such innovative interpretations that most data breaches may fall under both Personal Data and Non Personal data breaches and hence companies need to prepare themselves for this new regime of Data breach Oversight from the Police and Personal data regulatory agencies.

Naavi


Singapore PDPA amended… Fines can be 10% of turnover

Singapore passed some key amendments to the Personal Data Protection Act 2012 establishing a new norm for administrative fines at 10% of turnover.

Now companies with turnover exceeding Singapore dollar 10 million per year that are responsible for data breaches face financial penalties of up to 10% of their turnover or Singapore dollars 1 million, whichever is higher. For companies with turnover less than S$10 million the maximum penalty remains at S$1 million.

Additionally 

a) New offences related to the mishandling of personal data have been introduced

b) Deemed consent provision has been expanded

c) New Exceptions have been introduced in consent requirement

d) New Data Portability obligation has been introduced

e) Spam Control act has been expanded to cover instant messaging platforms.

f) In addition to the increase in the fines related to data breaches, breach notification has been made mandatory

g) The applicability of the law has been extended by removing the exemption for organisations acting on behalf of public agencies

New Offences

The new offences introduced include:

  • any unauthorised disclosure of personal data that is carried out knowingly or recklessly;
  • any unauthorised use of personal data that is carried out knowingly or recklessly and results in a wrongful gain or a wrongful loss to any person; and
  • any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly.

(This does not include public officers, who are subject to the Public Sector (Governance) Act 2018.)

It will also be an offence for a person to fail to:

  • comply with an order to appear before the PDPC or an inspector of the PDPC;
  • provide a statement in relation to any investigation; or
  • produce any document specified in a written notice.

Deemed Consent

The definition of “deemed consent” is expanded to include:

  • for contractual necessity, i.e. where data processing is reasonably necessary to perform a contract; and
  • where individuals have been notified of the purpose of the data processing and given an opportunity to opt out.

Exceptions

New exceptions to the consent requirement are being provided in the following instances.

Now consent will not be required where the legitimate interests of the organisation and the benefit to the public (or any section thereof) together outweigh any adverse effect on the individual.

This could include where data is processed for the purposes of detecting or preventing illegal activities (e.g. fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services.

Organisations must, however, conduct a risk and impact assessment and disclose any reliance on legitimate interests, and they cannot use this provision to send direct marketing messages to individuals.

There will be a business improvement exception to consent, where there is a need to:

  • carry out operational efficiency and service improvements;
  • develop or enhance products/services; or
  • know more about the organisation’s customers.

The use of personal data must be what a reasonable person would consider appropriate in the circumstances, and the data must not be used to make a decision that is likely to have an adverse effect on any individual. This exception also applies to a group of companies, including subsidiaries within an organisation.

Also, the research exception to consent will be available, provided that, among other things:

  • the use of personal data or results of the research must not have an adverse effect on individuals; and
  • results must not be published in a form that identifies any individual.

There will also be an exception for institutes carrying out scientific research and development, or arts and social science research, and for market research aimed at understanding potential customer segments. However, disclosure for research purposes will continue to be subject to more stringent restrictions relating to impracticality and public interest.

Additionally, the scope of the business asset transaction exception in the PDPA will be extended to the personal data of independent contractors, in addition to that of employees, customers, directors, officers and shareholders of the organisation.

Data Portability

A data portability right will now be available to individuals, giving them the right to request the transmission of their data to another service provider.

An organisation’s portability obligation will only apply to:

  • user-provided data and data on user activity held in electronic form, including business contact information; this data may include third-party personal data where the request is made in the requesting individual’s personal or domestic capacity;
  • requesting individuals with an existing, direct relationship with the organisation; and
  • receiving organisations with a presence in Singapore; however, data portability could subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.

The PDPC will work with industry and sector regulators to establish and set out further requirements under regulations, including the following.

Exceptions to the data portability obligation will be provided, similar to those for the access obligation.

Personal data that is derived by an organisation in the course of business from other personal data will not be covered by the portability obligation.

Refusals of porting requests must be notified to individuals, together with the reasons for the refusal, and within a reasonable time. The PDPC will have the power to review these refusals and any fees for the porting of data.

Data retention

Organisations will be required to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the individual has exhausted their right to apply to the PDPC for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.

Spam Control

The Spam Control Act 2007 will now cover the bulk sending of commercial text messages to instant messaging accounts. ‘Do not call’ (‘DNC’) provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.

Third-party checkers will be required to communicate accurate DNC register results to the organisations on behalf of which they are checking the DNC register, and the checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the PDPA, as opposed to being enforced as criminal offences.

Accountability

There will be a higher level of accountability for organisations, which will be expected to demonstrate compliance.

Thus the law in Singapore has become more stringent and, at the same time, has brought in more clarity.

Naavi

Details of the amendment are available here

Posted in Cyber Law