Professor Abu Bakar Munir
The Ministry of Information, Communications and the Arts of Singapore on 13 September 2011 issued a consultation paper on the proposed data protection regime for the Republic. Like other data protection laws around the world, the proposed law will have some rules concerning data processing. In many jurisdictions, the rules are called the data protection principles, which must be observed when organizations process personal data. The rules relate to transparency, collection, use, disclosure, protection, retention, accuracy, access and correction.
There will be two types of exemptions – total and partial. A total exemption means that the Data Protection law (DP law) does not apply at all. Three circumstances are mentioned in the consultation paper, to be exempted under this category. First, when personal data has been made available by a public agency to a specific organization or to the public generally. Secondly, processing of personal data in the course of a news activity and thirdly, processing of personal data in relation to an individual’s business contact information if it is solely for the purposes of enabling the individual to be contacted in relation to the individual’s employment, business or profession. Besides, the major exemption is on the public sector. The proposed DP law will govern only private sector organizations.
Unlike the data protection laws in other jurisdictions, the proposed DP law provides only two rights to an individual - the rights to have access and to correct the personal data. A Data Protection Commission (DPC) will be established to enforce the Act. The DPC will have powers to issue orders and to impose penalty up to $1 million for non-compliance or breach of the Act.
Interestingly, the approach to be adopted is “complaint-based”, which means that the DPC will investigate any case of non-compliance based on a complaint. Arguably, a complaint-driven enforcement may not be an effective way to enforce the DP law. The potential complainants may not be able to recognize breaches and are unwilling to complaint. These could be the obstacles to enforce the DP law effectively.
More interestingly, the proposed DP law covers only consumers’ data. The data protection law, however, is about privacy and individuals. An individual may or may not be a consumer. Restricting the application of the DP law only to consumers’ data may not be wise and judicious.
See my submission on the consultation paper at http://www.mica.gov.sg/DPconsultation/responses/Individuals%20%2810%29/Munir,%20Abu%20Bakar.pdf