Singapore Faces Changing Personal Data Sharing Policy Landscape as Country Joins Asia-Pacific Cross-Border Transfer System


Singapore has been busy on the data-sharing policy front.  The country’s privacy office, the Personal Data Protection Commission, July 27 released a comprehensive guide on data-sharing within and between organizations. But the guide became outdated on the same day it was published.

Dr. Yaacob Ibrahim, minister for Communication and Information, announced July 27 that Singapore had submitted its notice of intent to join the data-transfer privacy scheme, the Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System (CBPR). The CBPR system allows companies to more easily transfer personal data. It requires a country to adopt national data transfer procedures, including establishing an independent public or private sector accountability agent and a privacy enforcement agency. Companies can then apply to be certified under the scheme administered by a particular country.

Singapore would become the sixth APEC member to enter the CBPR system, joining Canada, Japan, Mexico, South Korea, and the U.S. Participation in the CBPR picked up steam in 2017, with South Korea joining in June and Japan enacting a new privacy law that used CBPR certification as an exemption on data transfers to a third country.

The 21 APEC member economies are home to approximately 2.8 billion people and represent approximately 59 percent of world gross domestic product, APEC says.

The Guide to Data Sharing walks data protection officers through the process of data sharing in compliance with Singapore’s Personal Data Protection Act, but doesn’t mention the CBPR. Manuel Maisog, a privacy partner at Hunton & Williams in Beijing, told Bloomberg BNA that the problem with the guide is that it doesn’t address how companies should approach transfers to companies that are already qualified under the CBPR.

The U.S. was the first country to enter the CBPR program. Since it joined in 2012, the U.S. has certified a handful of companies as being compliant with the CBPR rules, including Hewlett-Packard Co., Apple Inc., International Business Machines Corp.,  online video tutorial company Inc., Merck & Co., human resource cloud company Workday Inc., software company Yodlee Inc., and publisher Ziff Davis LLC.

The privacy office should update the guidance so that companies will see there are tangible data-transfer benefits from gaining CBPR certification, Maisog said.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.