Privacy & Cybersecurity Law Blog

On September 24, 2013, the Singapore Personal Data Protection Commission (the “Commission”) published guidelines to facilitate implementation of the Singapore Personal Data Protection Act (the “PDPA”). The Advisory Guidelines on Key Concepts in the Personal Data Protection Act and the Advisory Guidelines on the Personal Data Protection Act for Selected Topics provide explanations of concepts underlying the data protection principles in the PDPA, and offer guidance on how the Commission may interpret and apply the PDPA with respect to certain issues (e.g., anonymization, employment, national identification numbers). The guidelines are advisory only; they are not legally binding.

Despite having been established only recently, the Commission has been considerably active in issuing proposals for advisory and regulatory materials in preparation for next year’s implementation dates. In early February 2013, the Commission proposed advisory guidelines on selected topics and key concepts, and issued proposals for regulatory matters and for the operation of the Do Not Call registry. The Commission also has hosted events to help organizations develop an understanding of the PDPA ahead of upcoming implementation dates. The PDPA’s provisions establishing protections for personal data are scheduled to become effective on July 2, 2014. Certain other provisions establishing a Do Not Call registry will become effective earlier next year.

Singapore’s PDPA is structured to serve as a framework law: the law sets forth the minimum, fundamental rules necessary to establish a data protection framework. More detailed regulation on particular topics (such as whether particular information should be defined as “sensitive personal information” and whether more stringent rules should apply to such information) is subject to sectoral rulemaking. Accordingly, we can expect Singapore authorities to issue additional, more specific, regulations on a rolling basis.