New year, new regulations: where Singapore stands with privacy regulations

As the global privacy compliance landscape evolves, are we ready to adapt to the needs of the digital economy?

Personalisation is the lifeblood of the modern-day digital advertising industry. Beyond the traditional boundaries of broadcast and print, the battle for short-term recognition as much as long-term loyalty has been largely predicated upon the extent to which advertising is effectively customised. From clicks indicative of online browsing habits to swipes and check-ins on mobile applications, consumer data provides a valuable insight into user preferences and profiles. And yet, according to a 2017 PwC report, the advertising and marketing sector is suffering from a severe shortage of trust, ranking as one of the least trustworthy industries around the world.

But how does this narrative play out in Singapore? According to a recent Microsoft study, locals expressed that trust in digital services is measured by the metrics of privacy and security, rather than intent. With existing data privacy regulations in place since 2012, further reform has been catalysed by the EU’s landmark enactment of its General Data Protection Regulation (GDPR) in 2018. More remains to be seen with upcoming data protection legislations being strengthened in the region––ranging from those enacted by Thailand, Indonesia, and India. Meanwhile, to the West, the impending California Consumer Protection Act (CCPA) and the Consumer Online Privacy Rights Act (COPRA) in the United States is equally likely to have global implications. As such developments prompt a re-evaluation of data collection, storage, and analysis practises within a competitive global economy, businesses have been forced to face a new reality: any digital business is fundamentally a global business––are Singaporean organisations ready to adapt to this wave of change?

A collaborative environment
With government policies centred around championing innovation, Singapore has taken a progressive approach to harnessing the full power of data, largely spurred on by its Smart Nation Initiative, which hoped to spearhead a digital-first vision of the city state. With a business-first attitude towards infrastructural developments in mind, commercial access was granted to the MyInfo database, a key first step in establishing a national digital identity profile. With its catalogue of vital information on citizens and residents in the country, businesses would be able to benefit from "greater efficiencies whilstallowing for a more intuitive user experience for their customers." Whilst such an emphasis on data gathering practises gesture towards its significance in the makings of a smart nation, they pose critical questions about the extent to which operational efficiencies ought to take precedence over access to personal data.

To address this, Singapore’s Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC) jointly proposed a Trusted Data Sharing Framework in June, in order to offer a common standard of data sharing practises whilst addressing regulatory, technical, operational, and organisational considerations, in line with the PDPA. With the intention of promoting “human-centricity by-design right from the beginning” goes to show that the needs and protection of citizens must remain at the heart of such efforts.

In fact, recent local regulatory developments have paved the way for greater operational efficiencies. Earlier this year, the PDPC introduced data sharing agreements, enabling organisations to share personal data with other organisations within a regulatory sandbox, thus enjoying exemptions from certain obligations under the PDPA. Central to this data sharing agreement lies PDPC’s novel idea of monitoring the ground, and predicting how proposed changes to the PDPA might work in practise before amending data protection laws accordingly.

Despite this calibrated approach that encourages innovation, businesses across Singapore’s digital media sector continue to fall short. In June 2019, Southeast Asian ride-hailing giant Grab was fined SG$16,000 by the government under its Personal Data Protection Act (PDPA) for leaking customer data in an email marketing campaign. Towards the end of the summer, advertising firm O2 Advertising was fined SG$10,000 for inadequately securing the personal data of over 1,000 consumers and for inappropriately retaining access to data sets despite them no longer being in use. Such cases speak to a mindset not unique to the country, largely shaped by an attitude of data maximalism––the more, the better. In a bid to better serve customers, perhaps we’ve lost our way.

A step further
Indeed, no matter how enterprising and innovative, a pro-data position is not without its faults. Despite the benefits to be reaped from a collaborative data sharing system, the ongoing shift in global opinion surrounding personal data protection rights calls for regulatory frameworks that prioritise the rights of users rather than enterprises. Especially in Singapore, where existing legislation appears to falls short when compared to far more stringent Western legislative models such as GDPR and the incoming CCPA and COPRA, the application of emerging technologies may have the potential to take regulatory compliance further.

Despite existing systems such as MyInfo, blockchain, on the one hand, can be leveraged to put control back in the user’s hands. With GDPR, COPRA, and CCPA as a model, the right to data portability is one of the fundamental individual rights outlined in these frameworks, enabling users to obtain and utilise their personal data for their own purposes across different services and platforms. Currently, this right to data portability is being contemplated by the Competition and Consumer Commission of Singapore (CCCS) and the PDPC. A discussion paper from both organisations acknowledges several benefits of introducing this right, such as lower transaction costs, optimised use of data, as well as reducing frictions of data movements. If implemented, blockchain may further actualise these benefits of data portability without revealing the data set itself, ensuring that only the data that is actually needed, is ever shared. In this case, only its cryptographic hash would be exposed to the network, complying with the right to deletion.

Perhaps, more than anything, blockchain’s most valued quality lies in its ability to support a far more secure data collaboration framework, owing to its inherent inalterability as an immutable ledger. For local businesses to adapt to comparatively more holistic frameworks abroad, blockchain can be used to track and manage consent between individuals, data processors, and data controllers, ensuring that records are consistently up to date. Additionally, blockchain can also help to ensure that these records are not retroactively manipulated, thereby ensuring the provenance of data and consent. Whether across applications of data in digital marketing or in the financial services sector, the ability to ensure that data is verifiably authentic will be essential as we continue into the digital age.

Future-proofed, future ready
No longer limited to physical boundaries and geographical fault lines, Singapore will need to ensure that its local privacy compliance frameworks are not only designed with its people in mind, but with the needs of an ever-changing global economy. With only a meagre 17% of consumers believing that the use of data to tailor advertisements is an ethical practise, the industry has been confronted with a need to re-evaluate its practises. Though not limited to the digital marketing sector, the past year alone has already seen a record high of PDPA violation notices for businesses operating in the country. Indeed, there are lessons to be learned from notable breaches around the world or past incidents of data misuse as a means of manipulation––despite the benefits to be reaped by way of efficiency, such a reliance comes with calls for greater accountability.

As the country continues to position itself as an innovation-forward tech haven, Singapore will need to ensure that its businesses are ready to contend with the fundamentally global nature of the commercial landscape, primed to address the concerns of the digital economy.