Singapore: Implemented Personal Data Protection Act (PDPA) including cross-border electronic data transfer

On 2 July 2014, the Personal Data Protection Act (PDPA), including cross-border electronic data transfer, came into effect. In particular, Section 26 of the PDPA restricts organisations from transferring personal data outside of Singapore. Specifically, section 26(1) states that an organisation cannot transfer any personal data to another country or territory unless it complies with the requirements set forth under the PDPA. These requirements are designed to ensure that the personal data receives a level of protection comparable to what it would receive under the PDPA. An organisation may transfer personal data overseas if compliance with data protection provisions is ensured while the data is under its control. The recipient in the foreign country must be bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. These obligations can be imposed by law, contract, binding corporate rules, or other legally binding instruments. An organisation is deemed compliant if the individual consents to the transfer, the transfer is necessary for contract performance, it is in the individual’s interest, it is required for emergencies, the data is in transit, or it is publicly available in Singapore.