Singapore: Adopted Personal Data Protection Act (PDPA) including cross-border electronic data transfer

On 15 October 2012, the Personal Data Protection Act (PDPA) including cross-border electronic data transfer was adopted. The adoption and implementation of a legal framework that regulates cross-border electronic data transfers is the result of an obligation stipulated in provision 14.11(2) of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a trade agreement between Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. Section 26 of the PDPA restricts organisations from transferring personal data outside of Singapore. Specifically, section 26(1) states that an organisation cannot transfer any personal data to another country or territory unless it complies with requirements set forth under the PDPA. These requirements are designed to ensure that the personal data receives a level of protection comparable to what it would receive under the PDPA. An organisation may transfer personal data overseas if it ensures compliance with data protection provisions while the data is under its control. The recipient in the foreign country must be bound by legally enforceable obligations to provide a standard of protection comparable to the PDPA. These obligations can be imposed by law, contract, binding corporate rules, or other legally binding instruments. An organisation is deemed compliant if the individual consents to the transfer, the transfer is necessary for contract performance, it is in the individual’s interest, it is required for emergencies, the data is in transit, or it is publicly available in Singapore.