Associate Professor Lim Yee Fen, Division of Business Law, Nanyang Business School, Nanyang Technological University (NTU)
01 Dec 2011
SR 607, Level 6, NTU@one-north campus, Executive Centre 11 Slim Barracks Rise (off North Buona Vista Road) Singapore 138664
During this EUC Research Seminar, Dr Lim Yee Fen presented her research on data protection in the EU which informed the Consultation Paper she submitted to Singapore’s Ministry of Information, Communication and the Arts (MICA) on the proposed laws for the protection of personal data in Singapore. Dr Lim’s conclusions were that Singapore’s proposed data protection laws are ‘extremely light-touch’, and she was of the opinion that the introduction of these laws will make little substantial difference, as the laws try to appease both businesses and consumers at the same time and do not address the fundamental principle of security.
The EU’s long tradition of human rights protection also extends to personal and digital privacy, and the right to the protection of personal data can be traced back to 1981, in the Council of Europe’s Convention 108 (the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data), which formed the basis for the EU’s Data Protection Directive (95/46/EC), what Dr Lim termed the ‘gold standard’ in data protection legislation.
She emphasized the importance of data protection laws from the security principle, and the implications they would have for both consumers and businesses. Specifically referring to the EU data protection and privacy regime, she noted that this also has implications for global trade because of EU’s importance as a trading power. Articles 25/26 of the EU’s directive have indirectly caused a global harmonisation of data protection modes as they carry implications on trade with the EU – countries with advanced levels of data protection legislation try to obtain ‘adequacy status’ for preferential treatment and access to the EU market.
Dr Lim made a comparison of some of the key regulations of the EU’s privacy and data protection regimes and those being proposed by MICA to underline her point that the proposals by MICA are too ‘light-touch’ and may not serve the interests of both consumers and businesses. While not advocating that Singapore should adopt the EU model whole-sale, she tried to point out why the EU set such a high standard, and the risks in the ambiguity of Singapore’s proposed legislation.
The most important principle in EU’s directive concerns the issue of explicit consent over what data are collected and for what purpose. The sharing of data while allowed is also strictly regulated.
For Singapore’s proposed legislation, the default position is that data sharing, and selling of data is permissible, leading to the question of control over the dissemination of personal data if one does not know who has this information.
Dr Lim also mentioned what she sees as some potential problems with Singapore’s proposed legislation as reasons she believes Singapore will not obtain ‘adequacy status’ in negotiations with the EU. These gaps include the lack of a breach requirement, the exclusion of the public sector from this law, the lack of special provision for ‘sensitive data’ and the extent of power given to the supervisory authority on data protection.
In closing she highlighted her view that the collection of more (especially unnecessary data) is also a liability for companies, and a security risk for individuals.