Everything you need to know about data portability, but is too troublesome to ask …

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.

The concept of data portability is something that I saw for the first time in the General Data Protection Regulation, the GDPR. The basic idea is that data portability gives individuals more control over their own personal data. It enables an individual to receive the personal data about them that an organisation has been processing and transmit it to another organisation.  

This may, for example, make it easier for an individual to transfer their business from one organisation to another more competitive organisation that offers them lower prices, without the individual having to go through a great deal of hassle in getting the new organisation familiar with their past history of transactions, preferences or other relevant factors.

Evidently, the Commission has been keen on exploring the concept of data portability in Singapore for at least a year and, quite possibly, much longer. It issued a consultation paper on it in May 2019 and received quite a bit of feedback. Now we see its final proposals in the form of data portability provisions in the draft amendment bill. The consultation document says that the data portability will give individuals greater choice and control over their personal data, prevent consumer lock-in and enable switching to new services.

To do this, the draft amendment bill would insert a new Part VIB – Data Portability into the PDPA. However, almost everything of substance under the new rules is yet to be 'prescribed' by regulation. Perhaps it is correct to say therefore that Part VIB establishes an outline for data portability. But the details are yet to be filled in and until that happens a Data Protection Officer cannot figure out what might need to be done to get their organisation ready for data portability.  

So that it is possible to keep track, each time the word prescribed is used, that is how I am going to show it!

What is the purpose of data portability?

The purpose of Part VIB of the PDPA is stated to be to:

1. provide individuals with greater autonomy and control over their personal data and
2. facilitate the innovative and more intensive use of specified personal data in the possession or under the control of organisations to support the development, enhancement and refinement of products and services provided by other organisations located or operating in Singapore or elsewhere.

What is the basic rule about porting personal data?

The basic rule is that an individual may give a porting organisation a data porting request asking it to transmit to a receiving organisation any applicable data specified in the data porting request. This basic rule applies only to applicable data that:

• is in electronic form on the date the porting organisation receives a data porting request relating to the applicable personal data and
• was collected or created by the porting organisation within the prescribed period before the date the porting organisation receives the data porting request relating to that applicable data

This basic rule does not affect any prohibition or restriction on the disclosure of any personal data in the possession or under the control of an organisation under any other written law (that is, under any law that is not the PDPA).

Immediately, we meet our first three uncertainties: 

• a 'porting organisation' means an organisation that is, or that belongs to a class of organisation that is, prescribed
• 'applicable data', in relation to a porting organisation, means any personal data in the possession or under the control of the porting organisation that is, or belongs to a class of personal data that is, prescribed
• the applicable data has to be collected or created by the porting organisation within a prescribed period before the data porting request is received

Without the legalese, this means that there has to be regulations made under the PDPA to 'prescribe' – that is, to identify:

1. organisations that will be porting organisations
2. personal data that can be ported and 
3. the timing for the collection or creation of that personal data

Are there geographic restrictions on data portability?

Yes. And no.  

A 'porting organisation' must be an organisation that is within the scope of the PDPA. This is because regulations made under the PDPA could not prescribe a 'porting organisation' that is not an organisation, as defined in the PDPA - any attempt to do so would simply be 'beyond the power' of the person or body / public agency making the regulations.  

The proposed Part VIB also defines a 'receiving organisation'. It means an organisation that receives applicable data from a porting organisation, where the organisation is:

1. formed or recognised under the law of Singapore or an applicable country or 
2. resident, or has an office or a place of business, in Singapore or an applicable country.  

You might spot that this is the same as the definition of 'organisation' in the PDPC, except for the reference to an 'applicable country'.

'Applicable country' means a country or territory outside Singapore that is prescribed. So, again, we come up against the need for regulations that could have the outcome that personal data can be ported by an organisation within Singapore to a recipient outside of Singapore. But we do not know which country or countries.

Note: When 'applicable countries' have been prescribed, porting organisations will need to keep the transfer limitation obligation under the PDPA in mind.

What does a porting organisation have to do when it receives a data porting request?

Subject to the rules below, a porting organisation must, upon receiving the data porting request, transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any requirements prescribed.  

If a porting organisation does not transmit any applicable data about an individual as requested, the porting organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the refusal.

Here are the rules to which this requirement is subject:

1. The requirement applies only if:

• the data porting request satisfies any requirements prescribed and
• the porting organisation, at the time it receives the data porting request, has an ongoing relationship with the individual - in determining whether an ongoing relationship with the individual exists, the porting organisation must have regard to any matters prescribed

2. The requirement does not apply if any applicable data about an individual relates to any excluded class of applicable data prescribed

3. The porting organisation must not transmit any applicable data about an individual if:

• the transmission of the applicable data can reasonably be expected to threaten the safety, or physical or mental health, of an individual other than the individual to whom the applicable data relates
• the transmission of the applicable data can reasonably be expected to cause immediate or grave harm to the safety, or physical or mental health, of the individual to whom the applicable data relates 
• the transmission of the applicable data can reasonably be expected to be contrary to the national interest
• the receiving organisation is, or belongs to a class of organisation that is, prescribed to be an excluded receiving organisation or
• the Commission directs the porting organisation not to transmit the applicable data

How is ported personal data of a third party treated?

The following rules apply where giving effect to a data porting request in respect of personal data about an individual (P) would transmit personal data about another individual (T) to a receiving organisation.

1. a porting organisation may disclose personal data about T to a receiving organisation without T's consent only if the data porting request:

1. is made in P's personal or domestic capacity and
2. relates to P's user activity data or user-provided data

2. a receiving organisation which receives from a porting organisation any personal data about T must use that personal data only for the purpose of providing any goods or service to P

Note that we meet two new concepts here that are defined in the PDPA for the first time:

• 'user activity data', in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual's use of any product or service provided by the organisation
• 'user-provided data', in relation to an organisation, means personal data provided by an individual to the organisation

Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.