Big disappointment that govt continues to be exempted from data protection law — Hafiz Hassan

JULY 18 — More than three years ago, I wrote that there was a need to review personal data protection law in the country.

The law is contained in the Personal Data Protection Act 2010 (PDPA).

The PDPA is based on a set of data protection principles applying in the European Union (EU) but with an important limitation. It does not apply to the federal government and state governments.

Legal scholars have long argued that for the sake of personal data protection, the PDPA should be extended to include personal data processed by the government.

The EU law on data protection is contained in the General Data Protection Regulation (GDPR) (Regulation 2016/679).

The GDPR provides for mandatory rules on how organisations and companies must use personal data in an integrity friendly way. Each organisation that processes personal data (which is every organisation with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR.

Article 3(1) of GDPR states that the Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, without exempting the government. “Controller” and “processor” include public authority ― Article 4 GDPR.

In the United Kingdom (UK), the Data Protection Act 2018 applies to “public authority” and “public body” for the purposes of protecting personal data, requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis, among others.

In Singapore, data management in the public sector is governed by the Public Sector (Governance) Act 2018 and the Government Instruction Manual on IT Management. The Personal Data Protection Act 2012, on the other hand, applies to the private sector.

There are therefore two different legal frameworks governing data management – one in the public sector and the other in the private sector. They are needed because there are different expectations of the services provided by the government and the private sector.

The Madani government, however, does not seem to share the need to use personal data in an “integrity friendly” or “lawfully and fairly” way even by the government or the need for a different legal framework governing data management in the public sector.

The Personal Data Protection (Amendment) Bill 2024, which was passed by Parliament on Wednesday (July 17), does not include amendments to extend the application of the PDPA to the federal and state governments.

It is a big disappointment that Digital Minister Gobind Singh Deo — a lawyer by training — has not grabbed the opportunity that the Bill presented to follow in the footsteps of the EU, the UK and neighbouring Singapore, and reform the law.