TMT 2025

SINGAPORE Law and Practice Contributed by: Lim Chong Kin, Drew & Napier LLC

by the Personal Data Protection Commission (PDPC).

There are cross-border data transfer restrictions in the PDPA. Under Section 26, an organisation must not transfer any personal data to a country or territory outside Singapore, except in accordance with prescribed requirements to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that given under the PDPA (the transfer limitation obligation).

The prescribed requirements, as set out in the Personal Data Protection Regulations 2021 (PDPR), require the transferring organisation to ensure that the recipient of the personal data is bound by legally enforceable obligations. These “legally enforceable obligations” include:

• any laws in the jurisdiction to which the personal data is transferred;
• contracts;
• binding corporate rules (BCRs); and
• any other legally binding instrument.

BCRs may be used for recipients that are “related” to the transferring organisation (eg, a parent company or subsidiary), whilst contracts may be used for data transfers to any party. In particular, BCRs and contracts must specify the countries and territories to which the personal data will be transferred under said BCRs or contract.

In addition, under the PDPR, an overseas recipient of personal data is taken to be bound by legally enforceable obligations to provide comparable protection for the transferred personal data if it holds an Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System or Privacy Recognition for Processors (PRP) System certification (which is granted or recognised under the laws of the country or territory to which the personal data is transferred). That said, transferring organisations that are seeking to rely on this transfer mechanism should ensure that they carry out the necessary due diligence to determine that the overseas recipient is indeed CBPR or PRP-certified under the laws of the country or territory in question.

Furthermore, the PDPC has published a chapter on cloud services in its non-legally binding Advisory Guidelines on the PDPA for Selected Topics, which clarify the application of the PDPA in respect of cloud services (the “Cloud Services Guidelines”). Specifically, an organisation should ensure that the cloud service providers (CSPs) that it engages only transfer personal data in accordance with the PDPA – namely, to locations with comparable data protection regimes – or otherwise have legally enforceable obligations to ensure a comparable standard of protection for the transferred personal data.

On 7 May 2024, the Cybersecurity (Amendment) Bill was passed in Parliament. The amendments have yet to come into force (as of 1 January 2025), but when they do the scope of the Cybersecurity Act 2018 will be expanded to regulate designated providers of cloud computing service. Cloud computing service is defined as a service delivered from a computer or computer system in Singapore or outside Singapore, that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations.

When the amendments come into force, such designated cloud computing service providers will have to, amongst others, provide cybersecurity information on the service to the Com-
