Francis Zhang, who leads the Policy team at the Personal Data Protection Commission (PDPC) of Singapore, joined Grab’s public policy podcast series, Grab Conversations on Air, for a mini four-part series on Data Protection.
Speaking with Shivi Anand, Grab’s Regional Public Policy Manager, they discuss Singapore’s regulatory perspectives on Data Protection.
Transcript of podcast
Today we have with us Francis Zhang. Francis leads the Policy team at the Personal Data Protection Commission (PDPC) of Singapore. He is also a member of the Singapore Legal Service and is experienced in data protection laws and regulations for both public and private sectors. The Policy team at the Personal Data Protection Commission develops and refines the Personal Data Protection Act’s (PDPA) policies and Singapore’s cross-border data strategies to support data sharing across the economy and across borders. Welcome to the show Francis.
Hi Shivi, thanks. Good morning. Thanks for the introduction.
Thanks so much for joining us today. It’s great to have you here. Could you give us a quick background of your work in data protection in Singapore and the Southeast Asia region more broadly?
In PDPC, I lead the Policy team. We develop and refine policies relating to the PDPA as well as cross-border data flow strategies. When it comes to how data in Singapore can be transferred overseas, including this region (SEA), my team and I look into policies and strategies relating to this as well.
Got it. That sounds great. Let’s get started with the conversation. There have been discussions at length about the free flow of data across borders enabling key digital services like international payments and online order fulfilments. Despite the key enabling role that cross-border data transfers play, the regulation determining its use varies widely across different countries in the region. Some require data to be stored locally within the physical jurisdiction of the country, and other countries have allowed trusted, open cross-border data flows in and out of the country. Where does Singapore fall on this spectrum of cross-border regulation? And what is your view on the benefits and challenges of this position?
Before I answer that question, let me talk a bit about the PDPA and PDPC’s role. In Singapore, the reality is that we need the digital economy and because of that cross-border data flows are important to us. We think it should not be unduly restricted, although countries can impose certain regulations and restrictions based on legitimate policy objectives. But by and large the cross-border transfer of data should be allowed as long as there are safeguards in place. PDPC focuses not just on data protection but also data innovation. We want businesses to use data, including transferred data, in a safe and legitimate way but also allow them to innovate. In fact, the PDPA takes a balanced approach; for example if I look at Section 3 of the PDPA (for those listening, the PDPA can be found on Google via PDPA Singapore Statutes, which would be one of the first few results), this balance is actually reflected there. Let me just read it out: “The purpose of this Act is to govern the collection, use, and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use, or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances”. So there is this balance between the rights of individuals and the needs of organisations. It is not purely about data protection but also the use of data to help businesses.
This approach is also reflected in our safeguards for transfer of personal data outside of Singapore, as seen in Section 26 (transfer of personal data outside of Singapore). It is quite general. It says “an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act”. And what follows are the restrictions we impose on transfer “…to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act”. We want personal data to be transferred as long as there are protections in place to ensure that if it is sent overseas, it is protected to an equivalent standard to the PDPA. Section 26 is quite broad, but you can actually look at what the ways/measures are to ensure you comply with this obligation, which are in the Personal Data Protection Regulations, subsidiary legislation under the PDPA.
Under the PDP Regulations, if you go to Regulations 10 and 11, there are transfer mechanisms – ways that companies in Singapore can use to transfer data overseas. There are a few mechanisms that are available.
- You could rely on binding contracts. For example, as a business in Singapore if you transfer personal data overseas, you have a contract between you and the recipient, and that contract imposes obligations on the recipient to safeguard personal data with that which is comparable to the PDPA.
- We also allow binding corporate rules; this is an intra-group transfer, where you belong to a group of companies and are transferring to another entity in the same group. You can rely on binding corporate rules, and there are certain requirements that the rules need to comply with, which can be found in the regulations as well.
- We also have something called certification, and this is really talking about the APEC CBPR, or the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules. Basically, a few countries have signed up to this and we have agreed to implement this and allow our businesses to be certified. Once a business is certified, for example, a business in Japan is certified to be compliant with APEC CBPR, then a business in Singapore can transfer personal data to that recipient in Japan by relying on the fact that the recipient has been certified and is APEC CBPR compliant. So that is also a basis to satisfy Section 26’s transfer obligation under the PDPA.
So actually we have a range of mechanisms to allow businesses to transfer data, and the intent is to facilitate the transfer of personal data for legitimate uses, and that’s why we have a range of mechanisms.
Thanks Francis. That sheds a lot of light on some of the tools available to businesses today to successfully transfer data across borders and ensure that data is safeguarded. So you mentioned contracts, you mentioned certification, and also at the country level the cross-border privacy rules which help safeguard data across borders, especially between certain countries that are signatories to the CBPR.
Since we’re now touching on regulations or frameworks at the regional level, what is your assessment of other tools available at the Southeast Asia regional level? What do you think is the current status of such regulation in other countries in Southeast Asia that are looking at either enabling or restricting the flow of data across borders?
For the landscape of ASEAN, we are not very aligned with regard to data protection laws. So we have some countries without a data protection law, or rather without a consolidated data protection law. They might have sectoral laws regulating certain sectors but not legislation that talks about data protection at a nationwide level. There are countries like that, and then we have countries like Singapore, the Philippines, Malaysia and Thailand, which have proper data protection structures. That is not to say that those countries without data protection laws are inferior, or don’t have laws in place. But because of this mismatch we can’t really compare our laws across ASEAN.
But at an ASEAN level we have a few things in place to ensure there is some consensus on data protection.
- One is the ASEAN Framework on Personal Data Protection; this is a document that all ASEAN member states have agreed to. If you Google it, you’ll be able to find the document. So basically we agreed on principles, so even though some of us do not have data protection laws, we agree on the principles of personal data protection. So what are the principles? Principles on consent, notification, purpose limitation, accuracy of personal data, security safeguards, the rights of individuals to access and correct personal data, the retention of personal data and limitations on that, accountability of businesses, as well as data transfers i.e. what kind of safeguards do we need on transfers to another country or territory. So we have consensus on the principles, and in fact, these principles were based on the APEC Privacy Framework, which was in turn based on the OECD Privacy Principles. So in a way, you can say that the ASEAN framework on personal data protection is based on OECD principles. So at a very high level, we have this ASEAN framework where member states have agreed to these principles.
- But practically, we have something called the ASEAN MCCs, the Model Contractual Clauses, which were also agreed to by Member States. So this is actually very useful, and if you Google ASEAN MCCs you should be able to find the document issued by ASEAN containing the contractual provisions. PDPC also has a guide on how to use the MCCs, which should be available on the PDPC website. These MCCs ensure that there is a baseline standard of protection when a business in member state A transfers data to member state B within ASEAN. The contractual provisions ensure that there are contractual obligations on safeguarding the personal data that is transferred.
So that is the first objective – to have a baseline standard of protection, even though at the Government level there might not be an alignment of data protection laws. The second objective is, if there is a data protection law (for example, in Singapore you have the PDPA Section 26 transfer limitation obligation), the ASEAN MCCs can be a way for businesses to satisfy these transfer limitation obligations. In Singapore, as I mentioned earlier, to satisfy Section 26, one of the ways is to rely on contracts, so if you use the ASEAN MCCs’ contractual provisions in your contract between you and the recipient, you would have satisfied the PDPA Section 26 obligation. So that is the practical way at the ASEAN level in which we help businesses to assure the governments that, with these contractual obligations in place, personal data has a baseline standard of protection.
- Maybe I will touch on something called the data management framework. This goes beyond contractual obligations and reassuring the government, but it is really about helping businesses. So the ASEAN Data Management Framework, or the ASEAN DMF, is a guide for businesses and particularly SMEs to put in place a data management system. In a way, this is about accountability. The DMF will raise the knowledge and competence of ASEAN businesses in managing data and help them to comply with personal data protection requirements while enabling them to use data for business growth. And there are six foundational components under the DMF. If businesses are interested again, you can easily find this online by Googling. The ASEAN Data Management Framework is a very comprehensive document on how businesses can be guided to have their data management system in place so as to equip them with the knowledge and processes that they need to put in place which would then increase consumer trust.
Got it. Singapore is considered a very business-friendly country, particularly for entrepreneurs and tech startups. So it’s very heartening to hear that there are so many tools available for young entrepreneurs as well as startups to make sure that their cross-border data transfer mechanisms are aligned with not just regional benchmarks, but also international benchmarks like the OECD’s, as you mentioned. To round it up, the DMF, or data management framework, is a resource that’s available to small and medium-sized businesses out there for them to organise their data within the company, as well as model contractual clauses which can be built into their contracts to ensure that data transfers that are happening internationally abide by the law. So I think that’s really useful information for any listeners out there who are looking to start businesses in the data economy space and also for existing startups out there. You also mentioned that there’s a lot of harmonisation and cross-cutting effort across the region to make sure that data transfers, as well as data protection in general, are at a very high standard.
I want to touch on another important aspect of cross-border data flows. For data transfers to happen in a trustworthy manner so that end-users are comfortable with it, they need to be ensured that the privacy of their data is maintained. Can you talk about any tools that governments in the region have developed to promote and guarantee data privacy and security?
The way that Singapore has done it, besides the PDPA, which has 10 or 11 parts/obligations, is that we also provide guidance to companies on how to anonymise data. So PDPC has issued a guide to basic anonymisation where you can learn about the different concepts of anonymisation as well as the techniques to do it. We also have a tool to help you anonymise data; it’s available on the PDPC website.
So related to anonymisation, some companies (the bigger ones), or even the universities or research centres, have increasingly done more research and development into something called privacy enhancing technologies (PETs). So these are basically anonymisation techniques, and a lot of such techniques are actually available commercially, with even more coming in the pipeline. And really these are techniques you can use, in a way, to shift your personal data into an area that is not regulated by data protection laws, to take it out of the remit of the PDPA. So if your personal data is anonymised to an extent that it cannot really be re-identified, but it is still useful for your use cases, then in a way it is not regulated under the PDPA and so you have more freedom in what you can do with the data.
Let me just give you some examples of PETs. If you are unfamiliar with this area these would mean nothing to you, but for those who are familiar with this area they might sound familiar. So you have techniques like differential privacy, homomorphic encryption, federated learning and multi-party computation. These are very technical terms, but there’s a lot of research done in this area and some commercial solutions available as well. So in a way, this is a private sector led initiative, because the Government, if we really wanted to develop PETs, could provide funding but we do not have the technical expertise. So usually the bigger companies, like the digital giants such as Google and Microsoft, might have their own R&D on such techniques, because it is in their interest to ensure that data is protected and also to easily comply with data protection laws.
For Singapore, we recently launched a sandbox for PETs, and that is because, when we consult companies and talk to industry partners, we know that companies are aware of PETs but face deployment challenges, and we try to help. For example, there is a lack of benchmarks for PET solution providers, which may lead to difficulty for businesses in identifying and selecting the right solution provider. There might be a lack of knowledge about which PET they need to use and how to shape their use cases. And there might be a lack of clarity over compliance requirements. For example, if I use this PET for personal data use, is it compliant with the PDPA? So we came up with this initiative called the PET Sandbox to provide a testing ground for businesses to pilot their PET use cases. So we invited businesses to come forward, to present their use cases and their proposed solutions, and then we support them. How do we support them? We try to matchmake them with qualified PET solution providers that we have pre-identified. We even co-fund the pilot projects, and we provide guidance along the way to address questions and provide clarity on how they can comply with the PDPA. I’m not sure whether by the time this episode is aired the application period will be over, but it runs until 31st October 2022. If you Google IMDA PET Sandbox, you should be able to find a lot of information on this, and we really invite companies to come forward to propose solutions, and then we can see what the ways are in which the Government can help.
And I suppose across the region this is what Governments can look into – helping the private sector develop their tools because very often data protection regulators do not have the technical expertise to come up with such tools. So it is better sometimes to engage the industry to find out what is going on because businesses have the incentive to come up with such tools and technologies to help their businesses so they can make use of the data but also not fall foul of any regulations concerned.
That sounds like a great tool that’s available out there for businesses to go and test out. So do check out the Singapore government’s PET Sandbox. To conclude this conversation, I just have one final question: what are your views on how governments and companies can work together to further facilitate the trusted flow of data across borders as well as the privacy of data?
So regulatory sandboxes will be one; not just in terms of PETs, because even before this PET sandbox we had other types of sandboxes relating to data protection. So if you have a use case, a new business idea, product or service, and you’re not sure whether what you intend, i.e. how you deploy the product or service, will comply with the PDPA, we invite companies to come to us to seek guidance, and we have a framework in place in three stages. Depending on how we see your product or service, we will place you in certain categories, and we have varying levels of guidance on, or even recommendations on, how you can tweak your service, your product or your processes to ensure compliance with the PDPA. So that’s something that Governments and companies can work together on. So instead of companies launching a product or service on their own, and then the customers complain and regulators have to step in, from the start I think Governments and companies can work together to ensure compliance of any new technology, new business process or innovation, because businesses have to innovate to come out with new things. So if both parties, by both parties I mean Governments and companies, can come together and look at the new idea, concept or process, I think that will give companies assurance without impeding innovation. So that is one aspect.
Another aspect, and again I bring in this other ASEAN concept, is the ASEAN Digital Master Plan. You can Google for the document – it is a very long document on how ASEAN member states want to really expand the digital economy. One of the things is to equip businesses with digital skills. So in Singapore we have something called the SMEs Go Digital initiative. There are a lot of projects under that initiative to really help businesses. There are a few stages. At the base level there are certain businesses that have not even gone online or considered going online, so we help them go online, and in the process they know what the requirements for them are, for example cybersecurity baseline requirements – if they are collecting, using or disclosing personal data, how do they put in place proper safeguards. So in a way we are focusing on the start. We don’t wait till the breach has happened and then take action. We ensure that businesses have the skills and the policies and practices in place right from the start. And even if they haven’t considered it, we introduce programmes to ask them – “Okay, have you considered going digital? These are the things that you can do, and these are the schemes that you can apply for”. And then along the way, as we help them build their businesses, at the same time we are also ensuring that we have safeguards in place to comply with data protection laws as well as other requirements like sectoral laws. So, perhaps this is something governments can look at, working with companies right from the start instead of taking just a very pure regulatory approach.
Yeah, that’s fascinating. Lots of room for collaboration there, and I think some great ideas for other governments to also pick up down the line on how they can increase the conversation as well as input from companies and vice versa. So thanks so much, Francis, for this really interesting conversation and for shedding light on the regulatory view in Singapore on this very important topic. We loved having you on the show. Thank you very much.
Alright, thank you for that. Have a good day.