The European Union's GDPR - A View from Singapore

The PDF version of this article is available for download here.


 

The European Union’s gdpr – a view from singapore

 

This article was first submitted for publication in July 2018, two months after the GDPR came into force. At the time of publication, the GDPR has not seen any further amendments.

 

Ong Kye Jing

 

 

Introduction

 

The European Union’s [EU] long-awaited General Data Protection Regulation[1] [GDPR] finally came into effect on 25 May 2018. The product of a decade-long legislative endeavour,[2] the GDPR promised a much–needed update to the EU’s Data Protection Directive [DPD],[3] the latter having been introduced when less than 1% of EU citizens were Internet users.[4]

The GDPR has gotten off to an exciting start. Complaints were filed within an hour of it coming into force,[5] as were billion-dollar lawsuits within the first 24 hours.[6] Consumers were subjected to a flurry of emails as businesses scrambled to secure fresh consent.[7] This anxiety is understandable: the GDPR empowers supervisory authorities to impose fines as high as EUR 20,000,000 or 4% of an organisation’s total worldwide annual turnover, whichever is higher.[8] Prior to this, maximum penalties had only amounted to EUR 3,000,000 in France and EUR 300,000 in Germany.[9]

An equally significant change is the GDPR’s theoretically–universal territorial reach. Applying the principle of lex loci solutionis, data controllers that (i) offer goods or services to individuals in the EU, or (ii) monitor their behaviour within the EU, could face obligations under the GDPR despite not being physically or legally established in the EU.[10] Processors (or data intermediaries) that handle such data may also face obligations, albeit of a more limited nature.

In other words, several Singapore–based organisations will now face dual obligations under both the GDPR and Singapore’s Personal Data Protection Act[11] [PDPA]. This article attempts to briefly but critically compare the approaches taken under each regime, with a focus on controllers’ obligations. Broadly, it will explore the themes of consent, purpose limitation and notification, and accountability.

 

Consent

 

Under the PDPA, controllers cannot collect, use or disclose personal data[12] without the data subject’s consent.[13] Under the GDPR, consent retains its privileged position. In fact, the GDPR goes further to stipulate that consent must be a “freely given, specific, informed and unambiguous indication of a data subject’s wishes”.[14] Each element deserves some scrutiny.

To an extent, the second and third requirements – of “specific” and “informed” consent” – are nothing new vis-à-vis the PDPA. Consent must be “specific” in that the controller’s exact purpose(s) for data processing must be explicitly delineated and sufficiently granular. And for consent to be “informed”, consent requests need to be communicated in clear and plain language, separately from other matters, and together with other relevant information like the controller’s identity, the data subject’s right to withdraw consent, and the possible risks of data transfers.[15]

One notable difference with the GDPR is that consent must also be “freely given”. Building upon the procedural ingredients above, this injects a substantive element to the test for consent. Data subjects must have a “genuine [and] free choice” and be able to “refuse or withdraw consent without detriment”.[16] A statutory presumption against freely–given consent will likely apply where (i) parties experience clear power imbalances, like in employment relationships, or (ii) separate consent cannot be given for different data processing operations.[17] Accordingly, controllers should (i) identify an alternative basis for processing where an imbalance exists, and (ii) seek standalone consent for each class of processing operations.

Finally, consent must amount to an unambiguous indication of the data subject’s interests. This requires a clear statement or affirmative act from the data subject;[18] silence, inactivity, and pre–ticked boxes do not suffice.[19] One might query whether such an exclusionary rule against apparent omissions unduly places form over substance. In this regard, the PDPA’s discretionary position towards opt–out clauses is perhaps preferable. Singapore’s Personal Data Protection Commission [PDPC] recognises, for example, that a data subject who leaves a clause stating “tick here if you do not wish your personal data to be provided” unticked, but who otherwise meticulously fills out and submits the remainder of an application form, could reasonably be said to have consented.[20]

Two further observations should be made:

First, the theme of fairness which underlies these requirements appears to feature even more prominently in the GDPR’s recitals. In particular, rec 42 stipulates that a declaration of consent “should not contain unfair terms”,[21] in line with Council Directive 93/13/EEC[22] on unfair terms in consumer contracts. Unfortunately, it is unclear how much weight ought to be placed on rec 42. Recitals are not substantive provisions in their own right, but mainly serve to explain the basis for legislation. Moreover, the GDPR does not expound on the manner and extent to which these provisions, which apply predominantly to the sale of goods, are to be transposed to data protection. Any attempt at directly transplanting these considerations into Singapore might entail an even further leap, given that European consumer protection standards and the law on unfair terms in Singapore might not be doctrinally compatible.[23] In short, rec 42’s practical significance remains to be seen.

Second, unlike the PDPA, the GDPR rejects the notion that consent can be deemed. Therefore, even if an individual voluntarily provides her personal data, for purposes she was aware of, and in circumstances where providing such data is reasonable, this alone would not constitute valid consent under the GDPR.[24] A controller seeking to legitimise such data processing should instead rely on another basis for processing.[25]

 

 

 

 

Lawful bases for proCessing

 

Apart from explicit consent, a controller can justify the collection, use or disclosure of data using one of five other bases enumerated under art 6 of the GDPR.[26] These have been adapted from the DPD, although EU Member States are now further empowered to introduce additional bases.[27] This is comparable to relying on one of the exceptions to the Consent Obligation under the PDPA.[28]

Most GDPR bases and PDPA exceptions are founded on necessity, and some are even virtually identical. For example, under both regimes, processing that is necessary in the national or public interest is generally lawful,[29] as is processing necessary to protect the data subject’s “vital interests” (GDPR),[30] or “life, health or safety [in an emergency]” (PDPA).[31]

Two bases that are unique to the GDPR are of greater interest: (i) processing necessary for contractual performance, and (ii) processing necessary for the controller’s or a third party’s legitimate interests (balanced against the data subject’s reasonable expectations).[32] On their face, they appear to provide generous exceptions to the obligation to obtain consent. Notably, the EU legislator accepts that even processing for direct marketing purposes might qualify.[33] It is submitted that these bases could, possibly inadvertently, operate to mop up the PDPA’s ‘deemed consent’ cases. Using an example from the PDPC,[34] under the PDPA, a data subject who provides her credit card details in exchange for facial treatment could be deemed to have consented to data collection. While consent cannot be deemed under the GDPR, such processing could instead be justified under the banner of being necessary for contractual performance. Either way, lawful processing becomes possible.

However, the GDPR’s ambit is narrower in one critical way: the fact that personal data is publicly available is not in itself a ground for lawful processing. Under the PDPA, data generally available to the public – including that reasonably observable in public spaces – can be processed with few restrictions.[35] The GDPR departs from this in two ways. First, the personal data must be manifestly made public by the data subject.[36] Second, even where data is manifestly made public, the effect this has is not to legitimise data processing, but only to lift the blanket prohibition on the processing of special categories of data under art 9 of the GDPR.[37] In such circumstances, an additional lawful basis must still be established under art 6. While this second difference could be seen as unnecessarily technical and onerous on controllers,[38] the first is to be celebrated. The requirement is ostensibly borne out of a respect for data subjects’ rights; the act of volunteering one’s information is a normatively significant exercise of one’s autonomy. The mere fact that data is publicly available is not. In fact, where data has been made public against the data subject’s wishes, this could well constitute the very antithesis to the data subject’s interests.[39]

Will Singapore follow the EU’s lead? As it stands under the PDPA, organisations can lawfully use and disclose personal data so long as that data was publicly available for at least an instant in time, even if the individual never intended it for public access and removed it from the public sphere at the earliest opportunity. However, insofar as the PDPA remains an instrument that strives to balance data subjects’ rights with organisations’ interests;[40] Europe’s data subject-friendly approach is unlikely to gain traction in Singapore. This stems from the PDPC’s recognition that, were it otherwise, organisations would have to incessantly verify the data’s continued public availability, which would be “excessively burdensome”.[41]

 

purpose limitatIOn and notification

 

Under the GDPR, a controller must – regardless of its specific basis for processing personal data – (i) ensure that processing occurs in a manner compatible with its declared purposes (purpose limitation), and (ii) inform data subjects of these purposes (purpose notification).[42] This is common ground under both regimes, except that the notification obligation does not apply under the PDPA where consent is deemed or where an exception from the Schedule applies.[43] Where consent is required, however, the PDPC has routinely stressed that the ‘neighbouring obligations’ of purpose limitation and notification must be met.[44]

Where purpose limitation is concerned, the GDPR mandates that personal data may only be collected for “specified, explicit and legitimate purposes”.[45] Like the PDPA,[46] vague or generic purposes like “improving user experience”, “IT-security purposes” and “future research” are unlikely to pass muster.[47] Under both regimes, a flexible and fact-sensitive approach will probably be taken to determine whether a purpose is legitimate (or objectively appropriate under the PDPA[48]), based on parties’ reasonable expectations, societal attitudes, etc.[49]

As to the notification obligation, the GDPR sets out relatively more demanding requirements.[50] Controllers are to provide wide-ranging information on their organisations, the data collected (if not already known), the purpose and bases for processing, and any intended data transfers or recipients,[51] along with storage periods, data subjects’ rights, the existence of automated decision-making, and where applicable, the data source.[52]

The GDPR counterbalances these demands by providing for exceptions to the notification obligation. However, these exceptions are not consistently available. Whereas art 14(5) of the GDPR sets out four exceptions (in cases where the data originates from a third-party source), only one exception applies under art 13 (cases where the data originates from the data subject).[53] It is doubtful whether these differences, if deliberate, are justified. As an example, circumstances constituting “disproportionate effort” in an art 14 context are likely to be no less disproportionate or demanding on the controller in an art 13 case.[54] Considerations of fairness and coherence support extending the exception’s application to both contexts. One could make the case that it should be the judge who then determines whether the particular factual matrix crosses the threshold of disproportionality. That being said, EU Member States are empowered to introduce further exceptions pursuant to art 23 of the GDPR, which could leave the final list of exceptions looking quite different.[55]

 

accountability

 

Relative to its predecessor, the GDPR is decidedly better grounded in the principles of governance and demonstrable accountability.[56] Controllers and processors are expected to take proactive, ex ante measures to ensure the lawfulness and integrity of all data processed, as early as when determining the means of processing (i.e. Privacy by Design).[57] Another enshrined principle, Privacy by Default, requires controllers to ensure that, by default, only data necessary for their processing purposes are processed.[58] This expectation of data minimisation applies to both the amount of, and access to, data, and the extent and period of their processing retention.[59] Unlike the PDPA, which permits the collection of most data relevant to a controller’s purposes, only data that is “adequate, relevant and limited” to these purposes can be collected under the GDPR.[60] Be that as it may, organisations unaffected by the GDPR might still benefit from adopting data minimisation practices, seeing as this might lower the risk of a data breach – a violation under both regimes.[61]

This emphasis on safeguards stems, in part, from a recognition of the consent model’s deficiencies. The consent model regards the data subject’s consent as the key touchstone of data protection. It presumes, at its heart, the existence of the informed and interested data subject – an idealised construct.[62] In reality, whereas meaningful consent is predicated on carefully-considered choices, the saturation of consent requests and privacy policies today only serve to desensitise data subjects, weakening their ability to respond to such requests.[63] The rise of distributed networks, cloud computing, and the Internet of things has only worsened this predicament by making transactions less discrete and more opaque. Determinations of when and how, or even by whom, our data is processed are thus increasingly difficult to make.[64] An accountability-centric model seeks to resolve these problems by orienting the organisation’s interactions – and obligations – to the regulator, rather than the disinterested or overwhelmed data subject.

In Singapore, the PDPC has always had this second string to its bow, in the form of the Protection Obligation. Organisations are to protect any data they possess or control using “reasonable security arrangements”.[65] Likewise, the GDPR instructs controllers and processors to implement “appropriate technical and organisational measures” to ensure the confidentiality, availability and security of data.[66] Both regimes also contain provisions on data accuracy[67] and limitations on data storage and retention periods.[68]

Both “reasonable” (PDPA) and “appropriate” (GDPR), in this context, likely involve similar evaluations. Reasonableness in the context of the PDPA considers the nature, form, volume, sensitivity and accessibility of information held, and the potential impact of any unauthorised access, modification or disposal.[69] Indicators like industry practice and software currency are relevant,[70] as are risk levels.[71] Appropriateness in the context of the GDPR considers “the nature, scope, context and purposes of processing as well as the risks … for the rights and freedoms of natural persons”.[72] Indicators like adherence to approved codes of conduct and certification under approved mechanisms help demonstrate compliance.[73] What is distinct is that appropriateness also factors in the cost of implementing safeguards,[74] tailoring the assessment to the particular organisation’s means. It has been suggested that the PDPA lacks such a consideration.[75]

Another difference is that compliance must be demonstrable under the GDPR. From obtaining consent[76] to performing internal assessments, organisations are required to document and maintain a record of processing activities,[77] presentable to a supervisory authority on request. While penalties for non-compliance do not appear to include administrative fines, authorities can enforce the obligation using its investigative powers under art 58 of the GDPR,[78] or account for it during sentencing.[79]

The GDPR also elevates the status of Data Protection Impact Assessments [DPIA] from a recommended practice[80] to a mandatory step in some circumstances. Where processing is “likely to result in a high risk”, such as where it involves, inter alia, evaluations using automated processing, large-scale processing of special data, or large-scale monitoring of public spaces, controllers are to first perform an assessment of the processing’s potential impact on data protection.[81] Where such a risk cannot be mitigated, consultations with the supervisory authority should be arranged.[82] One point of interest is art 35(9) of the GDPR, which requires the controller to “seek the views of data subjects … on the intended processing” where appropriate.[83] It is unclear how much weight these opinions will have on supervisory authorities’ directions on the scope and permissibility of processing.

Finally, the GDPR mandates the reporting of personal data breaches. Where the integrity of confidentiality of data has been compromised,[84] controllers are bound to notify the relevant supervisory authority of the breach without undue delay.[85] Where the breach is likely to pose a high risk to data subjects, they must too be notified.[86] The PDPA is currently on a convergence path to adopt similar obligations, the PDPC having announced its intention to do so in February 2018.[87]

 


 

conclusion

 

While the fundamental tenet of consent is here to stay, the GDPR’s broader embrace of accountability is both unmistakable and welcome. In this connection, there is much to be said on the GDPR’s treatment of issues like automated decision making and the right to be forgotten. These are exciting developments in a fast-moving area of the law. The impact they will have on future PDPA amendments is certainly a space to watch.

 



[1] EC, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), [2016] OJ, L119/1 [GDPR].

[2] Paul de Hert & Vagelis Papakonstantinou, “The new General Data Protection Regulation: Still a sound system for the protection of individuals?” (2016) 32 CLSR 179 at 180.

[3] EC, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, [1995] OJ, L 281/31.

[4] EC, Press Release, IP/12/46, “Commission proposes a comprehensive reform of data protection rules to increase users’ control of their data and to cut costs for businesses” (25 January 2012), online: Press Release Database <http://europa.eu/rapid/press-release_IP-12-46_en.htm> For a survey on the development of EU data protection laws, see generally Bart van der Sloot, “Do data protection rules protect the individual and should they? An assessment of the proposed General Data Protection Regulation” (2014) 4(4) IDPL 307.

[5] Jeewon Kim Serrato et al, “One week into GDPR – what you need to know” (4 June 2018), Data Protection Report (blog), online: <https://www.dataprotectionreport.com/2018/06/one-week-into-gdpr-what-you-need-to-know/>.

[6] David Hart QC, “$8 billion lawsuits started on GDPR day” (31 May 2018), UK Human Rights Blog (blog), online: <https://ukhumanrightsblog.com/2018/05/31/8-billion-lawsuits-started-on-gdpr-day/>.

[7] Alex Hern, “Most GDPR emails unnecessary and illegal, say experts”, The Guardian (21 May 2018), online: <https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts>.

[8] GDPR, art 83(6).

[9] As highlighted in Paul Voigt & Axel von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide (Cham, SUI: Springer International, 2017) [GDPR Practical Guide] at 209, n 45, citing the relevant French and German statutes.

[10] GDPR, art 3. See also EC, European Data Protection Board [EDPB], “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)” (16 November 2018), online: <https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf>.

[11] Personal Data Protection Act 2012 (No 26 of 2012, Sing) [PDPA].

[12] Similarly defined under both PDPA, s 2 and GDPR, art 4, but note in particular GDPR, arts 8–9. Where personal data is obtained from a child below 16–years–old in relation to information society services, art 8 of GDPR, carves out special rules. Art 9 of GDPR, identifies special categories of personal data that are regarded as more sensitive and as requiring greater protection. The absence of similar protections for the personal data of children in Singapore has been regarded as a “significant gap”: see Simon Chesterman, “From Privacy to Data Protection” in Simon Chesterman, ed, Data Protection Law in Singapore: Privacy and Sovereignty in an Interconnected World, 2nd ed (Singapore: Academy Publishing, 2018) 13 [Chesterman] at paras 2.63–2.67.

[13] PDPA, s 13.

[14] GDPR, art 4(11). Under certain circumstances, such as where special categories of personal data are concerned, an even higher standard of “explicit consent” is required: see EU Article 29 Data Protection Working Party, “Guidelines on consent under Regulation 2016/679” (WP259 rev.01) (10 April 2018) [WP29 Guidelines on Consent] at 18.

[15] WP29 Guidelines on Consent at 11–18.

[16] GDPR, rec 42.

[17] GDPR, rec 43. See also Lukas Feiler, Nikolaus Forgó̤ & Michaela Weigl, The EU General Data Protection Regulation (GDPR): a commentary (Woking, Surrey: Globe Law and Business, 2018) at 88; WP29 Guidelines on Consent at 10.

[18] WP Guidelines on Consent at 15.

[19] GDPR, rec 32.

[20] Personal Data Protection Commission Singapore, “Advisory Guidelines on Key Concepts in the Personal Data Protection Act” (27 July 2017) [PDPA Key Concepts] at para 12.10. See also Re YesTuition Agency [2016] SGPDPC 5 generally for a relatively liberal approach to opt–out clauses (there, the PDPC did not object to the existence of a broadly–worded, opt–out clause).

[21] Supra note 16.

[22] EC, Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts, [1993] L 95/29 [Directive 93/13/EEC].

[23] Compare the breadth of the definition and illustrations of “unfair terms” in Directive 93/13/EEC, art 3 and Annex, with Singapore’s Unfair Contract Terms Act (Cap 396, 1994 Rev Ed Sing), ss 2–4.

[24] PDPA, s 15(1). See also PDPA Key Concepts at para 12.28.

[25] In fact, organisations are already being advised to bypass the consent requirement altogether by considering alternative bases: GDPR Practical Guide at section 4.2.1.

[26] GDPR, art 6(1)(b)–(f).

[27] GDPR, art 6(2) and rec 40.

[28] PDPA, Second, Third and Fourth Schedules, on collecting, using and disclosing personal data respectively.

[29] GDPR, art 6(1)(e) (“necessary for the performance of a task carried out in the public interest …”); PDPA, paras 1(d) of the Second Schedule, 1(d) of the Third Schedule and 1(e) of the Fourth Schedule (“necessary in the national interest”).

[30] GDPR, art 6(1)(d).

[31] PDPA, paras 1(b) of the Second, Third and Fourth Schedule.

[32] GDPR, arts 6(1)(b) and 6(1)(f). See also EU Article 29 Data Protection Working Party, “Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP217) (9 April 2014) for specific examples.

[33] GDPR, rec 47.

[34] PDPA Key Concepts at para 12.23.

[35] PDPA, s 2(1); PDPA Key Concepts at paras 12.57-12.59. See, for example, Re SG Vehicles Asia Pte Ltd [2018] PDP Digest 361.

[36] GDPR, art 9(2)(e).

[37] On ‘special categories of data’, see GDPR, art 9(1). These categories include data relating to racial or ethnic origin, political opinions, health data, data concerning one’s sexual orientation, etc. By contrast, the PDPA does not adopt a bright red line approach. Instead, examples of sensitive data that warrant a higher standard of protection are explored in the PDPC’s decisions and advisory guidelines. See, for a summary of these, Re Aviva Ltd [2017] SGPDPC 14 at [17]-[18].

[38] There has been suggestion that this would be unnecessary, e.g. Maria Roberta Perugini, “ Personal data made public by the ‘data subject’ and the use of information published on social networks: early observations of GDPR art 9, para 2, letter e” (23 January 2017), Lexology (blog), online: <https://www.lexology.com/library/detail.aspx?g=ce9e10b9-de43-4771-9f7b-f52963f7a7b4>.

[39] Cf. PDPA Key Concepts at para 12.63. The PDPC’s advisory could be construed as evincing some unease with the exception for publicly-available data. The examples raised at para 12.63 all recommend that organisations collecting personal data in public spaces should, as good practice, put members of the public on notice that their personal data may be collected.

[40] Chesterman at para 2.49.

[41] PDPA Key Concepts at paras 12.60-12.61. See also Re My Digital Lock Pte Ltd [2018] SGPDPC 3.

[42] GDPR, art 5(1)(b); Re AIA Singapore Private Limited [2016] SGPDPC 10 at [18].

[43] PDPA, ss 18 and 20.

[44] Re Jump Rope (Singapore) [2016] SGPDPC 21 at [10]. See also Re AIA Singapore Private Limited [2016] SGPDPC 10 at [18].

[45] GDPR, art 5(1)(b).

[46] PDPA Key Concepts at para 14.16.

[47] EU Article 29 Data Protection Working Party, “Opinion 03/2013 on purpose limitation” (WP203) (2 April 2013) [WP Opinion on purpose limitation] at 16 and 52.

[48] PDPA, s 18; see also Re AIA Singapore Private Limited [2016] SGPDPC 10 at [19]-[20] for an application of this requirement.

[49] WP Opinion on purpose limitation at 19–20.

[50] Cf. PDPA, s 20.

[51] GDPR, arts 13(1), and 14(1).

[52] GDPR, arts 13(2) and 14(2).

[53] EU Article 29 Data Protection Working Party, “Guidelines on transparency under Regulation 2016/679” (WP260) (11 April 2018) at paras 56–57.

[54] GDPR, art 14(5).

[55] GDPR, art 23.

[56] GDPR, art 5(2).

[57] GDPR, art 25(1).

[58] GDPR, arts 5(1)(c), 5(1)(e) and 25(2).

[59] GDPR, art 25(2).

[60] GDPR, art (5).

[61] Hannah YeeFen Lim, Data Protection in the Practical Context: Strategies and Techniques (Singapore: Academy, 2017) at para 5.25.

[62] Policy and Research Group of the Office of the Privacy Commissioner of Canada, “Consent and Privacy: A discussion paper exploring potential enhancements to consent under the Personal Information Protection and Electronic Documents Act” [OPC discussion paper] at 9. See also Gabriela Zanfir, “Forgetting About Consent. Why The Focus Should Be On “Suitable Safeguards” in Data Protection Law” in Serge Gutwirth, Ronald Leenes & Paul de Hert, eds, Reloading Data Protection: Multidisciplinary Insights and Contemporary Challenges (Dordrecht: Springer, 2014) 237.

[63] Bart W Schermer, Bart Custers & Simone van der Hof, “The crisis of consent: how stronger legal protection may lead to weaker consent in data protection” (2014) 16 Ethics and Information Technology 171 at 176-179.

[64] OPC discussion paper at 6.

[65] PDPA, s 24.

[66] GDPR, arts 24(1) and 32(1).

[67] PDPA, s 24; GDPR, art 5(1)(d).

[68] PDPA, s 25; GDPR art 5(1)(e).

[69] PDPA Key Concepts at paras 17.2 & 17.4.

[70] Re K box Entertainment Group Pte Ltd and another [2016] SGPDPC 1 at [26] and [29].

[71] Re Metro Pte Ltd [2016] SGPDPC 7 at [15].

[72] GDPR, art 24(1).

[73] GDPR, arts 24(3) and 32(3).

[74] GDPR, art 32(1).

[75] Foo Ee Yeong Daniel, “Suggestions on the relevance of the Organization’s Size to Section 11 of Singapore’s Personal Data Protection Act” at section II, online: (2017/2018) 9 Juris Illuminae <http://www.singaporelawreview.com/juris-illuminae-entries/2018/suggestions-on-the-relevance-of-the-organizations-size-to-section-11-of-singapores-personal-data-protection-act>.

[76] GDPR, art 7(1) and rec 42.

[77] GDPR, art 30.

[78] GDPR, art 58(1).

[79] GDPR, art 83(2)(f).

[80] PDPA Key Concepts at para 17.4.

[81] GDPR, art 35. See also EU Article 29 Data Protection Working Party, “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679” (WP248 rev.01) (4 October 2017) at 8-12 on other situations where a DPIA may be warranted.

[82] GDPR, rec 84.

[83] GDPR, art 35(9).

[84] Though not when they are only made temporarily unavailable, e.g. in the event of a power outage.

[85] GDPR, art 33(1). A processor which becomes aware of such a breach is to inform its controller instead: GDPR, art 33(2).

[86] GDPR, art 34(1), though see exceptions under GDPR, art 34(3).

[87] Personal Data Protection Commission Singapore, “Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy” (1 February 2018) at 1015 (Part III: Mandatory Data Breach Notification). In any case, prompt notification of breaches is already an encouraged practice, and could amount to a mitigating factor in some cases, e.g. in Re Credit Counselling Singapore [2017] SGPDPC 18 at [37].