I. INTRODUCTION

Singapore’s Personal Data Protection Act¹ [PDPA] has been in effect since four years ago,² and serves to balance the protection of individuals’ personal data with the ‘need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances’.³ Since then, the Personal Data Protection Commission [PDPC], with the help of public consultations,⁴ has continually revisited and augmented⁵ the PDPA’s various advisory guidelines.⁶

The PDPA stipulates various obligations, which organisations should fulfil based on ‘what a reasonable person would consider appropriate in the circumstances’, as per section 11(1) of the Act (the “reasonableness test”). This standard of reasonableness underpins the standard of compliance for all obligations under the PDPA,⁷ and the Advisory Guidelines on Key Concepts in the PDPA⁸ [Guidelines] clarifies that this applies to all private organisations⁹ as defined in section 2, regardless of their size.

This article aims to explore the relevance of an organisation’s size to the PDPA’s reasonableness test, and submits that the former should be considered as a factor in applying the latter. This may be done, for instance, by providing for it in the Guidelines.

II. MINIMAL SCOPE FOR SIZE IN THE PDPA’S REASONABLENESS TEST

Currently, the size of the organisation appears to be contemplated only by the Protection Obligation – when determining whether reasonable security arrangements have been made to prevent unauthorised handling of personal data under section 24 of the PDPA. This is seen from the Guidelines, which provide only general guidance for compliance¹⁰ and mention the size of the organisation only once: as a factor in risk assessment exercises determining whether information security arrangements are adequate.¹¹ Otherwise, the PDPA legislation and jurisprudence do not feature the size of the organisation in applying the reasonableness test for any other obligation. There does not appear to be any debate on this issue; one can only guess that the drafters of the PDPA believed that fulfilling these other obligations was more important than the strain of compliance on organisations and/or that the obligations were generally undemanding for organisations that already had strong data protection practices. In any case, the PDPA prevents organisations from invoking their small size to unjustifiably exempt themselves from obligations to protect personal data.

Instead, the reasonableness of measures appears to turn on the impact on the individual whose personal data is mishandled and the compliance measures themselves. For example, the Accuracy Obligation under section 23 considers, inter alia, the nature of the personal data,¹² as well as the impact on the relevant individual should the data be inaccurate.¹³ Another example is the Notification Obligation under section 20, which considers the ‘circumstances and manner in which [the organisation] will be collecting the personal data’,¹⁴ the ‘frequency at which the personal data will be collected’¹⁵ and ‘the channel through which the notification is provided’.¹⁶ The size of the organisation does not appear to feature in the reasonableness test for any of the obligations under the PDPA, except for in the Protection Obligation.

III. ORGANIZATIONAL SIZE SHOULD BE A FACTOR

As a result of the above, the reasonableness test arguably fails to take into account the resource-scarce reality of many small organisations when determining whether they have discharged their obligations to a ‘reasonable’ standard under the PDPA. One example is where an organisation transfers personal data to its parent company overseas, and has to fulfil its Transfer Limitation Obligation under section 26 of the PDPA. The Guidelines suggest that the organisation reviews the corporate rules binding both organisations and assesses that they comply with these regulations, as well as that the data protection is ‘comparable to the standard under the PDPA’.¹⁷ This envisages studying rules, designing and executing appropriate transfers, as well as deciding whether corporate practices sufficiently comply with legislation – all difficult processes that require a certain amount of manpower or at least expertise that small organisations will not be as privy to as large ones. Except for in the Protection Obligation, the PDPA’s current reasonableness test essentially demands the same standard of compliance from the sole proprietor as that from the large, multinational company. This raises issues of resource inequality and disadvantage to small organisations, for which sustainability is already a challenge without the PDPA.

Considering the organisation’s size when applying the reasonableness test would better accord with the plain meaning of ‘reasonableness’. It appears unreasonable, in the barest and most layman sense of the word, to expect small organisations to comply with the PDPA as rigorously as large organisations. Then-President of the Singapore Chinese Chamber of Commerce and Industry, Mr Teo Siong Seng, emphasised during the Second Reading of the Personal Data Protection Bill that small organisations would struggle more with manpower, time-related and even consultancy costs of compliance with the PDPA.¹⁸ SMEs have since reportedly had to grapple with ‘overburdened staff’¹⁹ and five-figure costs on ‘new procedures, staff training and the upgrading of technology]’.²⁰ In particular, the obligation to ‘develop and implement policies and practices that are necessary’ to comply with the PDPA, as per section 12(a) of the Act, is manifestly more difficult for small organisations than it is for large ones. Taking into account an organisation’s size would achieve better approximations of what a ‘reasonable person would consider appropriate in the circumstances’. This would in turn produce more practical benefits: guiding the PDPC to achieve fairer adjudicative outcomes – ensuring that small organisations are not penalised for failing to take compliance measures beyond their means.

Further, having regard for the size of the organisation would better achieve the PDPA’s purpose of mitigating compliance costs.²¹ Organisations should save costs when implementing essential PDPA-compliant processes, as doing so guards against actionable, personal data breaches ‘under other statutes, at common law and equity’.²² This helps organisations save costs on litigation and compensation, which would be greater than the costs incurred for compliance with the PDPA. However, as the PDPA’s reasonableness test now apparently does not accommodate the inherent differences between small and large organisations, small organisations may find themselves tending toward the safest practices or ‘best solution[s]’ adopted by large organisations, which may be too costly for them.²³ Recognising that the size of the organisation should affect what is considered ‘reasonable’ compliance would give a green light to small organisations and their consultants (if they can afford any) to exercise latitude in adopting more cost-efficient practices that would still comply with the PDPA.²⁴

Considering the organisation’s size would also better achieve the PDPA’s purpose of enhancing Singapore’s business competitiveness.²⁵ Holding small organisations to the same standard of ‘reasonableness’ as large organisations in complying with the PDPA has deleterious effects on the former’s operations.²⁶ This is because compliance with the PDPA requires a large amount of time, cost and effort that could otherwise be invested productively into the organisation’s operations.²⁷ Such resource-demanding measures include studying the PDPA, appointing a Personal Data Officer,²⁸ developing policies and practices for compliance²⁹ that must be then communicated to staff,³⁰ as well as training staff to receive and respond to PDPA-related inquiries and complaints.³¹ This has arguably even worse consequences for small social service organisations, which already struggle to make the most of their resources to perform their charitable works. Imposing the reasonableness test for compliance – without considering their sizes – risks impeding the good work of these organisations and generally inhibiting the progress of Singapore’s social service sector – a result that is normatively undesirable. A reasonableness test that accounts for the organisation’s size would encourage small organisations to consider practices that are less operationally disruptive than those that large organisations adopt but would still comply with the PDPA. Such would not only facilitate the Act’s aim of business productivity and competitiveness, but also the socially desirable aims of various social service organisations.

IV. THE DANGERS OF CONSIDERING ORGANIZATIONAL SIZE

The dangers of considering an organisation’s size in applying the reasonableness test may be observed from the effects of Australia’s Privacy Act 1988³² [APA], which makes exemptions for small businesses.³³ This ‘small business exemption’ has been heavily criticised, and the Australian Law Reform Commission even recommended its repeal in 2008.³⁴ In particular, it has been argued that organisational size is unrelated to the risk of personal data breach; such depends instead on the nature of the data, its handling and the organisation’s operations.³⁵ There have been concerns that the APA may be abused by small organisations, which are given a statutory backdoor to misuse personal data in the name of cost-effectiveness.³⁶

Including the organisation’s size as only a factor in the PDPA’s reasonableness test would be an appropriately moderate approach that mitigates the risk of completely exempting small, rogue organisations. In fact, as suggested, the organisation’s size could be mentioned as a factor only in the Guidelines. Since the Guidelines are ‘advisory’ and ‘do not constitute legal advice’,³⁷ this would mitigate the risk of giving small organisations carte blanche to breach the PDPA – holding small organisations to baseline standards of compliance. The non-conclusive status of a ‘factor’, as well as the non-binding nature of the Guidelines, also collectively preserve the PDPC’s ability to find PDPA breaches regardless of the organisation’s size. The only difference would be that the PDPC should be persuaded to weigh the small size of the organisation as one of many factors in deciding whether there is a breach of the Act.

V. MOVING FORWARD: CHALLENGES IN DEFINING ‘SIZE’

In sum, an organisation’s size should be considered as a factor in the PDPA’s reasonableness test as such better accords with the plain meaning of ‘reasonableness’, as well as better achieves the Act’s purposes of enhancing Singapore’s business competitiveness while managing compliance costs.

Having explored the legal and normative justifications of incorporating the organisation’s size as a factor in the PDPA’s reasonableness test, this article notes that defining ‘size’ has proven and can be expected to be tricky. The Australian Privacy Act’s definition of a ‘small business’ may be used as a case study. It sets out what would and would not qualify for the exemption, and has two significant features: first, it pegs ‘size’ primarily to the organisation’s annual turnover.³⁸ Second, it adopts a binary view of what would be ‘small’ and not. Suggestions have been made to raise the Privacy Act’s turnover threshold, to account for inflation.³⁹ There have also been suggestions to base the definition instead on specific levels of risk ⁴⁰ or simply the number of employees in the organisation.⁴¹ Each of these has attracted its criticisms.

Thus, careful thought should be given as to what definition of ‘size’ would be a suitable factor in the PDPA’s ‘reasonableness’ test, considering the Act’s aim of promoting business competitiveness and data protection while moderating compliance costs. These, as well as other matters related to how the size of the organisation may or should affect its compliance obligations, should also be further considered.