Zscaler and Singapore’s Personal Data Protection Act
Introduction
Singapore’s comprehensive personal data protection law, the Personal Data Protection Act (“PDPA”), was enacted in 2012. The PDPA was amended in November 2020, with some of the amendments becoming effective as of February 1, 2021 and other amendments expected to go into effect in early 2022.
The PDPA regulates the collection, use and disclosure of personal data by individuals and private organizations. It does not apply to the public sector, which is subject to separate data protection laws and regulations.
With limited exceptions, the PDPA requires that an organization obtain the consent of an individual in order to process that individual’s personal data. Consent can be either express or deemed. Express consent is only valid if the individual has been provided with adequate notice of the purposes of data collection, use and disclosure. Consent is deemed where an individual (i) voluntarily provides personal data to an organization for a purpose of which the individual has been notified and (ii) it is reasonable that the individual would voluntarily provide the personal data for that purpose. In addition, consent may be deemed when an individual provides personal data to an organization with a view to entering into a contract with that organization, where the data is reasonably necessary for the conclusion of the contract.
The 2020 amendments to the PDPA expanded the concept of “deemed consent.” In addition, the amendments added two new bases for the processing of personal data: (i) legitimate interests (similar to the concept under the GDPR) and (ii) business improvement purposes.
With respect to transfers of personal data outside of Singapore, the PDPA requires that organizations provide a standard of protection that is comparable to the protection under the PDPA. An organization’s obligations under the PDPA apply regardless of whether the organization has a physical presence in Singapore.
The Personal Data Protection Commission of Singapore is responsible for overseeing and enforcing the PDPA. Among the Commission’s enforcement powers are:
• Stopping the collection, use or disclosure of personal data in contravention of the PDPA;
• Destroying personal data collected in contravention of the PDPA;
• Providing or refusing access to or correction of personal data; and/or
• Requiring payment of financial penalties.
The 2020 amendments to the PDPA increased the maximum financial penalty for violations of the PDPA to 10% of an organization’s annual gross turnover in Singapore (for organizations whose annual turnover in Singapore exceeds S$10 million) or S$1 million, whichever is higher. These penalties are expected to go into effect in early 2022.
What Is Personal Data Under the PDPA?
Personal data is defined simply (but broadly) under the PDPA as any data about an individual who can be identified (i) from that data or (ii) from that data and other information to which the organization has or is likely to have access.
The PDPA does not apply to business contact information. The exclusion of business contact information encompasses an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number, and any other similar information about the individual that is provided for business and not solely for personal purposes.
The PDPA does not define a separate category of sensitive personal data. However, guidance published by the Personal Data Protection Commission provides that certain types of information, such as national identity (NRIC) numbers, passport numbers and work permit numbers, should not be collected unless certain narrow exceptions apply. In addition, the Commission’s guidance indicates that organizations should take into account the sensitivity of personal data in determining the appropriate level of security (e.g., encryption is recommended for personal data that would have a higher adverse impact on the individual if subject to unauthorized access).
How Does Zscaler Comply with the PDPA?
Although the PDPA has limited applicability to a “data intermediary” (defined as an organization that processes personal data on behalf of another organization), Zscaler is committed to assisting its customers in complying with the PDPA, as well as to satisfying Zscaler’s own obligations under the PDPA, including by taking the following actions:
1. Accountability. Zscaler has appointed individuals who are responsible for Zscaler’s compliance with the PDPA. These responsibilities include: (i) ensuring that Zscaler’s policies and processes are compliant with the PDPA; (ii) fostering a data protection culture among employees; (iii) managing personal data protection-related queries and complaints from the public; (iv) alerting Zscaler management to any risks that might arise with regard to personal data; and (v) being the point of contact for the Personal Data Protection Commission on any data protection matters.
2. Purpose Limitation. Zscaler only collects, uses, and discloses customer personal data for the purpose of providing Zscaler’s services and as otherwise permitted under the PDPA.
3. Notifications. Zscaler provides notifications of the purposes for which it collects, uses and discloses personal data and only collects, uses, and discloses personal data for such purposes.
3. Access and Correction. Zscaler facilitates its customers’ ability to access and/or correct the personal data in Zscaler’s possession or under its control.
5. Accuracy. Zscaler makes reasonable efforts to ensure that the personal data it collects is accurate and complete.
6. Security. Zscaler protects the personal data in its possession or under its control by making reasonable security efforts to prevent (i) unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.
7. Retention Limitation. Zscaler ceases to retain personal data when (i) the purpose for which the personal data was collected is no longer being served by retention of the personal data; and (ii) retention is no longer necessary for legal or business purposes.
8. Transfer Limitation. When Zscaler transfers personal data outside Singapore, it ensures a standard of protection comparable to the protection under the PDPA.
9. Data Breach Notification. If Zscaler has reason to believe that a data breach has occurred in relation to personal data that Zscaler is processing on behalf of and for the purposes of its customers, Zscaler will notify the affected customers of the data breach without undue delay, so that those customers can assess whether the breach is notifiable to the Personal Data Protection Commission and to affected individuals.
10. Data Portability. When the relevant amendment to the PDPA becomes effective, Zscaler will assist its customers in complying with data porting requests.
Helpful Links Regarding the PDPA
Singapore Personal Data Protection Commission: https://www.pdpc.gov.sg/
Text of the PDPA: https://sso.agc.gov.sg/Act/PDPA2012
Regulations under the PDPA: https://sso.agc.gov.sg/SL-Supp/S63-2021/Published/20210129?DocDate=20210129
Advisory Guidelines on Enforcement of the PDPA: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-on-Enforcement-of-DP-Provisions-1-Feb-2021.pdf?la=en