(This article was first published in Volume 9 of RT ASEAN’s Review Times)
In Singapore, personal data is protected under the Personal Data Protection Act 2012 (“PDPA”), which is administered by the Personal Data Protection Commission of Singapore (“PDPC”).
With cloud computing and cloud storage services now used by organisations across various industries, the PDPC published Chapter 8 of its Advisory Guidelines on the PDPA for Selected Topics (“Guidelines”) in October 2019, specifically pertaining to the use of cloud services. The Guidelines do not have the force of law, but are helpful in clarifying the obligations that organisations in Singapore must comply with when engaging the services of a Cloud Service Provider (“CSP”) who may host or process personal data within or outside of Singapore.
Chapter 8 of the Guidelines clarifies that any organisation that engages the services of a CSP remains responsible for complying with the PDPA in respect of personal data processed (which includes the holding and retrieval of data) by its CSP on its behalf and for its purposes.
For instance, organisations should ensure that reasonable security arrangements are put in place to protect the personal data that the organisation possesses or transfers to its CSP. In December 2019, Honestbee Pte Ltd was fined $8,000 for failing to put in place the security measures necessary to protect personal data that was placed in its Amazon Web Services (“AWS”) file repository. Honestbee had mistakenly placed personal data into a file folder without access restrictions, thereby allowing anyone with AWS’s command line to gain access to the personal data.
Where a CSP hosts or processes data outside of Singapore, the organisation engaging such CSP must also comply with transfer limitation obligations under the PDPA for any overseas transfer of personal data. In particular, the organisation must ensure that its CSP only transfers personal data to locations with data protection regimes of a standard which is comparable to the standards of the PDPA, or include terms in the agreement between the CSP and the organisation to establish a standard of protection comparable to that of the PDPA for any personal data transferred to local or overseas locations.
In light of the above, organisations in Singapore that wish to engage the services of CSPs must familiarise themselves with their obligations under the PDPA and carefully consider the following when selecting their CSP:
It should be noted that the Personal Data Protection (Amendment) Bill 2020 (“PDP Bill”) was introduced and read for the first time in the Singapore Parliament on 5 October 2020. The PDP Bill introduces a slew of key amendments to the PDPA, including but not limited to:
While none of the proposed amendments under the PDP Bill have a direct impact on the information set out above, organisations are advised to familiarise themselves with the changes proposed in the new PDP Bill prior to its anticipated enactment in the near future.
 The Advisory Guidelines on the PDPA for Selected Topics may be accessed at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-PDPA-for-Selected-Topics-9-Oct-2019.pdf?la=en. Chapter 8 on Cloud Services can be found at pages 56-58.
 A summary of the PDPC’s decision on Honestbee Pte Ltd’s breach of the PDPA may be found at: https://www.pdpc.gov.sg/all-commissions-decisions/2019/12/breach-of-the-protection-obligation-by-honestbee.
 The PDP Bill can be accessed at https://www.mci.gov.sg/-/media/mcicorp/doc/public-consultations/public-consultation-on-pdp-amendment-bill—14may2020/pdp-amendment-bill.ashx.
We, at PDLegal LLC, take pride in being astute, meticulous and holistic in our approach. Our “clients first” philosophy is guaranteed to build lasting relationships.