The European Union Privacy Directive (also known as the EU Data Protection Directive) came into effect on 25 October 1998.  On or after this date, all EU member states are required to enact comprehensive privacy legislation to ensure that organisations have in place data protection policies to protect the privacy of personal data. 

How will this EU Privacy Directive impact Singapore?  Firstly, under Article 25,  the transfer of personal data to countries outside the EU member states is not allowed unless that country has in place an  “adequate level of protection” to safeguard and to protect the privacy of personal data. Singapore is home to many multinational companies who will need to exchange and transfer business and personal data from their offices in the EU member states to Singapore.  Their EU offices will need to demonstrate that their Singapore offices can comply with Article 25.  

Secondly, there is a growing international trend and demand for privacy laws to protect personal data in the light of the rapid development of the information technology tools, telecommunications and the internet.  Information can now be easily transferred rapidly and to millions of outsiders, leaving the individual with no control over the privacy of his personal data. 

If Singapore wishes to progress as an international electronic commerce hub, Singapore will have to take steps to keep in line with the comprehensive privacy codes of its major trading partners such as the European Union.  A comprehensive privacy code is important to create trust and confidence with consumers.          

S Y N O P S I S

This paper will examine the levels of protection and safeguards required by the EU Privacy Directive on the protection of individuals with regard to the privacy of their personal data.  It will discuss the requirements imposed under articles 25 and 26 of the EU Privacy Directive to the transfer of personal data to third countries outside the EU.   The paper will survey generally the legislative provisions, rules and regulations on offline and online privacy protection in Singapore.  The paper will make an assessment of current privacy practices in Singapore. 

The paper will discuss how the EU Privacy Directive will impact Singapore and Singapore-based companies.  In particular, the paper will discuss the barriers to the transfer of personal data from EU offices to their Singapore offices.  Finally the paper will discuss what changes, if any, need to be made on the protection of the privacy of personal data in Singapore.

CONCLUSION

Privacy practices, including the protection of personal data, vary from country to country. Commentators, such as Prof Ang Peng Hwa, have noted that the EU has the most comprehensive privacy rules whilst privacy rules in the United States are not comprehensive enough. The United States is an example of a country which, as of now, relies on industry self-regulation as well as legislation for the protection of personal data. There are good grounds to opt for industry self-regulation instead of government legislation. 

The most important is the rapid pace of technological changes taking place in the information and telecommunications industries including the internet.  Government legislation will have to be kept constantly up-to-date with technology changes in requiring businesses to uphold genuine standards of safeguards for the protection of personal data. In the worst case scenario, businesses may close down due to the high costs of compliance.

Singapore’s position is somewhat analogous to that of the United States. The rigorous provisions on the confidentiality of personal data in the legislation may be explained partly by Singapore’s small geographical size and population and partly by the national interest exemptions and exceptions as set out in article 13 of the EU Privacy Directive.  Indeed the events of September 11 have led the United States Congress to pass legislation,  signed by President Bush on 26 October 2001, to expand the powers of law enforcement agencies at the expense of the individual’s privacy rights including the disclosure of intelligence information and personal data to combat terrorist activities.

The Infocomm Authority of Singapore (“IDA”), which looks after the licensing, development and advancement of the information and telecommunications industries, in a paper entitled “Infocomm 21 : Dotcomming the Private Sector”,  published on 1 August 2000, noted that “the personal privacy protection of online users is becoming a crucial component of trust in the cyber-world”. 

It announced that IDA “is in the midst of studying the experiences of other countries and the rising domestic concerns” (on privacy protection issues). It noted that with online linkages and the convergence of technologies, personal information could easily be transferred through networks. The concern is presumably the loss of control over the privacy of personal data.

Singapore acknowledges the concerns of online users on the protection of personal data on the internet, and by implication, also the concerns of consumers on the protection of personal information collected by businesses whether online or offline.  The  IDA  noted that some countries have moved towards “co-regulation” that is a mixture of legislation and self-regulation.

What is needed is the response of the Singapore Government on how to take the protection of personal data forward so as to address the challenges to online privacy faced by consumers and internet users in Singapore.

 

<< BACK