Introduction
On 12 June 2020 the Diet promulgated the Amendment Act of the Act on the Protection of Personal Information, which will come into force by June 2022.(1) Many of the act s provisions have been delegated to subordinate regulations, including:
the Cabinet Order to Enforce the Act on the Protection of Personal Information; and
the Personal Information Protection Commission s (PPC s) Enforcement Rule for the Act on the Protection of Personal Information.
In December 2020 further proposed amendments to these regulations were published.(2) This article outlines the effect that these proposed amendments will have on businesses disclosure requirements when transferring personal data to overseas third parties.(3)
Singapore data privacy law updates 2020
In June 2020, the Personal Data Protection Regulations 2014 (“
Regulations”) were revised to recognise the Asia Pacific Economic Cooperation (“
APEC”) Cross Border Privacy Rules (“
CBPR”) System and, for data processors, the Privacy Recognition for Processors (“
PRP”) System certifications as an additional data transfer mechanism under the PDPA for transferring personal data outside Singapore.
Section 26 of the PDPA restricts an organisation from transferring personal data outside Singapore (“
Transfer Limitation Obligation”), unless at least one of the prescribed safeguards has been put in place to ensure that the data recipient will provide a standard of protection to the transferred personal data that is comparable to the protection under the PDPA. The Regulations further specify the steps that an organisation may take to ensure that the overseas recipient of personal data is bound by legally enforceable obligation