Data: Other notable/interesting events lately
Developments in Singapore, China, Thailand, and Saudi Arabia
Singapore
Highest fine since the 2022 amendments to the PDPA: On 2 Aug 2024, the PDPC published a decision fining Keppel Telecommunications & Transportation Ltd $120,000. The following factors determined the quantum of the fine:
The organisation negligently breached the Protection Obligation for more than 2 years.
The organisation failed to provide clear instructions and supervise its staff during processes to migrate and transfer data to an entirely cloud-based storage solution.
Approximately 22,659 individuals were affected, and the personal data of up to 7,184 of them could have been exfiltrated.
Some of the personal data affected included specimen signatures, full images of identification cards and/or bank account numbers. This exposed certain individuals to greater risks of identity theft or actual financial losses.
DPO appointment and registration deadline? There have been posts floating around the internet saying that the blurb below on the website of the Personal Data Protection Commission (PDPC) means that the PDPC requires all organisations to appoint a DPO and/or register the DPO’s business contact information (BCI) with ACRA by 30 Sep 2024.
I do not think that is the PDPC’s intention.
First, there wouldn’t be a deadline to appoint a DPO. You should already have appointed one - section 11(3) of the Personal Data Protection Act (PDPA) requires organisations to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA.
Second, putting the BCI in ACRA and on the organisation’s official website are two ways to satisfy the PDPA’s requirement that organisations make available to the public the BCI of that individual.1 The law does not state that the DPO’s BCI must be filed with ACRA, so I don’t think the PDPC would set a deadline for DPO registration with ACRA either.
However, the PDPC has been encouraging organisations to register with ACRA, so that DPOs can get support from resources created by the PDPC.
China
On 26 Jul 2024, the Ministry of Natural Resources issued the Measures for Providing Confidential Surveying and Mapping Results to External Parties. Before providing such results to foreign organisations or individuals, or to foreign-invested enterprises, in the course of foreign exchanges and cooperation, you must obtain approval from the State Council or the relevant local people’s government. If approval is granted, you must sign a confidentiality agreement with the foreign recipient.
Approval will not be granted if: (a) the government has not approved the foreign exchange and cooperation activity, (b) the purpose and use of the results are unclear, or the content of the results to be exported is inconsistent with the intended use, (c) exporting the results may endanger national security and interests, or (d) existing non-confidential surveying and mapping results can meet the need.
It sounds like the authorities will be scrutinising applications closely. Companies will have to be prepared to answer questions quickly, because the Measures say that if the approving authority cannot make a decision within 20 working days, it may extend the period by 10 working days (and then that might be it!). Companies will also have to be prepared for onsite inspections - the Measures say that, if necessary, the approving authority may organise an onsite inspection together with “confidentiality identification” and a safety assessment.
On 1 Aug 2024, the Ministry of Industry and Information Technology (MIIT) published for consultation the draft Notice on Further Strengthening the Management of Access, Recall and Online Software Upgrades of Intelligent Vehicles. The Notice requires enterprises to strengthen capacity building and improve product functions, performance, quality and safety. It promotes the establishment of an intelligent connected vehicle quality certification system, and deepens the State Administration for Market Regulation’s supervision of the automobile safety sandbox.
Thailand
On 17 Aug 2024, the Personal Data Protection Committee (PDPC) published the Royal Decree Determining the Characteristics of Businesses or Agencies Exempted from Certain Provisions of the Personal Data Protection Act (PDPA).
The Decree lists circumstances under which public and private sector data controllers are exempted from parts of the PDPA. Examples are:
A data controller receives a request for personal data (PD) from the National Anti-Corruption Commission, the Revenue Department, the Customs Department or the Excise Department.
A government agency is empowered to request PD in order to carry out legally defined duties and responsibilities.
Agency data leakage cases dropped from 31.50% in Nov ‘23 to 1.62% in Jul ‘24, according to an announcement by the Minister of Digital Economy and Society. The Personal Data Violation Watch Center (PDPC Eagle Eye) had been monitoring 31,561 agency websites. It found 6,086 cases of leakage and asked agencies to fix 6,081 of them. 139 cases of data sales were found, and 11 offenders were arrested.
I think it is commendable that the PDPC has been taking action to ensure that Thai government agencies are safeguarding citizens’ personal data. The Minister said that if agencies are found to have committed wrongdoings with serious impact, they will be severely punished and fined in accordance with the law.
Saudi Arabia
Rules for Appointing Personal Data Protection Officers: On 27 Aug 2024, the Saudi Data and Artificial Intelligence Authority (SDAIA) published the Rules. The Rules apply to Controllers only, and set out, among other things, the circumstances under which Controllers must appoint a DPO, the minimum requirements for appointing DPOs, and DPO roles and tasks.
Elaboration and Developing Privacy Policy Guideline: On 28 Aug 2024, SDAIA published the Guideline. It requires data controllers to generally include ten key elements in their privacy policy (e.g., methods and purposes of personal data collection, complaint and objection filing mechanism), and runs through controllers’ obligations in respect of each element.
See s11(5) of the PDPA and regulation 1A(1) of the Personal Data Protection Regulations.