Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Employers who continuously comply with the Transfer Limitation Obligation in the Personal Data Protection Act 2012 (PDPA, Sec. 26) and the Personal Data Protection Regulations 2014, are allowed to transfer personal employee data outside of Singapore. The law requires that any transfers of personal data outside of Singapore follow the standards set by the Act, by taking appropriate steps to ensure compliance. The recipient of the employee data is also bound by ‘legally enforceable obligations’ to provide a standard of data protection that is at least equivalent to the PDPA. There is no requirement to notify or obtain approval from the Personal Data Protection Commission (PDPC) when transferring employee data internationally.
Recipients of data protection can meet these 'legally enforceable obligations' through (Advisory Guidelines on Key Concepts in the PDPA, July 2017):
- any law;
- contracts which require the recipient to provide a comparable or higher level of data protection as the standard under the PDPA and, specify the countries/territories where the data may be transferred;
- binding corporate rules that: require all data recipients to provide a comparable or higher level of data protection as the standard under the PDPA; and, specify the countries/territories where the data may be transferred, the recipients, and the rights/obligations set by the rules; or,
- other legally binding instruments.
In terms of international standards, Singapore has joined the Asia Pacific Economic Corporation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. This enables personal data transfers between Singapore and other APEC Privacy Framework members (including Australia, Chinese Taipei, Japan, the Republic of Korea, the USA, Canada and Mexico).
In June 2020, the PDPC amended the Personal Data Protection Regulations to provide that recipients of personal data outside Singapore are considered to be legally bound to provide comparable protection for the transferred personal data if the recipient holds an APEC Cross-Border Privacy Rules (CBPR) or Privacy Recognition for Processors (PRP) certification granted/recognized under the laws of the country/territory to which personal data is transferred. This would allow Singapore employers to transfer personal data overseas to CBPR or PRP certified organizations more easily without meeting additional requirements. That said, organizations relying on this provision would need to complete the necessary due diligence to confirm whether the overseas recipient is CBPR or PRP certified under the laws of the relevant country/territory.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Singapore when a level of protection comparable to those under the PDPA can be ensured. Singapore employers who transfer personal employee data internationally to a related group of companies often use binding corporate rules. When transferring data to unrelated third parties who may transfer data out of Singapore (such as accounting firms), employers often use data transfer agreements.