India’s omnibus data protection legislation, the Digital Personal Data Protection Act, 2023 (“India’s DPDPA”), was passed and gazetted in August 2023. Notably, it shares several common concepts with Singapore’s Personal Data Protection Act 2012 (“Singapore’s PDPA”), some of which are not readily found in other laws including the European Union’s General Data Protection Regulation (“GDPR“). These commonalities are beneficial in several ways:
- For companies unfamiliar with the concepts in India’s DPDPA and looking to gain a better understanding, Singapore may serve as a useful point of reference, at least until supplemental regulations are issued in India.
- From a harmonisation perspective, there are opportunities for the regulators in India and Singapore to collaboratively develop the jurisprudence around the common concepts. The two countries can potentially look to each other for ideas, precedents, or knowledge.
- Compliance costs may be reduced for Indian and Singaporean entities involved in bilateral trade, as well as global corporations operating in both countries. They will benefit from the familiar concepts and less friction in their regional compliance efforts.
- VOLUNTARY PROVISION/DEEMED CONSENT
Under India’s DPDPA, a Data Fiduciary (i.e. the equivalent of a Data Controller under the GDPR) may process personal data of a Data Principal (i.e. the equivalent of a Data Subject under the GDPR) “for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data”. India does not explicitly recognise contractual necessity or legitimate interests as lawful grounds for data processing. As a result, organisations are naturally looking to rely on this concept of “voluntary provision” as a significant alternative legal basis. It remains to be seen how this will be developed in India’s supplemental regulations.
The “voluntary provision” concept appears to be comparable to Singapore’s “deemed consent by conduct”. Under Section 15(1) of Singapore’s PDPA, “an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if (a) the individual … voluntarily provides the personal data to the organisation for that purpose; and (b) it is reasonable that the individual would voluntarily provide the data”. This concept of “deemed consent by conduct” in Singapore is elucidated by advisory guidelines issued by the Personal Data Protection Commission of Singapore (“Singapore’s PDPC”), which for example explain that “the purposes [for which organizations can process personal data in reliance on deemed consent] are limited to those that are objectively obvious and reasonably appropriate from the surrounding circumstances”.
- EXEMPTIONS FOR PUBLICLY AVAILABLE DATA
India’s DPDPA does not apply to “personal data that is made or caused to be made publicly available.” It provides a helpful illustration as to how personal data may be made publicly available, but does not otherwise expand on the concept of public availability.
In Singapore, an exemption for publicly available data also exists, albeit to a narrower degree. Under Singapore’s PDPA, publicly available data can be collected, used, and disclosed without consent. Singapore’s PDPA provides a definition of publicly available data, which is “personal data that is generally available to the public,and includes personal data which can be observed by reasonably expected means at a location or an event (a) at which the individual appears; and (b) that is open to the public”. Singapore’s PDPC has published advisory guidelines explaining the nature of public availability and providing guidance on interesting issues such as the status of CCTV footage, in-vehicle recordings, and data found on public websites and online social networks.
Outside of India, Singapore and a few other jurisdictions (including, notably, China), broad exemptions for publicly available data are not common in the global context. This was recognized in a recent joint statement from twelve jurisdictions (including Australia, Canada, Hong Kong, and the UK) on data scraping on social media platforms and other publicly accessible sites. In this, the regulators noted that there was no general exemption for publicly available data under their data protection laws.
- EXEMPTIONS FOR PUBLIC AUTHORITIES
India’s DPDPA provides a significant range of exemptions for the processing of personal data by public authorities. Additionally, the government is empowered to vary the scope of certain exemptions by notice from time to time.
Under Singapore’s PDPA, broad exemptions are also available for public authorities, which include (a) the government and any ministry, department, agency, or organ of state; (b) any tribunal appointed under any written law; or (c) any statutory body specified by notification in the gazette.
Notably, the exemptions for public authorities under the GDPR are significantly narrower.
- BUSINESS CONTACT INFORMATION
India’s DPDPA requires that “a Data Fiduciary must publish the business contact information of a Data Protection Officer…” However, “business contact information” is not defined.
The term “business contact information” is also found in Singapore’s PDPA and is defined as “an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes”.
Significant sections of Singapore’s PDPA do not apply to business contact information. This strikes a balance between an individual’s privacy rights and commercial needs. Although India’s DPDPA does not currently harness the concept of business contact information in this way, this could be an opportunity for harmonization.
It is evident and encouraging that India’s DPDPA and Singapore’s PDPA share several common concepts which, taken collectively, are rather unique to these countries. This creates opportunities for further regional harmonization. In the meantime, companies may find it helpful to refer to Singapore’s PDPA for assistance in understanding these common concepts.
Advocate and Solicitor
HERBERT SMITH FREEHILLS CONTACTS