On 2 November 2020, the Singapore Parliament passed the Personal Data Protection (Amendment) Bill 2020 (Bill No. 37/2020) to amend the Personal Data Protection Act 2012 (PDPA). It has now been announced that the amendments will enter into force in phases, with the first phase taking effect from 1 February 2021. These include the mandatory data breach notification requirement, provisions relating to consent and access, and the Do Not Call Provisions.
Yet to take effect is the data portability obligation, which was introduced into the PDPA by the 2020 amendments. Pending regulations to be prescribed by the Singapore government on the details of this data portability obligation, we will explore in this article the European experience and some of the challenges in dealing with a similar right to data portability under the General Data Protection Regulation (EU) 679/2016 ("GDPR").
How should businesses get ready to comply with the data portability obligation and what are the common pitfalls they should beware of and be ready to address now?
Organisations need to:
Understand to what extent the legislation applies to their business
Is the organisation subject to the requirements of the PDPA? Are the organisation's customers entitled to the rights (including the data portability obligation) enshrined in the PDPA? Where the answer to the preceding questions is yes, what information in the organisation's possession and control is subject to the data portability obligation? Once the relevant information is identified, organisations should work on a standard procedure for the fulfillment of requests.
Enable the exercise of the customers' right to data portability
The organisation should ensure the data protection role in its business is properly staffed. A channel to receive rights requests (including the right to data portability requests) needs to be established and should be notified to the concerned individuals. In practice, this can be achieved by the creation of a dedicated email inbox for requests made available in the organisation's privacy notice. In the alternative, organisations may consider establishing automated or self-service portals that may help streamline the response process. On the other hand, organisations offering digital services may wish to join existing initiatives, such as the Data Transfer Project developed by Apple, Facebook, Google, Microsoft and Twitter, that aims to 'enable all individuals across the web [to] easily move their data between online service providers whenever they want.'
Operationalise the data portability obligation
First and foremost, an organisation needs to be able to identify a data portability request, which may be challenging, particularly for requests received via email that are not explicit enough and may be mistaken for a request for access to personal data instead. It is likely necessary to train staff to identify such requests.
The organisation should establish, maintain and review a policy for dealing with requests to ensure (i) the relevant staff have a point of reference and (ii) all requests are dealt with in the same way. The policy should establish, among other things, a process for:
verifying the requesting individuals' identity; i.e. is the individual genuinely making a request in respect of their own personal data?
verifying the requesting individual is entitled to the right to data portability in respect of the information requested to be ported; i.e. is the data personal?
acknowledging receipt of a rights request; i.e. when does the clock start ticking?
monitoring compliance with the applicable timeframe (which is one month under the GDPR); i.e. when is the deadline?
carrying out data extraction; i.e. what data is subject to the request and what isn’t?
carrying out data porting; i.e. what data formats does the recipient accept?
informing the individual of the fulfillment of their request; i.e. is the case effectively closed?
Operationalising the data portability obligation may be challenging in practice. The list of issues below covers some of the challenges related to the right to data portability identified in the European experience in dealing with the same right under the GDPR.
Verifying the requesting individuals' identity
Before attending to a data portability request, the organisation needs to verify the requestor's identity. Such verification would inevitably involve the processing of some personal data. Such additional processing must be proportionate. For example, asking a requestor to provide a passport copy and a recent utility bill is very likely to be excessive if the requestor is an existing customer of the organisation and his/her identity can be confirmed by far less intrusive means, such as requiring the requestor to log in to a secure portal using a username/email address and a password.
Identifying and extracting the relevant data
Most datasets are mixed and entail both personal and non-personal data. However, the right to data portability covers personal data only. Organisations need to decide whether it is worth investing in systems that enable segregating personal data from non-personal data or whether it is (commercially) preferable to port the entire relevant dataset to the recipient organisation, which in many cases will be a competitor.
Formatting the relevant data
European Guidance on Data Protection Legislation suggests ‘structured, commonly used, and machine-readable’ formats are XML, JSON and CSV, together with the underlying metadata. Studies suggest that EML, ICS, MBOX, TEX and VCS are also suitable. Where the affected organisations do not hold personal data in such formats, they need to ensure that (i) datasets are exportable in such formats and (ii) such formats are accepted by the receiving organisation.
In a study conducted in the EU involving 230 real-world data portability requests across a wide range of data controllers, the most popular formats used were tabular CSV or Excel (XLS or XLSX) files. However, a variety of formats such as screenshots and PDF scans, which were not machine-readable and were non-compliant, were also used. This shows that many data controllers were unsure which file formats should be used for such responses and that there was no industry standard for data portability.
The development of new guidance, standards, or codes of conduct involving multiple stakeholders including lawyers, policymakers, computer scientists, and data controllers may help convince receiving organisations to accept and action such data formats.
The exercise of the right to data portability will inevitably entail the transfer of information via the Internet. No transfers over the Internet are entirely secure but utmost attention must be paid to taking all reasonable measures to make the transfer as secure as possible. It is not inconceivable that poor security practices resulting in an unauthorised disclosure of personal data in transit to a recipient organisation as a result of a data portability request will expose the organisation to a personal data breach under the PDPA. Indeed, the aforementioned study observed one data breach where the data controller's response included the personal data of other data subjects.
Password protection and encryption in transit are the bare minimum measures organisations can adopt to ensure the security of the transferred data. Means of exchange should also be agreed, as some channels of exchange are inherently less secure than others. For example, transmission of personal datasets over email is likely to be considered inadequate where another more secure alternative is available, such as downloading through a secure portal. It is worth noting that many file types used to fulfill porting requests are often flagged by email spam filters and may fail to reach the requestor.
Depending on the amount of personal data held in respect of each customer, and on the preferred approach for fulfilling the right to data portability, complying with a request within a 30-day period would be challenging, as seen from studies conducted in the EU. That may particularly be the case where the approach is to manually segregate personal data from non-personal data. On the other hand, agreeing on what a ‘structured, commonly used, and machine-readable’ format means for the receiving organisation may also take time. Reformatting information may produce extra delays.
In practice, it is most likely that individuals exercise their right to data portability in order to port data to organisations offering equivalent or at least similar services. With this in mind, it may be prudent to liaise with other players on the market (just like Apple, Facebook, Google, Microsoft and Twitter have done with the Data Transfer Project) in view of agreeing on suitable data formats which could help expedite fulfilling any incoming requests.
It is hoped that there will be greater clarity on the PDPA's data portability obligation once the relevant regulations are issued. In the meantime, organisations in Singapore may learn from the European experience in dealing with the GDPR's right to data portability and begin to lay the groundwork for operationalising the PDPA's data portability obligation.