Singapore: Evolving data privacy laws and what it means to privacy professionals


As the data privacy domain continues to evolve, Ethos BeathChapman reached out to Withers KhattarWong’s international arbitration specialist and tech disputes strategist, Shaun Leong, FCIArb, to seek his perspective on the changes and challenges ahead for data privacy professionals. Read his in-depth interview below.

What are the biggest topics or trends data privacy professionals must be well-versed on or learn more about?

A.I. technology is set to be an upcoming area of focus in data protection that data privacy professionals would have to watch out for. I think regulation trends come in waves. We are all familiar with the wave of financial regulation that came with the collapse of Lehman. In more recent times, the past two years have seen tremendous focus and activity in the area of data protection. I foresee that we are moving on slowly but surely to the next wave which will focus on the governance of the use of A.I. technology. In some countries, white papers and guidelines have been published on this topic around the fair, ethical and transparent use of A.I. data technology. We may very well be looking at “ethical regulation” very soon when it comes to the use of A.I.

In the realm of dispute resolution, the incidence of A.I. disputes is increasing where autonomous systems start making mistakes. This gives rise to several novel key issues around A.I. liability, including the multiple stakeholders who may be liable (the A.I. producer, developer, maintainer and operator), as well as situations where harm was caused by the technology after the proprietary principal has licensed or sold away from its technology.

The next aspect data privacy professionals should pay attention to is digital security, or what is commonly termed cyber security. This is closely aligned with disciplines in data protection. We are becoming more focused on digital security in terms of data security across all realms and data privacy professionals play a major role. This is not limited to the technical or legal aspects but encompasses different practices.

What are the major challenges in data privacy resulting from the Covid-19 pandemic?

It is imperative that data privacy professionals first understand that being knowledgeable in GDPR, PDPA, or any data protection rules is no longer enough. The realm of data privacy or data protection laws has taken on a new angle with Covid-19 as many jurisdictions and countries around the world now have to balance public health, public security and the right to privacy or data protection.

As such, data privacy professionals would have to be adept at involving themselves in other areas of law (for example, public health and safety laws), in addition to the usual familiarity with data protection rules. This is even more so for data privacy professionals working at the international level, where there is a need to manage the differing approaches to public health and safety laws, and data protection across a myriad of jurisdictions.

For most governments, personal data, data protection and rights to privacy were focus areas even before the pandemic struck. What the pandemic revealed was that the conversations around these issues cannot not take place in a vacuum. Any conversation about our rights to privacy must take place in the real world. Analysing it from that perspective gives rise to the conversation that privacy, while fundamental, may not necessarily be an absolute right, but an important right that has to be balanced against other considerations.

The pandemic offers governments and major corporations all over the world an opportunity to learn from the lessons of today’s crisis and prepare for the next health crisis or the next disaster.

What do you forecast will be the biggest changes in data privacy and security in 2021 and beyond?

In Singapore at least, we are looking at an increase in financial penalties. We have borrowed from the mandatory reporting regime from the USA. This means that parent companies that collect data from customers and share this data with their business vendors downstream must ensure that any data breaches in their vendors or sister companies be reported immediately to them so that the breach can be reported to PDPC in a timely manner. It is early days yet and it remains to be seen how the new rules will pan out in practice.

Governments all over the world will also be expected to reform data protection laws in the post-crisis (or post Covid-19) world. I see this happening in two major areas, the health sector and the economy. To ensure that governments maintain an optimal level of readiness to tackle future crises, personal data protection rights would have to be balanced against public health considerations. On the economic front, governments may step up the gathering of data for analysis of employment figures for instance, in order to implement the right policies.

Finally, private regulation (in addition to public regulation) of data protection is set to become a real game changer in shaping business conduct. There is a rising trend where you see people suing for damages en masse, via a class action for example, for breaches of privacy. We already have quite a few notable cases in Europe, and this trend could make its way to Asia in time to come. For instance, customers of British Airways were subject to form-jacking in 2019. This resulted in half a million customers suing British Airways. The High Court of England and Wales gave the approval for class action suits to proceed. This shows that aside from government fines, companies may have to pay millions in damages to customers.

Do you expect exponential growth in demand for data privacy expertise to continue in 2021 to 2022?

In the current climate, I am not sure if this is necessarily a priority focus for businesses in this tough economic situation throughout the Covid-19 pandemic. However, data privacy laws all over the world are expected to evolve and go through reforms in due course, perhaps in the second half of 2021, and likely in the post-pandemic world. Companies will likely allocate more resources for data privacy professionals than to manage the changes in regulations.

Why is a career in data privacy rewarding?

A career in data privacy uniquely positions you in the frontline, where you get to immerse yourself in the latest innovations in technology and involve yourself in modern, contemporaneous problems. You would face challenges created by novel situations, an evolving legal environment and your challenge is to manage these with an acute understanding of the latest laws.

At the same time, you have to keep your finger on the pulse and be attuned to what the tech companies are doing, from blockchain to cloud, to the internet of things, to the latest developments in a smartphone application, so that your advice is relevant and commercially viable. If you are a dynamic individual who thrives in a rapidly evolving environment; if you love the challenge of integrating your knowledge of the law with your interest and passion in data and the latest technology – you will find this path a rewarding one.

What actionable advice would you offer to lawyers wanting to pivot into data privacy?

My advice would be to be constantly learning and reading. One simple way to ensure that you are regularly updated on the latest developments in the technology sector is to subscribe to the technology section of major publications. Constantly shaped by advancements in technology that impact key aspects of daily life, data privacy is an area like no other that continues to evolve every day.

This article was first published by Ethos BeathChapman here on 19 January 2021.

Category: Article