I.C Privacy and data protection

Privacy and data protection are important elements of the legal landscape of electronic commerce, as they may impose conditions on the transfer of data between the parties. This section aims to identify laws relating to privacy and data protection, with special attention to those relevant to paperless trade.

I.C.1 Is there a law on privacy and data protection? If so, what are its features? Is it based on international standards?

Privacy and data protection are notions that may differ across regions and contexts. For the purposes of the checklist, privacy and data protection law is the law that sets the conditions for the collection of, access to, and use and transfer of data, as well as for its storage and preservation. Often, that law establishes a dedicated authority for its enforcement.

The content of privacy and data protection laws may vary significantly. States may take inspiration from international standards. At the global level, the Organization for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 2013 offer a set of relevant principles. At the regional level, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework 2015 also contains relevant principles that can be implemented through the APEC Cross-Border Privacy Rules (CBPR) System.

Privacy and data protection laws often protect a specific set of data, referred to as personal data, personal information or personally identifiable information. This set of data may include data relevant for paperless trade.

I.C.2 Does domestic law address the transfer of data abroad?

Privacy law may deal with the transfer of data (including data used in paperless trade) overseas. Often, exporting data is allowed only on the condition that the destination country provides a comparable standard of data protection.

Section 26 of the Singapore Personal Data Protection Act 2012 states this kind of rule expressly.

26. Transfer of personal data outside Singapore

1. An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.

While the Personal Data Protection Act 2012 is baseline privacy legislation, it does not supersede other existing statutes dealing with the protection of personal data, such as the Banking Act 2008 (Cap. 19). Instead, it works in conjunction with them.

Section 26 of the Personal Data Protection Act 2012, Regulation 9 of the Personal Data Protection Regulations 2014 and Paragraph 19 of the Personal Data Protection Commission's guidance jointly provide a range of legal bases and mechanisms for transferring personal data to a country or territory outside Singapore. These include the use of contractual agreements to ensure that the overseas recipient is legally bound to provide a comparable standard of protection. The use of a contractual arrangement (bilateral or regional) is consistent with Article 7 of the Association of Southeast Asian Nations (ASEAN) Protocol to Establish and Implement the ASEAN Single Window (ASW) 2015 ("Legal Framework"), to which Singapore is a party.

Parts III to VI and Regulation 9(1)(a) and (b) of the Personal Data Protection Regulations 2014 set out the requirements for transferring personal data outside Singapore and define what constitutes a "legally enforceable obligation" providing a standard of protection at least comparable to that under the Personal Data Protection Act 2012 for personal data transferred overseas pursuant to section 26.

Privacy and data protection in cross-border data transfer may also be governed by industry-specific agreements. For example, the privacy regime in the financial sector may be enforced by a delegated authority that regulates financial institutions and enforces the obligation under the laws governing financial transactions.

In some cases, States enact laws so that data can flow to them from commercially significant partners. The European Union Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation or "GDPR", establishes a system for the transfer of data outside the European Union that may require such legislative action by the receiving State.

I.C.3 Do international agreements contain provisions relevant to privacy and data protection?

Provisions on privacy and data protection in cross-border settings may also be contained in international agreements, such as the electronic commerce chapters of free trade agreements. These provisions, which aim to ensure a degree of legal uniformity, require States to develop privacy and data protection laws accordingly and may refer to international principles and guidelines.

For example, Article 14.8 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) provides:

14.8. Personal information protection

1. … each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of users of electronic commerce. In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies.

5. Recognising that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote compatibility between these different regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks. To this end, the Parties shall endeavour to exchange information on any such mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them.

International agreements may be bilateral or multilateral, of general application or sector specific.

I.C.4 Does the law require data localization? If so, does it apply to paperless trade?

The law may prescribe "data localization", i.e. the collection, processing and storage of data, or of certain types of data, within a particular jurisdiction. This may be done for security or other reasons. Data localization requirements may also be agreed upon in contracts. Data localization may significantly affect the design and operation of an information system; for instance, it may in practice impede the use of certain technologies such as cloud computing.

Provisions on data localization may also be found in free trade agreements (FTAs). In that case, however, the provisions normally aim to limit the ability of States to require data localization, as it is seen as an obstacle to data flows.

For example, Article 14.13 of the CPTPP provides:

14.13. Location of computing facilities

1. The Parties recognise that each Party may have its own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.

2. No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.

3. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.

I.C.5 Are there any special rules on privacy and data protection for paperless trade?

The notions of data integrity, data security and data protection are used in different contexts and should not be conflated. Data integrity concerns individual records: does a digital signature, verifiable against a valid PKI certificate, give assurance that this record has not been altered since it was signed? Data security concerns the protection of systems and databases against unauthorized access: for example, is multifactor authentication required to reach the system holding the records? Privacy and data protection law concerns the limits on collecting, using and transferring data, in particular personal data. As noted above (I.C.1), general privacy and data protection law could regulate all aspects of protecting personal information, including in paperless trade. However, sector-specific laws (such as those on banking or customs) may take precedence over general privacy laws. Contractual agreements (for example, with a single window operator) may also be relevant.
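The distinction drawn above is easy to demonstrate in code. The following is an added illustration, not part of the checklist or of any national implementation: a constructed trade record is sealed with a keyed integrity tag, and the check shows that an altered record (or a record verified against the wrong key) is rejected while a mere reordering of fields is not. The field names, the key and the record contents are assumptions made for the example. Because the example uses only the Python standard library, an HMAC over a shared secret stands in for the PKI-based digital signature a real system would use; the verification logic is otherwise the same.

```python
import hashlib
import hmac
import json

# Constructed sample record, as might be exchanged in a paperless trade
# system. Field names and values are illustrative assumptions.
TRADE_RECORD = {
    "declaration_id": "DECL-0001",
    "consignee": "Example Importer Pte Ltd",
    "hs_code": "850440",
    "declared_value": 12500.00,
    "currency": "USD",
}

# Hypothetical shared key. A PKI deployment would instead verify a digital
# signature against the sender's certificate; an HMAC is used here only so
# the example runs with the standard library.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def canonicalize(record: dict) -> bytes:
    """Serialize deterministically: same content, same bytes, whatever the field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> str:
    """Produce the integrity tag (stand-in for a signature) over the canonical record."""
    return hmac.new(key, canonicalize(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the one received."""
    return hmac.compare_digest(seal(record, key), tag)


def demo() -> dict:
    tag = seal(TRADE_RECORD, SIGNING_KEY)

    # Same content, different field order: canonicalization makes this pass.
    reordered = dict(reversed(list(TRADE_RECORD.items())))

    # Undervaluation of the goods after sealing: must be detected.
    tampered = dict(TRADE_RECORD, declared_value=1250.00)

    # A field removed after sealing: must also be detected.
    truncated = {k: v for k, v in TRADE_RECORD.items() if k != "consignee"}

    return {
        "intact": verify(TRADE_RECORD, tag, SIGNING_KEY),
        "reordered": verify(reordered, tag, SIGNING_KEY),
        "tampered": verify(tampered, tag, SIGNING_KEY),
        "truncated": verify(truncated, tag, SIGNING_KEY),
        "wrong_key": verify(TRADE_RECORD, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} -> {'accepted' if ok else 'rejected'}")
```

Note what the check does and does not establish: it tells the recipient whether the record is the one that was sealed, but the consignee's name is still readable in the clear by anyone holding the record. Protecting that field from disclosure is a matter of access control and of the transfer limits discussed in I.C.2, not of integrity.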

I.C.6 Does the law protect the confidentiality of commercial information in electronic form?

Commercial and trade-related documents may contain information, such as undisclosed know-how and trade secrets, that is confidential. Such information may be useful, for example, for marketing, supply-chain management or manufacturing purposes.

Confidentiality protects information from unauthorized access, use or disclosure that could be prejudicial to businesses' interests. General laws on commercial confidentiality may apply to information in any form, including electronic. Specific laws on the confidentiality of electronic information may also exist.

In Singapore, section 28 of the Electronic Transactions Act 2010 (Cap. 88) imposes confidentiality obligations where information is obtained in the performance of duties or the exercise of powers under the Act.

28. Obligation of confidentiality

1. No person shall disclose any information which has been obtained by him in the performance of his duties or the exercise of his powers under this Act, unless such disclosure is made:

a. With the permission of the person from whom the information was obtained or, where the information is the confidential information of a third person, with the permission of the third person;

b. For the purpose of the administration or enforcement of this Act;

c. For the purpose of assisting any public officer or officer of any other statutory board in the investigation or prosecution of any offence under any written law; or

d. In compliance with the requirement of any court or the provisions of any written law.

2. For the purposes of this section, the reference to a person disclosing any information includes his permitting any other person to have access to any electronic record, book, register, correspondence, information, document or other material which has been obtained by him in the performance of his duties or the exercise of his powers under this Act.

3. Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both.

Moreover, specific provisions may apply to certain instances, for example, disclosure of information submitted to an electronic single window. Australia has adopted a provision for protecting confidential information submitted in accordance with the Customs Act 1901 (Cth) from unauthorized disclosure, including information whose disclosure could prejudice the competitive position of the person providing the information.

233BABAF. Using information held by the Commonwealth

1. A person commits an offence if:

a. the person obtains information; and

b. the information is restricted information; and

c. the person uses the information to commit an offence against a law of the Commonwealth, a State or a Territory.

Penalty: Imprisonment for 2 years or 120 penalty units, or both.

4. In this section:

restricted information means information:

a) held in a computer owned, leased or operated by the Commonwealth for use for the purposes of the Customs Act; and

b) to which access is restricted by an access control system associated with a function of the computer.

Liability for disclosure of confidential information may arise from statutory or contractual provisions. Either civil or criminal liability is possible, or both.

I.C.7 Are there provisions on cybercrimes that are applicable to paperless trade?

Many countries have established general penalties for unauthorized access to, alteration of, or other misuse of information stored, communicated or processed by a computer system or network. General cybercrime law could therefore also apply to unauthorized access to information held in paperless trade systems.

In some cases, dedicated provisions may exist. Articles 30 to 33 of the Electronic Trade Facilitation Act 2015 of the Republic of Korea impose criminal sanctions for various abuses of the information of an electronic trade infrastructure business entity, which is an entity designated to manage an information system that “intermediates, keeps and certifies electronic trade documents by systematically interlinking traders with trade-related agencies through information and communications networks”.

30. (Penalty Provisions)

(1) Any of the following persons shall be punished by imprisonment with labor for not more than ten years or by a fine not exceeding 100 million won:

1. A person who forges or alters any electronic trade document recorded in the computer files of an electronic trade infrastructure business entity, a person sending or receiving electronic trade document, a trader, or a trade-related agency, or any trade information entered in their database, or uses any forged or altered electronic trade document or trade information, in violation of Article 20 (1);

2. A person who has a certificate under Article 17 (1) issued by means of information processing, etc. after entering false information or improper orders in a computer or any other information processing device of an electronic trade infrastructure business entity, in violation of Article 20 (2).

(2) A person who attempts to commit a crime as described in paragraph (1) shall be punished.

31. (Penalty Provisions)

Any of the following persons shall be punished by imprisonment with labor for not more than five years or by a fine not exceeding 50 million won:

1. A person who conducts the business affairs provided for in Article 6 (2) 1 through 3 without having been designated as an electronic trade infrastructure business entity, in violation of Article 6 (3);

2. A person who damages any electronic document recorded in the computer files of an electronic trade infrastructure business entity, a person sending or receiving electronic trade document, a trader, or a trade-related agency, or any trade information entered in their database, or infringes on their business secret, in violation of Article 20 (3);

3. A person who divulges or abuses any confidential information pertaining to electronic trade documents or trade information that he/she has become aware of in conducting business, in violation of Article 20 (4);

4. An electronic trade infrastructure business entity that fails to keep electronic documents or databases for three years, in violation of Article 20 (5).

32. (Penalty Provisions)

A person who conducts business affairs falling under any subparagraph of Article 12 (1) by means of electronic documents without using electronic trade infrastructure in violation of the proviso to Article 12 (1) shall be punished by a fine not exceeding 20 million won.

33. (Joint Penalty Provisions)

If the representative of a corporation, or an agent or employee of, or any other person employed by, the corporation or an individual commits any violation falling under any of Articles 30 through 32 in conducting the business affairs of the corporation or individual, not only shall such violator be punished, but the corporation or individual shall also be punished by a fine referred to in the relevant provisions: Provided, That this shall not apply where such corporation or individual has not been negligent in giving due attention and supervision concerning the relevant duties in order to prevent such offence.