Cloud Control - What Singapore’s new data protection law means for mobile app development

27 December 2012

Jinesh Lalwani

Mobile apps are keen miners of information. Many of these apps are designed to “pull” information stored on a mobile device - such as location-based data, photos and contact information - and send them to remote servers ‘in the cloud’ for a variety of services. These services include e-commerce, storage and gaming. The idea is that the more data is pulled, the more robust the user experience on the app and the more revenue generated.

While it is tempting to make mobile apps as information rich as possible, app makers and owners - being companies that commission and ultimately own the app - should carefully consider what sort of information is being managed by these mobile apps as well as how APIs handle information, as these are impacted by Singapore’s Personal Data Protection Act 2012 (“PDPA”).

The PDPA, Singapore’s first general law governing the protection of data, comes into effect in 2013, with an 18 month sunrise period for organisations to comply with data protection requirements.

Mobile app makers and owners should consider data protection implications at the early stages of development, in order not to be tripped up later down the road when seeking funding or capital injections, crucial for scaling and monetizing apps.

Here are 6 pointers about the PDPA to keep in mind when building a mobile app:

1. Know what information is considered personal data under the PDPA

The PDPA governs the collection, use and disclosure of “personal data” by organisations. While most mobile apps collect information from users, not all mobile apps collect personal data. “Personal data” means “data, whether true or not, about an individual who can be identified - (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access” (Section 2 PDPA).

Objective markers of identification, such as names and NRIC numbers, would be considered personal data. Other information commonly collected by apps - such as email addresses, phone numbers, traits, habits and observations - may or may not be personal data. Whether such information is considered personal data would depend on the totality of information an app maker or owner has on the individual as well as the uniqueness of the data which could lead to the individual being identified.

Crowd-sourced data, including location-based data and user-generated content, may also be personal data, depending on several factors, including whether the data has been anonymised.

2. Know the exceptions to consent under the PDPA

Under the PDPA, consent is required before the collection, use or disclosure of personal data. However, there are exceptions where no consent is required. The exceptions to this requirement may influence the type of apps to develop. One exception is that no consent is required for the collection, use and disclosure of personal data which is publicly available. Online sites, including blogs and social networking websites, may be considered publicly available sources. App makers may wish to build apps to take advantage of this exception.

3. Mobile app development companies operating outside of Singapore may have to comply with the PDPA

The PDPA applies to private sector organisations whether or not formed, resident or having an office or place of business in Singapore. It also applies to individuals who are using the data other than for domestic or personal use. The PDPA would therefore apply to app makers and owners, whether they are companies or individuals.

If personal data is collected from Singapore, including from individuals in Singapore, the Act will bite. App makers and owners looking to offer their apps to a Singapore market should bear this in mind before launching the app on the Singapore Apple App store or the Google Play store.

Be picky about your cloud operator

Many app makers and owners leverage third party cloud storage or backend IT architecture solutions in order to minimize upfront capital expenditure on infrastructure. App makers and owners may need to scrutinize these third parties more carefully under the PDPA.

If the personal data is transferred outside Singapore, app makers and owners must ensure that organisations receiving this data provide a standard of protection to personal data comparable to that under the PDPA. This may have an impact on an app owner’s choice of an overseas 3rd party cloud vendor or server company, if data is transferred to them. Low cost cloud storage solutions provided by companies with poor data protection standards may not be feasible. Likewise, using servers based in countries with comparatively weaker data protection regimes may also be a risk factor.

5. App makers are responsible for personal data in their possession or under their control

While app makers are ultimately responsible for personal data, data intermediaries which process personal data on behalf of the former do not have to comply with the data protection rules (except with regard to protection and retention of the data), if these intermediaries process personal data on behalf of and for the purposes of another organisation pursuant to a written contract. The act of processing includes recording, holding, retrieval, transmission and adaptation. 

It is important therefore that contracts between app owners and data intermediaries balance the allocation of risk appropriately, with adequate representations and warranties.

6. Ensure your privacy policy is compliant with data protection requirements

Even though there is a sunrise period before the data protection provisions of the PDPA become effective, we would encourage app makers and owners to identify vulnerabilities in their data protection strategy.

App makers and owners may consider putting in place a compliance plan for data protection, conducting privacy audits or ensuring an app’s privacy policy is complaint with the PDPA. The Personal Data Protection Commission is empowered to impose financial penalties of up to $1 million for non-compliance with the PDPA.

Other articles related to the Pulse newsletter for December 2012:

> Shareholders of suspended SGX-listed companies need timely updates and adequate disclosure

> Divorce Proceedings by Habitual Residents – The Singapore Courts’ Jurisdiction

> No tax avoidance - Singapore High Court upholds corporate restructuring

> Amendments to the Securities and Futures Act and regulations thereunder