Sidestepping the perils of data breaches in Singapore

Data privacy has become an increasingly pertinent issue in recent times. Currently hogging all the headlines is, of course, Facebook. It has been reported that hundreds of millions of Facebook users are likely to have had their private information harvested by companies that exploited the same terms as the firm that collected data and passed it on to Cambridge Analytica.

The increasing reliance on cloud hosted information storage raises questions for both businesses and governments about how best to protect the privacy of consumer data. In the years prior to 2012, Singapore-based businesses saw an increased reliance on collecting, using, and storing personal data as part of their operations.

In 2015, China-based smartphone maker Xiaomi slid into legal hot water in Singapore, about its apparent lack of privacy protection. A complaint was filed by a phone user here, alleging that his personal data had been disclosed without consent.He claimed he had received unsolicited calls from overseas after using his Xiaomi phone.

More recently, the personal information of 380,000 people, including names, e-mail addresses and mobile phone numbers, were exposed when Uber was hacked in 2017 - owning up to what is Singapore's largest data breach to date, weeks after Uber came under fire for trying to conceal the hack that involved 57 million Uber riders and drivers worldwide.

Sandy Parakilas, a former platform operations manager at Facebook responsible for policing data breaches by third-party software developers, told The Guardian “a majority of Facebook users” could have had their data harvested by app developers without their knowledge.

"Privacy on Facebook is a contradiction in terms," said Silkie Carlo, the director of Big Brother Watch. "This 'scandal' isn't a data breach, but rather Facebook's business model laid bare. People have finally been confronted with the democratic risks of big data exploitation that privacy advocates like us have been warning about for years."

Although Mark Zuckerberg has increased data security protocols – and vowed to be more responsible with users’ data in the future – the reputational damage was reflected in the social media monopolist’s stock price tumbling. Full page apologies to Facebook users have been posted in the press in an attempt to show contrition and re-establish trust. However, it is clear that there is a disparity between Facebook’s business model and the concept of data protection. Consequently, users worldwide are currently reconsidering the value of their privacy balanced against the benefits of the platform – and the #DeleteFacebook movement has gained momentum, with proponents ranging from Elon Musk to the co-founder of social media rival Snapchat.

The Facebook scandal – if that’s what it is – comes hot on the heels of news regarding Mossack Fonseca. The now notorious Panamanian firm, the world’s fourth-biggest offshore law firm, was at the centre of the Panama Papers scandal: an unprecedented leak of 11.5m files from Mossack Fonseca’s internal database.

The leak was one of the biggest ever – larger than the US diplomatic cables released by WikiLeaks in 2010, and the secret intelligence documents given to journalists by Edward Snowden in 2013. The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung – and the leaked files from the company provoked a global reaction in 2016 after exposing how certain offshore corporations were being used. The substance of the activities revealed by the leak (as is the case with the subsequent Paradise Papers) is quite insignificant, in comparison to the impact on the firm itself. Mossack Fonseca is announcing it is shutting down; the firm’s directors blamed the economic and reputational damage inflicted by the leak for its closure.

The Mossack Fonseca story is purely a data security issue, whereas the Facebook story asks wider questions about handling user data responsibly. It is clear that data security and responsibility are increasingly serious issues. In the UK, for example, such incidents are prompting moves to fast track tougher data protection laws in response. Emergency measures will be added to the UK Government's Data Protection Bill.

Meanwhile, the EU's General Data Protection Regulation (“GDPR”), the culmination of four years of efforts to update data protection for the 21st century, will apply in all EU member states from 25 May 2018. GDPR seeks to give people more control over how organisations use their data, and introduced hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It will cover the data of all EU nationals – including those in Singapore.

In Singapore, data protection is nothing new. In 2014, the Personal Data Protection Act (“PDPA”) established a comprehensive data protection regime. The PDPA carries significant implications for all organisations operating in Singapore that hold data on natural persons. It imposes a set of data protection obligations with which organisations must comply – including the requirement for all companies to appoint data protection officers (“DPOs”), whose job is to better equip companies for an increasingly digital future. DPOs will help ensure that organisations safeguard against the wrongful collection, use and disclosure of personal data. Organisations that fail to comply with its data protection obligations risks regulatory sanctions in the form of heavy fines, as well as private civil action.

To cite a couple of recent examples, a penalty of $10,000 was imposed on Credit Counselling Singapore for failing to make reasonable security arrangements to protect personal data of its debt management programme clients when sending out email. The same fine was imposed on ComGateway for not protecting its webpage against URL manipulation, which resulted in unauthorised disclosure of its customers' personal data.

All organisations in Singapore, whether sole traders, partnerships, or holding/trading companies, should note the increasing public concern about this issue, and the local and international legal framework that is evolving in response. There are many companies assisting companies in Singapore to comply with PDPO and GDPR. This will keep our clients in line with current regulations and help avoid the substantial business impacts felt by Facebook and Mossack Fonseca.