    10:31 PM Gary Leow (LL.B., Singapore Management University) and Sean Lim (LL.B., Singapore Management University)

    Examining the Proposed Legitimate Interests Basis in Singapore’s Personal Data Protection Act: Comparisons with European Data Protection Regulations

    Under Singapore’s Personal Data Protection Act (No. 26 of 2012) (“PDPA”), an organisation must obtain an individual’s consent in order to process the said individual’s personal data (the “Consent Obligation”), save in limited circumstances: PDPA at s 13. In the Personal Data Protection Commission’s (“PDPC”) Response to Feedback on the Public Consultation on Approaches to Managing Personal Data in the Digital Economy (“PDPC Response”), the PDPC proposed to provide for “Legitimate Interests” as an additional basis of processing personal data, or as an exception to the Consent Obligation (the “proposed Legitimate Interests Basis”). While the proposed Legitimate Interests Basis has yet to be crystallised in legislative text, the article proceeds on the premise that the eventual legislative provision will substantively mirror the proposal set out in the PDPC Response.

    The proposed Legitimate Interests Basis has its roots in Article 6(f) of the General Data Protection Regulation 2016/679 (“GDPR”), which was in turn adopted from Article 7(f) of its predecessor, Directive 95/46. In respect of Article 7(f) of Directive 95/46, the Court of Justice of the European Union (“CJEU”) has held that an organisation may process an individual’s personal data in pursuit of a legitimate interest if three cumulative conditions are satisfied: CJEU Judgment of 4 May 2017 (Case C-13/16). First, the organisation must pursue a legitimate interest. Secondly, the processing of the individual’s personal data must be necessary for the pursuit of the legitimate interest. Thirdly, the organisation’s legitimate interest must outweigh the rights and interests of the individual in a balancing exercise. This framework has been held to apply to Article 6 of the GDPR, and would likely apply to the proposed Legitimate Interests Basis in the PDPA.

    This article focuses on the first condition. For this condition, the EU Data Protection Working Party (“Working Party”) has laid down several threshold requirements: Working Party Opinion 06/2014 on the Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46 (“Opinion 06/2014”) at p 25. Briefly, the pursuit of the interest must be lawful, the interest at stake must correlate with the organisation’s existing activities, and the interest must be clear and articulated. These requirements would likely be retained in some form in the proposed Legitimate Interests Basis. More interesting questions arise, however, when considering the differences between the proposed Legitimate Interests Basis and Article 6(f) of the GDPR, as well as the differences between their respective data protection regimes.

    This article explores three questions. First, does the proposed Legitimate Interests Basis represent a revolutionary expansion of the current regime for processing data? Secondly, how should an overlap between the legitimate interest relied on and a public agency’s function be addressed? Thirdly, what does the possible absence of the right to object, a key feature of the GDPR, mean for the proposed Legitimate Interests Basis?

    Measured expansion of the data protection regime

    The proposed Legitimate Interests Basis refers to the processing of personal data on the basis of “legitimate interests that will have economic, social, security or other benefits for the public (or a section thereof)”: PDPC Response at [5.7]. By comparison, the European data protection regulations state that processing of the personal data must be necessary for the “legitimate interest pursued by the controller or by a third party”, with the “controller” being the entity processing the personal data. It is apparent that the need for public benefit does not feature in Article 6(f) of the GDPR or Article 7(f) of Directive 95/46. Accordingly, the proposed Legitimate Interests Basis appears to be more restrictive than its European equivalent because it demands some form of public benefit before an organisation can process personal data.

    This requirement of public benefit represents a measured, rather than revolutionary, expansion of the data protection regime in Singapore. At present, an organisation can only process an individual’s personal data if it satisfies the Consent Obligation, unless authorised by other provisions in the PDPA: PDPA at s 13. Introducing an open-ended alternative basis for the processing of personal data could well result in unpredictability and uncertainty: Opinion 06/2014 at P51. The proposed Legitimate Interests Basis avoids this uncertainty by incorporating the public benefit requirement. This requirement restrains the otherwise open-ended nature of the basis by providing for limited circumstances in which an organisation may process an individual’s personal data in the absence of his or her consent.

    This measured approach is also reflected in how public benefit is already accounted for to some extent under the PDPA’s existing framework. Currently, s 17 of the PDPA provides that an organisation may collect, use or disclose personal data without obtaining the individual’s consent if circumstances and conditions in the Second, Third or Fourth Schedules to the PDPA are met. Taking the Second Schedule to the PDPA for instance, paragraph (e) provides that an organisation may collect an individual’s personal data in the absence of his or her consent where “the collection is necessary for any investigation or proceeding, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data”. In tabling the proposed Legitimate Interests Basis, the PDPC suggested that the prevention of fraud would constitute a valid legitimate interest: PDPC Response at [5.7]. The PDPC’s suggestion and paragraph (e) of the Second Schedule may overlap, because the situations in which personal data is collected to identify and prevent fraud may very well coincide with the situations in which personal data is collected to investigate the allegedly fraudulent activity. Another possible area of overlap is paragraph 1(d) of the Second Schedule, which permits collection of data in the “national interest”. This, in turn, is defined in s 2(1) of the PDPA as including national defence and security, public security, the maintenance of essential services and the conduct of international affairs. If any doubt remains, s 63 of the PDPA provides that the relevant Minister may conclusively determine a matter to be of national interest by signing a certificate. These provisions allude to how the conception of “national interest” is likely narrower and more demanding than “public interest”. Thus, there is still room for the proposed Legitimate Interests Basis to operate. Yet, this underlines the point that the proposed Legitimate Interests Basis would likely be a measured, rather than revolutionary, expansion of the existing exceptions to the Consent Obligation as encapsulated in the Second to Fourth Schedules of the PDPA.

    Possible overlaps with regulatory function

    The proposed Legitimate Interests Basis’ focus on public benefit rather than the organisation’s legitimate interest raises the question of whether organisations should be allowed to invoke an interest that falls more suitably within a public agency’s domain. In Decision 14-01190-8 by Norway’s DPA (“Datatilsynet”), an issue was whether a restaurant’s surveillance of the area outside its premises was permissible under Article 8 of Norway’s Personal Data Protection Act, which is similar to Article 6(f) of the GDPR. The Datatilsynet found, amongst other things, that the processing was justified to protect the restaurant’s legitimate interest of monitoring its security, but that this task was for the police to discharge. Cases like the above appear to be uncommon in European jurisprudence, because the GDPR’s legitimate interests basis focuses on the organisation’s interests, which are not necessarily in the public interest. In contrast, the public benefit requirement in the PDPC’s proposed Legitimate Interests Basis would tend to overlap more with the functions of public agencies.

    There is a case to be made that an overlap between the public benefit relied on by an organisation and a public agency’s functions should be taken into account in determining whether a private organisation is entitled to process personal data by relying on the said benefit. It is allocatively inefficient for a private organisation to process data to further a public interest that could be more effectively furthered by a public agency with greater expertise in the area.

    Proceeding on this basis, the question is how such overlap should be accounted for. An option would be to impose the absence of such overlaps as a threshold requirement, such that it should be impermissible to process data on the basis of a public interest that falls more appropriately within the purview of a public agency. The difficulty, however, would lie in formulating a test for when precisely a public interest relied on should be deemed to impermissibly overlap with a public agency’s function. A more measured approach would be to take the overlap into account in the third condition of the framework, where the public interest relied on is balanced against the individual’s right to his or her personal data. For an organisation to invoke the proposed Legitimate Interests Basis as an avenue for processing an individual’s data, the public interest relied on by the organisation must outweigh the interests of the individual whose data is sought to be processed. Arguably, where the public interest at play is already protected to a substantial degree by a public agency, this should tilt the balance in the individual’s favour.

    Accounting for the absence of the right to object

    Under Article 21(1) of the GDPR, the data subject shall have the right to object to data processing under Article 6(f) on grounds relating to his or her particular situation. If the individual invokes this right to object, the controller must demonstrate compelling legitimate grounds for the processing of personal data. Accordingly, the GDPR envisages two thresholds of legitimate interest. The first, which applies at the juncture where organisations first determine whether to rely on Article 6(f), is merely that the interest in question must be lawful, real, and articulated. The second, which applies when a data subject makes an objection, is that the interest relied on must also be compelling. The European Data Protection Board has defined a “compelling” interest as connoting a higher threshold, which requires the pursuit of the relevant legitimate interest to be essential for the data controller: European Data Protection Board Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 (25 May 2018).

    In the PDPC Response, the PDPC did not address the right to object, and it is therefore reasonable to assume that no such right will be imported into the PDPA regime along with the proposed Legitimate Interests Basis. Proceeding on that assumption, the question arises whether and how the “compelling” threshold would feature in the PDPA regime. It can be argued that the mere absence of the right to object should not detract from the protections that the PDPA secures for individuals. If so, the organisation’s legitimate interest must be compelling right from the outset. Yet, this would appear to unduly restrict the scope of the proposed Legitimate Interests Basis. A better resolution might be to acknowledge that a legitimate interest for the public benefit - as required under the proposed Legitimate Interests Basis - is inherently (or presumed to be) compelling. In this connection, the Working Party has noted that the fact that a controller acted in both its private interest and the interest of the wider community gives more weight to the former interest: Opinion 06/2014 at p 35. Although the Working Party was not contemplating this point, its comment lends force to the idea that a public interest is more essential than a private organisation’s legitimate business interest. Hence, the right to object under the GDPR, and the accompanying need for a compelling legitimate interest, is already accounted for in the requirement of public benefit in the proposed Legitimate Interests Basis.

    Conclusion

    As discussed above, the proposed Legitimate Interests Basis might be narrower than originally thought. Yet, there are some categories of situations in which the basis would likely apply. For instance, financial institutions would likely be able to rely on the basis for limited purposes. The Spanish Data Protection Agency (“AEPD”) suggested that financial institutions may be able to process personal data on the basis of pursuing legitimate interests in (1) analysing an individual’s creditworthiness; (2) preventing fraud; and (3) guaranteeing the security of the financial institution’s network or system: AEPD Gabinete Juridico (Informe 0195/2017) at p 4. It is likely that these interests will be permissible in relation to the proposed Legitimate Interests Basis. While the aforementioned interests are beneficial for a financial institution insofar as they ensure that the financial institution’s operations are not compromised, they are also in the public interest of ensuring stability in Singapore’s financial system: see e.g. MAS Notice 654. The pursuit of these functions falls within a financial institution’s responsibilities: MAS Notice 626 at [1-4-7]. Accordingly, it is likely that the proposed Legitimate Interests Basis will encompass the interests of financial institutions that further the stability of the nation’s financial system. Nevertheless, it should be recalled that the application of the PDPA is subject to other written laws, including banking secrecy provisions: PDPA at s 4. That being the case, a financial institution relying on this interest to process personal data should ensure that it does not violate any other written law.

    The inherent flexibility of the proposed Legitimate Interests Basis will assist organisations to better manage personal data in view of technological advances and global developments that engender difficulties in fulfilling the Consent Obligation. Clarity in the basis’ scope and application will be required to temper its open-ended nature. It is hoped that this article provides a meaningful contribution to elucidating the underlying complexities of the proposed Legitimate Interests Basis.

    * This blog entry may be cited as Gary Leow & Sean Lim, “Examining the Proposed Legitimate Interests Basis in Singapore’s Personal Data Protection Act: Comparisons with European Data Protection Regulations” (12 May 2019) (http://www.singaporelawblog.sg/blog/article/233)
