It is widely anticipated that several proposed amendments to the PDPA will take effect this year.
One is a mandatory notification obligation where an organization is required to notify the authority within 72 hours once it has determined that a data breach had occurred. I have earlier written an article on this, so I will turn my attention to another proposed amendment: Data Portability Obligation. (There is also a proposed Data Innovation Provision. This I will address in another article later. Watch this space for update)1
What do we mean by data portability? Very briefly, this means that an individual can request an organization which holds his data to transfer that data to another organization. Hence the word “portability”.
What are the benefits for doing this?
First, it is supposed to make it easier for customers to switch from one service provider to another.
Second, this should stir greater competition and innovation in the digital economy.
Come to think of it, today, consumers can port their mobile phone numbers from one telco to another. This has removed a significant hurdle in switching service provider. Consumers have also benefited from increased competitions among the telcos.
But benefits aside, the devil is in the implementation details.
Devil is in the (implementation) details
What data does the new provision cover? It is proposed that the data covers “user provided data”, “User activity data” (such as transactions data, past purchases, even step count and pulse rate), and can include “third party data” (such as the personal data of a travel companion or photos of third parties uploaded by the individual to his social media account).
Among others, the data should be portable in a machine-readable format and completed within 7 calendar days of receiving a request.
Based on feedback from the public consultation, PDPC has indicated it will make some adjustments. For example, a data porting request can be fulfilled in 30 days instead of 7 calendar days, making it consistent with the existing Data Access obligation.
PDPC intends to prescribe a standard set of data categories which it refers to as “whited-listed dataset” to provide clarity and reduce compliance costs. It will issue regulatory instruments incrementally in consultation with industry stakeholders.
Not unexpected, PDPC will not prescribe what are the “machine-readable” formats and what is a reasonable fee to charge for fulfilling a data porting request. Nevertheless, it will have the right to review any refusal, failure to act within the stipulated period, or fees charged.
Organisations should be concerned with the cost of complying with this obligation and the penalties for failure to comply. However, if one look at the list of respondents to the public consultation2, these are large corporations: banks, insurance companies, financial companies, telco.
SMEs were not represented
How will this affect the SMEs? Will the SMEs be able to comply with this new provision? More likely than not, they will have to pay their software vendor for a new, optional “data porting” module.
The large corporations have the resources to review and respond to the request for public consultation. It is also in their interest to influence the policy as it can have a big impact on their competitive position.
On the other hands, the SMEs lack the wherewithal to fathom what this means to them. Yet, they are the ones which need the most guidance and help. I hope the PDPC can make an effort to actively reach out to the SMEs to engage with them and to solicit their feedback, say, through their trade associations.
1. PDPC public consultation paper released in May 2019 to solicit feedback on data portability and data innovation provision. (PDPC consultation paper on data portability (May 2019))
2. PDPC Response to feedback on public consultantion on proposed data portability and data innovation provisions (PDPC response to feedback on data portability consultation paper)