In a 2014 speech, Singapore’s Prime Minister Lee Hsien Loong left no doubt as to his government’s plans for Singaporeans. Within the not-too-distant future, he said, Singaporeans will essentially live their lives in a “Smart Nation”.^[1]

As part of this national push to get “smart”, new schemes will be implemented and old ones revamped to shift people’s lives onto technological platforms. For example, the current Electronic Road Pricing (ERP) system—which automatically deducts a toll whenever a vehicle passes under a gantry—will be replaced by a new, satellite-based one which charges motorists based on distance spent on designated roads.^[2] It will also soon become mandatory for healthcare providers to enter patient information into the National Electronic Health Record (NEHR).^[3] GovTech, the Singapore government agency in charge of the “Smart Nation” project, recently announced a pilot programme to install surveillance cameras on Singapore’s lampposts, linked to facial recognition software. If fully implemented, this would potentially enable them to track any person anywhere in Singapore within range of one of Singapore’s 110,000 lampposts.^[4]

Some have raised concerns about this proposed nationwide digitisation, specifically regarding its impact on Singaporeans’ privacy.^[5] Putting information online makes it more vulnerable to being stolen; making it more accessible also means it’s more easily misused. Such centralisation of personal data also triggers worries about surveillance.

The government has naturally argued that its benefits outweigh its drawbacks.^[6] Yet, with the potential stakes so high, it must be asked: do people really understand how far “Smart Nation” policies infringe on Singaporeans’ data security? In any event, must the pursuit of convenience and efficiency, no matter how well-intentioned, come at the cost of personal privacy?

A theoretical “Smart Nation” ought to maximise both efficiency and data privacy, but the actual “Smart Nation” that Singaporeans are living in is one where personal data is widely collected, inadequately protected, and easily misused. Furthermore, criticisms of Singapore’s flimsy data protection regime are valid but insufficient. There are deeper issues which must be fixed for real progress to be possible, including a ruling elite that benefits from keeping the public in a state of ignorance and apathy.

What is “personal data” and why does it matter?

“Personal data” is defined by Singapore’s Personal Data Protection Act (PDPA) as “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access”.^[7] Basically, any data, even if untrue, that can lead to identification falls under the definition.

This includes, for example, one’s medical history, vehicle licence plate number, or web-browsing history, as they can be used alone or in conjunction with other information to identify someone. They are thus considered “personal data”, just like one’s name, picture, or state-issued identification number. If someone (or their company) gathers such information, they are, by definition, collecting “personal data”.^[8]

According to a 2016 survey conducted by audit firm KPMG, 32% of the 200 Singaporean respondents labelled themselves as “extremely concerned about the way companies handle and use their personal data”—an even greater percentage said they were “concerned”.^[9] While 200 residents is a small sample size, it nevertheless suggests that Singaporeans are at least aware and concerned about the problematic nature of personal data privacy.

However, there are also many Singaporeans who either view this issue as not particularly concerning or have rationalised it as an acceptable trade-off for benefits ranging from safety to savings. For example, the government’s 2016 announcement of its plan to significantly increase closed-circuit television (CCTV) coverage across the island^[10] was praised by some (at least in the government-influenced mainstream media) as a necessary step towards strengthening domestic security. ^[11] Anecdotally, many Singaporeans are happy to “provide vast amounts of personal data to companies in exchange for the chance to win a lucky draw prize or a discount”.^[12]

Regardless of one’s personal view on the matter, it’s still important to understand how the handling and mishandling of personal data can have extremely dangerous and far-reaching consequences.

For example, a person applying for health insurance may be charged higher premiums than normal if the insurance provider finds out that, for example, he eats at the McDonald’s outlet near his school every other day (as determined by the location data on his mobile phone) or that she participates in extreme sports frequently (as seen in photos uploaded to her Facebook account). The idea that the applicant should be paying more given his or her unhealthy or risky lifestyle, while theoretically valid, misses the point.

Firstly, it’s impossible to determine a person’s health risk solely from abstracted points of data. There are people who lead extremely healthy lives who still develop terminal illnesses. Conversely, ostensibly dangerous activities like extreme sports may have numerous health benefits.

Secondly, the data belongs to the person and not to the corporation. Even if it is intangible, it’s personal property.

Thirdly, and perhaps most importantly, corporations are not disinterested. Insurance companies may aim to avoid pay-outs in order to increase their profits, and so exploit any information they have about you to deny you coverage. That even seemingly innocuous information, when disclosed, could have adverse consequences to individuals. That’s why regulation designed in the interest of people (and not corporations) is so important.

It’s not just about trust

Some might say that they don’t have a problem with the rapid consolidation of personal data as they trust that the information will not be misused—but it’s not about trust. Handing one’s personal data over to the “right” entity, whether such entity be public or private, may nevertheless result in such data landing in the “wrong” hands due to hacking or security breaches. Several examples of such breaches have already been documented: in Singapore, for instance, the personal information of over 300,000 customers of karaoke company K Box was made publicly available.^[13] Not even the government is immune: in 2014, over 1,500 SingPass accounts (which allow citizens to manage everything, from their taxes to applications for state subsidies for training courses, via a government portal) were compromised.^[14]

All these risks are exacerbated by how the buying and selling of personal data has become common practice. In January, former telemarketer Sharon Tang became the first person in Singapore to be convicted for the unauthorised sale of personal data.^[15] Over a two-year period, Tang bought over 30,000 “leads” (packets of information about individual persons, in this case including identification numbers and income levels) at SGD0.20 to SGD0.30 (USD0.15 to USD0.23) each and sold this data at a profit. Tang’s case was an instance of illegal activity, but there are many other instances—both legitimate or otherwise—of trading in personal data.

Vague reassurances made by collectors of personal data that such information will be “anonymised” are of little help. Data anonymisation involves the encryption or removal of personal information from datasets so that people are unidentifiable. However, according to the authors of 88 Privacy Breaches to Beware of: Practical Data Protection Tips from Real-Life Experiences, people “can be re-identified through a few pieces of information about them”; for example, by matching particular data points against other publicly-available information.^[16]

In one notable case in 2006, Netflix issued an open challenge for people to devise a better movie recommendation algorithm than its existing one.^[17] As part of this challenge, the video streaming company released its database of 10 million movie ratings made by 500,000 users.^[18] This database was anonymised—Netflix had replaced subscribers’ information with random names and numbers—yet two graduate students were able to identify selected users simply by cross-referencing the ratings in Netflix’s dataset against public film reviews made on the Internet Movie Database (IMDb).^[19] Among other things, they were able to find out users’ names, movie rental records and even socio-political views (as derived from comment histories on public threads).^[20]

Essentially, the problems associated with losing personal data do not end with others knowing more about one than one would like—they have the potential to affect multiple facets of one’s life, from securing insurance coverage to finding jobs. These risks are numerous and real, and Singapore’s existing data protection laws do not do enough to mitigate them.

The inadequacies of the PDPA and personal data laws

Enacted in 2012, the PDPA prohibits the collection, use and disclosure of an individual’s personal data without that individual’s consent.^[21] It also requires organisations that collect personal data to safeguard it, ensure its accuracy, and destroy it once retention is no longer necessary.^[22] On the surface, it appears to provide robust protections against the abuse of personal data.

However, the safeguards offered by the PDPA are far weaker than they initially appear. In fact, the PDPA is as much about facilitating the collection, use and disclosure of personal data, as it is about protecting people against these things.^[23] Even as the statute strengthens the protection of data, it also makes data easier to collect. Significantly, the many obligations set out in the PDPA relating to the collection, disclosure and care of personal data do not apply to certain classes of actors, including “public [agencies]” such as the government.^[24]

One crucial assumption underpinning the entire PDPA is that individuals’ rights are no more important than the assumed needs of corporations and the government. This theme pervades Singapore’s data protection regime.

Take the Banking Act, for example.^[25] In general, the law bans banks from disclosing customers’ personal information—but it also lists a whole suite of exceptions, including one that allows a bank officer to disclose personal information when it is “solely in connection with the performance of duties as an officer or a professional adviser of the bank”.^[26]

This is incredibly vague. Who decides the scope of a bank officer’s duties? Who decides when a particular disclosure is connected to the performance of such duties? What exactly is a “professional adviser”? This creates uncertainty as to whether banking secrecy applies in any given situation, to say the least, and in a worst case scenario, provides a massive loophole which can be exploited by the unscrupulous.

There is also the Telecommunications Act, which does not itself govern the collection of personal data,^[27] but instead authorises the Infocomm Media Development Authority (IMDA) to do so by issuing practice codes and performance standards “from time to time”.^[28] The practice code issued by the IMDA contains the same worrying assumption found in the PDPA and the Banking Act: it cursorily subjects IMDA licensees (a group which includes major telecommunications companies like SingTel and Starhub) to PDPA obligations, then carves out situations where users’ personal information may be used for certain purposes regardless of whether their consent has been obtained.^[29] The mobile and internet usage of all Singaporeans flows through these companies. Again, this creates a dangerous opportunity where information may be legally but immorally exploited by someone at one of these companies.

The Computer Misuse and Cybersecurity Act—the last of the statutes commonly cited as being part of Singapore’s data protection regime—is an exception. It is not structured the same way that the other three pieces of legislation are.^[30] Nevertheless, its data privacy protections apply only in the limited context of data obtained through unauthorised access, use or modification to or of computer material.^[31] In other words, such protections are incidental rather than targeted—after all, the statute is, as its name suggests, first and foremost about computer offences.

These four laws collectively form Singapore’s data protection regime. An examination of these laws reveals that our data could be much better protected.

Yet, the problem lies less with the laws themselves and more with how they are arrived at. Data protection is not accorded much weight in the country’s legislative framework. The bigger issue—the one that needs fixing the most—is why this is the case: the values and assumptions which underpin how laws are made and decided upon.

The deeper issue: the desire to commoditise data

In spite of all the associated risks, the government wants to continue to make it easier for our data to be traded, especially between its own agencies and organs. This is borne out within messages exhorting Singapore’s embrace of technology and quest to become a “Smart Nation”. Then-Minister for Communications and Information Yaacob Ibrahim made this clear when he said that “[the government wants] to encourage the responsible sharing of personal data in order to generate value for our economy”,^[32] as did Minister for Education Ong Ye Kung in promoting an online platform that relies on “pooling [individuals’] personal data from multiple agencies” to provide a “more hassle-free and seamless online transaction process for [applicants]”.^[33]

The IMDA’s Chief Executive Officer, Tan Kiat How, took things one step further in detailing his vision of establishing the world’s first “global data exchange” to sell user data in a regulated space. While this has not yet been built, Singapore already has a “sandbox” for personal data for businesses; Tan brought up the example of car insurance companies being able to access real-time data on an individual’s driving patterns.^[34]

If these messages could be summarised in one larger narrative, it would be that data protection is important—but must never impede opportunities for economic development. Singapore’s government often presents itself as being in the best position to make decisions in the interests of its citizens; in this case, it has decided that the country stands to gain if people pool their data.

However, this narrative is faulty in at least two respects. Firstly, it presupposes that there has to be a trade-off between data protection and convenience. This is particularly egregious given the country’s self-styled “Smart Nation” goal: should a “smart” nation not strive to maximise both privacy and such other benefits that supposedly come at its expense?^[35] Does framing the issue as a trade-off between privacy and convenience play into a false dichotomy that limits the discourse?

Secondly, and perhaps more importantly, this argument is premised on an old utilitarian viewpoint that what’s best for most is best for all, therefore trivialising the harm, tangible and intangible, sustained by Singaporeans. The victim of identity theft and the athlete paying abnormally high insurance premiums would be hard-pressed to celebrate the attainment of “Smart Nation” status, especially considering that they almost certainly would have had little to no input into its design or creation. This is to say nothing of how problematic it is to determine who decides what is “best” and whether “most” are benefiting in any given scenario.^[36]

This all points back to the main problem with how policy is being formulated and designed in Singapore: without widespread consultation or transparency, based on the values and assumptions of a tiny elite, and with no proper accountability on the part of policy-makers.

Conclusion

Nationwide digitisation offers many benefits, some of which are significant and indisputable. At the same time, it poses real risks to Singaporeans’ privacy and security and therefore, paradoxically, inconveniences citizens by forcing them to be ever-conscious about what they might be, advertently or inadvertently, revealing about themselves.

Unfortunately, the extent of discourse on the drawbacks of large-scale digitisation pales in comparison to the amount of support, reasoned or otherwise, for it—whether in Singapore or elsewhere. This has made it all the easier for the government to sell the idea that a “Smart Nation” can only be a good thing for Singaporeans in general without having to disclose how it is they who stand to gain the most from the lack of privacy and data protection a “Smart Nation” would give rise to.

Thus, while it is useful for people to exercise a degree of personal responsibility by adopting measures to better protect personal privacy and data security,^[37] such measures are merely stop-gap solutions–they do nothing to address the larger issue of how Singapore is headed in policy directions that compromise these things and allow for the government to exert even greater control over Singaporeans’ lives under the guise of being “future forward” or “smart”. What is instead needed is a sea change in mentality or, as one commentator puts it, “[w]e have to create a culture of respect for personal data at all levels of society”.^[38]

If you enjoyed this article and would like to join our movement to create space for research, conversation, and action in Southeast Asia, please join New Naratif as a member—it’s just US$52/year (US$1/week)!

References

[1] Smart Nation Singapore, “Transcript of Speech by Prime Minister Lee Hsien Loong at Smart Nation Launch”, 24 November 2014, https://www.smartnation.sg/happenings/speeches/smart-nation-launch

[2] Channel NewsAsia, “Satellite-based ERP to be ready by 2020, with S$556m contract awarded”, 25 February 2016, https://www.channelnewsasia.com/news/singapore/satellite-based-erp-to-be-ready-by-2020-with-s-556m-contract-awa-8182754.

[3] Channel NewsAsia, “National electronic patient database soon to be mandatory for healthcare providers”, 8 November 2017, https://www.channelnewsasia.com/news/singapore/national-electronic-health-record-mandatory-clinics-9385666.

[4] TODAY, “Singapore to test facial recognition on lampposts, stoking privacy fears”, 13 April 2018, https://www.todayonline.com/singapore/singapore-test-facial-recognition-lampposts-stoking-privacy-fears

[5] See for example Lim Chong Kin and Charmian Aw, “A Survey on the Enforcement of the Personal Data Protection Act 2012” in Personal Data Protection Digest (Yeong Zee Kin ed) (Academy Publishing, 2017) at p. 256, ZDNet, “Singapore losing sight of privacy in next-gen tech ambitions”, 3 October 2014, http://www.zdnet.com/article/singapore-losing-sight-of-privacy-in-next-gen-tech-ambitions/and Phoebe Seers, “Singapore’s Smart Nation initiative raises serious data security, privacy concerns”, 11 November 2016, https://static1.squarespace.com/static/56839c4b0ab377cb56312e28/t/58e8d514e58c6214d47a2754/1491653909313/ukdtjTYuRHmmCtcMP2Qm_MLex_Content-3.pdf.

[6] See for example GovInsider, “Exclusive: Tan Kiat How’s Vision for Data”, 15 January 2018, https://govinsider.asia/security/tan-kiat-how-imda-ceo-regulatory-sandboxes/, The Straits Times, “Personal Data Protection: an intrinsic priority of Singapore’s largest bank”, 9 January 2017, http://www.straitstimes.com/business/banking/personal-data-protection-an-intrinsic-priority-of-singapores-largest-bankand Vulcan Post, “Data tracking concerns of S’pore’s new satellite based ERP are overrated. Here’s why”, 29 February 2016, https://vulcanpost.com/539781/singapore-satellite-based-erp-data-tracking-concerns-are-overrated/

[7] Act No. 26 of 2012, s. 2(1)

[8] Winnie Chang, A Practical Guide to Singapore Data Protection Law (LexisNexis, 2013) at p. 5

[9] Beyond the 32% “extremely concerned” number, the exact percentages were not given in the report. KPMG, “Creepy or Cool?: Staying on the right side of the consumer privacy line”, November 2016, p. 29, https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2016/11/creepy-or-cool.pdf

[10] The Straits Times, “More surveillance cameras as deterrent”, 19 March 2016, http://www.straitstimes.com/singapore/more-surveillance-cameras-as-deterrent

[11] TODAY, “Public security ‘more important than privacy’”, 19 March 2016, https://www.todayonline.com/singapore/public-security-more-important-privacy

[12] Sheena Jacob, “The Role of Culture in Privacy: A Singapore Perspective”, 23 July 2016, https://www.linkedin.com/pulse/role-culture-privacy-singapore-perspective-sheena-r-jacob

[13] TODAY, “Hackers leak data of over 300,000 K Box members”, 17 September 2014, https://www.todayonline.com/singapore/hackers-leak-data-over-300000-k-box-members

[14] The Straits Times, “More than 1,500 SingPass accounts could have been accessed illegitimately: IDA”, 4 June 2014, http://www.straitstimes.com/singapore/more-than-1500-singpass-accounts-could-have-been-accessed-illegitimately-ida

[15] The Straits Times, “‘Data monger’ fined $6k by privacy watchdog for selling personal data without notification or consent”, 28 January 2018, http://www.straitstimes.com/singapore/singapore-privacy-watchdog-takes-first-data-monger-to-task

[16] Kevin Sheperdson et al, 88 Privacy Breaches to Beware of: Practical Data Protection Tips from Real-Life Experiences(Marshall Cavendish, 2016) at p. 166

[17] Netflix, “Netflix Prize”, https://www.netflixprize.com/rules.html

[18] Wired, “Why ‘Anonymous’ Data Sometimes Isn’t”, 12 December 2007, https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/

[19] SecurityFocus, “Researchers reverse Netflix anonymization”, 4 December 2007, https://www.securityfocus.com/news/11497. The paper detailing the two students’ methodology and application can be found at https://arxiv.org/pdf/cs/0610105.pdf.

[20] Supra note 19

[21] Act No. 26 of 2012, s. 13(a)

[22] See the various provisions of Act No. 26 of 2012 outlining these requirements: s. 24 (for safeguarding personal information), s. 23 (for ensuring the accuracy of personal information) and s. 25 (for destroying personal information that no longer need be retained).

[23] Act No. 26 of 2012, s. 3 (“The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to have their personal data protected and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.”) (emphasis added)

[24] Act No. 26 of 2012, ss. 2(1) and 4(1)

[25] Cap. 19, 2008 Rev. Ed. Sing.

[26] Cap. 16, s.47(1) and Third Schedule

[27] Cap. 323, 2000 Rev. Ed. Sing.

[28] Cap. 323, ss. 2 and 26(1)(viia)

[29] Code of Practice for Competition in the Provision of Telecommunication Services 2012, ss. 3.2.6.2(c)

[30] Cap. 50A, 2007 Rev. Ed. Sing.

[31] Cap. 50A, ss. 3, 4, 5, 6 and 8A

[32] Ministry of Communications and Information, “Speech by Dr. Yaacob Ibrahim, Minister for Communications and Information, at the Personal Data Protection Seminar 2017, at Sands Expo and Convention Centre on 27 July 2017 at 9.35am”, 27 July 2017, https://www.mci.gov.sg/pressroom/news-and-stories/pressroom/2017/7/personal-data-protection-seminar-2017

[33] Singapore Parliamentary Debates, vol. 94, 8 January 2018

[34] GovInsider, “Exclusive: Tan Kiat How’s vision for data”, 15 January 2018, https://govinsider.asia/security/tan-kiat-how-imda-ceo-regulatory-sandboxes/

[35] See for example VentureBeat, “Blockchain tech could fight voter fraud – and these countries are testing it”, 22 October 2016, https://venturebeat.com/2016/10/22/blockchain-tech-could-fight-voter-fraud-and-these-countries-are-testing-it/, which discusses the use of blockchain technology in the context of elections.

[36] The Guardian, “The internet of things – who wins, who loses?”, 14 August 2015, https://www.theguardian.com/technology/2015/aug/14/internet-of-things-winners-and-losers-privacy-autonomy-capitalism. See also Accenture, “Overcome Citizens’ Cyber Insecurity: Five Ways to Increase Security, Privacy and Convenience”, 2017, https://www.accenture.com/t20170225T023047Z__w__/us-en/_acnmedia/PDF-41/Accenture-Cyber-Pulse-FINAL-POV.pdf, where it was found that two-thirds of (over 3,500 American) respondents “are willing to sacrifice convenience for more data security”.

[37] Channel NewsAsia, “Commentary: Our convenience is coming at a (security) cost”, 26 November 2017, https://www.channelnewsasia.com/news/commentary/commentary-our-convenience-is-coming-at-a-security-cost-9435976

[38] Supra note 12