Singapore privacy laws analysis
Although powerful technology can protect company data from cyber threats, strict laws and regulations add an extra layer of protection. It is the main reason we chose to register our company in Singapore, one of the countries with strong data protection laws.
In Singapore, data protection is established by the Personal Data Protection Act 2012 (PDPA), which governs how organsations collect, use and disclose personal data. The bill had been fully effective on July 2, 2014, and on November 2, 2020, with new amendments. PDPA guarantees that all personal data must be collected, used, and disclosed legally.
Section 18 of the PDPA limits the purpose and scope of the organisation's collection, use or disclosure of personal data. Specifically, section 18 stipulates that organisations can only collect, use or disclose personal data about individuals for the following purposes:
(a) that a reasonable person would consider appropriate in the circumstances; and
(b) that the individual has been informed of under section 20, if applicable.
The purpose restriction obligation's primary purpose is to ensure that the organisation collects, uses, and discloses personal data related to the purpose and only for reasonable purposes. Consistent with the notification obligation, the purpose restriction obligation also limits the purposes for collecting, using, or disclosing personal data to those that have been notified to the individual in accordance with the notification obligation (if applicable).
As far as the purpose of Section 18 (and what is described in that Section) is concerned, whether the purpose is reasonable depends on whether a reasonable person considers the situation appropriate. Therefore, when determining whether the purpose of such collection, use or disclosure is reasonable, the particular circumstances involved must be considered. For example, a reasonable person is unlikely to believe that a purpose that violates the law or is harmful to the individual concerned is appropriate.
Liverado collects as little user information as possible to ensure a completely private and anonymous user experience when using the service. Liverado also does not have the technical ability to access the contents of the user's encrypted messages. Liverado will only disclose the minimum user data we have (legal obligation) under the guidance of a fully binding order issued by Singapore's court or qualified government authorities.
Protection of personal data
Section 24 of the PDPA requires organisations to protect personal data:
An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —
(a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and
(b) the loss of any storage medium or device on which personal data is stored.
There is no guidance on what constitutes a "reasonable security arrangement", but based on the above section, it can be concluded that encryption is not only reasonable but also a necessary means to protect personal data. It lays the legal foundation for data encryption and enables us to provide best practices to protect users' data.
The retention of personal data
Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data:
An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —
(a) the purpose for which that personal data was collected is no longer being served by retention of the personal data; and
(b) retention is no longer necessary for legal or business purposes.
Retention restriction obligation prevents organisations from permanently retaining personal data without legal or commercial reasons. Saving personal data for an indefinite period increases the risk of violating the Data Protection Provisions. However, because each organisation has its specific business needs, the retention limitation obligation does not specify a fixed period that the organisation can retain personal data. It should be noted that although the PDPA does not specify a specific retention period for personal data, the organisation will need to comply with any laws or specific industry-standard requirements that may apply.
The data retention restrction in PDPA allows Liverado to retain user data as little as possible. The active accounts' data are stored on Liverado's server. However, Liverado does not keep deleted data. When a message is deleted, it's deleted forever. When a Liverado account is closed, the data will be removed from servers immediately. Only when Liverado receives an order from qualified government authorities or court of Singapore will the data be kept for legal purpose.
No law specifying obligation on Key disclosure
In countries such as the United States and the United Kingdom, mandatory key disclosure laws require individuals to hand over encryption keys to law enforcement agencies for criminal investigations. In Singapore, there is no law specifying obligation to disclose passwords or keys.
No national security letter
Unlike the US, there is no such thing as a national security letter, and all surveillance requests must be submitted to the court or issued by qualified government authorities.
In the US and EU, gag order may be issued to prevent individuals from knowing that they are under investigation or surveillance. Although gag orders also exist in Singapore, the Gag orders are usually imposed to protect vulnerable persons, minors and victims in sexual offence cases. The Public Prosecutor may apply for a gag order in appropriate cases in order to enable witnesses to testify freely during the trial without fear of embarrassment from public scrutiny.
Singapore is one of the top tech hubs globally
KPMG's annual survey of global technology leaders reveals which cities, in addition to Silicon Valley/San Francisco, will be leading technology innovation hubs over the next four years. Several cities took significant steps forward in this edition. Singapore, ranked seventh last year, took the top spot this year globally and offers an advanced IT infrastructure, strong government support and IP protection laws, and a deep pool of talent. As a start to economic transformation, the government-sponsored Smart Nation program has been progressing since 2014, and the National Artificial Intelligence Strategy was announced in November 2019
We believe that only by combining technology and legal protection can comprehensive security be achieved. Singapore has a neutral advantage outside the United States and the European Union jurisdiction. With Singapore's advanced IT infrastructure, strong data protection laws and unique legal environment, ensure Liverado provide reliable and secure services.