WhatsApp and the Singapore Personal Data Protection Act 2012
In Singapore, the collection, use and disclosure of personal data by organisations are regulated by the Personal Data Protection Act 2012 (the “PDPA”). The PDPA applies to all organisations, regardless of whether they are formed or recognised under the laws of Singapore. In this regard, every organisation is required to comply with the PDPA in respect of activities relating to the collection, use and disclosure of personal data in Singapore, unless the collection, use and disclosure of personal data are expressly excluded from the application of the PDPA.
What Is Personal Data?
Personal data refers to data, whether true or not, about an individual who can be identified from that data on its own or from that data and other information to which the organisation has or is likely to have access. Data which can identify an individual on its own is referred to as a unique identifier, and the Personal Data Protection Commission (“PDPC”) generally considers such unique identifiers to include an individual’s full name, NRIC number or FIN, passport number, personal mobile telephone number, facial image of an individual, voice of an individual, fingerprint, iris image and DNA profile.
- A user’s account registration information (including phone number), transaction data, service-related information, mobile device information and IP address;
- Information on how a user interacts with others via WhatsApp;
- Such other information obtained upon notice to a user or based on the user’s consent.
Based on the above, it is apparent that the information that WhatsApp collects and shares with Facebook will include personal data, and as such, Facebook will be required to comply with the obligations set out in the PDPA in relation to the collection, use and disclosure of personal data, namely:
- ensuring that data is collected, used or disclosed only for purposes that a reasonable person would consider appropriate in the circumstances;
- notifying users of the purposes and obtaining users’ consent for the collection, use or disclosure of personal data;
- allowing users to access and correct their personal data;
- protecting personal data (including observing the requirements for international transfers) and not retaining personal data if no longer needed; and
- having policies and practices to comply with the PDPA.