Data Protection Regulations Overview

Questions and Answers

What is the main focus of the Purpose Limitation Obligation?

To enhance data accuracy during collection.

To facilitate unrestricted access to personal data.

To ensure only necessary data is collected.

To restrict processing to lawful and legitimate purposes. (correct)

Which obligation requires organisations to notify individuals of the use and disclosure of their personal data?

Data Minimisation Obligation

Protection Obligation

Notification Obligation (correct)

Consent Obligation

What does the Data Breach Notification Obligation require organisations to do?

Encrypt all personal data to prevent breaches.

Inform all employees about the data breach.

Assess if a data breach is notifiable to the PDPC and affected individuals. (correct)

Immediately delete all personal data.

Which obligation is related to ensuring that only necessary data is retained?

Retention Limitation Obligation (B)

Which of the following describes the Accuracy Obligation?

It mandates efforts to ensure data is accurate and complete. (D)

What is one of the key elements that measures must prevent regarding personal data?

Loss of storage media or devices containing personal data (C)

Which factor is NOT considered when developing security arrangements for personal data?

Level of organizational hierarchy (B)

What should an organization do to ensure information security effectively?

Design security arrangements based on the nature of personal data held (A)

What type of measures are included in security arrangements?

A combination of administrative, technical, and physical measures (A)

What does the guideline suggest regarding a 'one size fits all' solution for organizations?

It is ineffective and not recommended (B)

What is the primary goal of cybersecurity?

To defend systems and data from malicious attacks (A)

Which of the following is NOT a motivation for cyber-criminals?

Public health improvement (D)

Which type of malware was reported to have affected 65% of organizations in Singapore in 2021?

Ransomware (A)

What does the acronym CIA stand for in the context of cybersecurity?

Confidentiality, Integrity, and Availability (A)

What is the main purpose of cybersecurity laws?

To regulate how organizations protect against cyber-attacks (A)

What is a primary concern leading to the regulation of cybersecurity?

Significant increase in cyberattacks (D)

Which of the following is an example of identity theft?

A person stealing someone else's personal information for fraud (D)

Which sectoral law specifically addresses the protection of personal data?

PDPA (D)

Which direction under POFMA allows for the correction of false statements?

Correction direction (D)

What is the purpose of the access blocking order under POFMA?

To restrict access to online locations (C)

What type of behavior is targeted under the directions to counteract inauthentic online accounts?

Coordinated inauthentic behaviour (B)

What is NOT a similarity between POFMA and POHA?

Both apply only to individuals, not organizations (B)

Which of the following is a learning objective of the law and technology course?

To appreciate law and technology as its own field (C)

What type of technologies does the law and technology course focus on?

Practice-relevant technologies for legal advice (B)

Which of the following directions helps to stop the communication of false statements?

Stop communication direction (A)

What aspect of the internet does POFMA focus on regulating?

Communication of false statements (C)

What is the primary responsibility of a Data Intermediary (DI) when a data breach is suspected?

To notify the data controller (DC) without undue delay. (D)

What is the timeframe within which a data controller must notify the PDPC if a breach poses a risk of significant harm?

Within 3 calendar days of determining it is notifiable. (C)

What is the maximum time period allowed for a data intermediary to notify the data controller of a suspected data breach?

Within 24 hours. (D)

What must a data controller do once it determines that a data breach has occurred?

Conduct an assessment to determine if it is a notifiable breach. (C)

If a data intermediary discovers a data breach but does not believe it is a notifiable breach, what is their obligation?

They still must notify the data controller without undue delay. (A)

How long does a data controller have to conduct an assessment of the data breach after becoming aware of it?

30 days. (B)

Which of the following statements regarding the notification to affected individuals is correct?

There is no prescribed timeframe for notifying affected individuals. (A)

What triggers the data controller to assess whether a data breach is notifiable?

The alert coming from the data intermediary. (B)

What characterizes the two ways in which law functions, as described by Lessig?

Directly and indirectly (D)

What does Lessig imply about code in the context of law?

Code can replace law in cyberspace. (B)

According to Lessig, what is one potential advantage of software code in a regulatory context?

It is highly malleable and adaptable. (B)

What is indicated by the expression 'constraints bind in a way that regulates behavior'?

Structural constraints influence individual choices. (C)

What does Lessig argue about the relationship between law and norms?

Norms are subject to legal change. (A)

What is a key takeaway regarding the direct operation of law?

It specifies expected behaviors explicitly. (B)

How does Lessig explain the adaptability of software code compared to traditional law?

Code can be revised easily to meet new regulations. (A)

What is one aspect of the regulatory framework that Lessig emphasizes?

Constraints can vary in their method of regulation. (D)

Study Notes

Data Protection and Cyber Regulation

• Data protection is regulated by the PDPA.
• Obligations of organizations include data lifecycle management.
• Individuals have rights regarding their data.
• Cybersecurity regulations are governed by the PDPA and Cybersecurity Act 2018
• Laws regulating cybersecurity protect digital infrastructure from attacks.

Prevention of Online Threats and Falsehoods (POHA)

• POHA regulates online speech.
• POFMA (not tested) is related to online falsehoods.

Law and Technology

• The field of law and technology is multifaceted
• Law and technology issues need to be approached by considering the specific issue: is the problem with law or technology
• Frank Easterbrook's Law of the Horse - is applicable for considering technology issues in law
• Lessig's Counter-Response - offers a different perspective on the interplay of law and technology

Comparative Laws

• General Features of the Civilian System
• Civil law is codified, while common law relies on precedent.
• Civil law systems have a formalized framework for contract law.
• Key differences/ similarities between Common Law and Civilization
• General principles of civil law are found in codes, and case law in the common law

Specific Principles of Civil Law(I): Unilaterally Binding Contracts

• Most contracts are mutually binding (synallagmatic).
• Gifts and mandates are unilaterally binding contracts

Specific Principles of Civil Law(II): Good Faith

• Good faith is a prevalent principle of civil law, obliging parties to act in good faith.
• The principle of good faith can influence legal relations in the context of contract law.
• Consideration of good faith in dealing with contractual terms where there is a dispute.

Specific Principles of Civil Law(III): Enforced Performance

• The promisee is in principle entitled to performance in specie (the exact performance of the contract).
• Secondary remedies (damages) are available in the event of failure to perform.
• Enforced performance is the general rule, and not an exception.
• Situations where there may not be enforced performance (e.g impossible performance)

The Law of Delictual Liability (Torts equiv.)

• French Tort Law – 3 elements
• Fault → Damage → Causal link between fault and damage
• Principle of non-concurrency for contractual and tortious liability are distinct
• French law has a duty to rescue for specific acts, rather than for omissions
• Tort law obliges the wrongdoer to compensate the damage.

(1)Introduction to the Field

• The Big Question: is the issue with the law, the technology, or both?
• Law and technology need to be considered as one entity.
• Core concepts and framework to understand the field of Law and technology.
• Key methods to understand and assess issues arising when law and technology meet.

Case Study 1: Automobiles

• Historical development of automobile liability laws in developed jurisdictions.
• Evolution of legal norms around cars and vehicles.

Case Study 2: Regulating the Early Internet

• How the Internet works (basic overview of protocols, etc)
• Values embedded in cyberspace and their implications for regulation
• Use of codes as regulators for the purpose of understanding and managing use of technology

Case Study 3: Regulating the Early Internet (Part 2)

• How the early internet operated.
• The importance and implications of code as a defining element of the internet.
• How internet technology developed.

Emerging Technologies and Law

• Key principles
• Different types of technologies regulated (e.g. digital platforms)
• The legal and regulatory challenges posed by the development of these technologies.

Artificial Intelligence

• What is Al really?
• Modern Al theory: The relationship between humans vs Al
• Understanding Al systems in law and their implications for legal systems.

Description

Test your knowledge on key data protection obligations and guidelines. This quiz covers essential concepts such as purpose limitation, data breach notifications, and accuracy obligations, giving you a comprehensive understanding of personal data management. Ideal for anyone studying or working in data privacy and security.