CLK PAPER 1 WHACK PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document is a study guide or lecture notes on data protection and cyber regulation, law and technology, comparative laws, and conflict of laws.
Full Transcript
Table of Contents ================= [1. Table of Contents 1](#_Toc183079669) [2. DATA PROTECTION AND CYBER REGULATION 3](#data-protection-and-cyber-regulation) [2.1. DATA PROTECTION 3](#data-protection) [(1) Introduction and Overview 3](#introduction-and-overview) [(2) Purpose and Scope of the...
Table of Contents ================= [1. Table of Contents 1](#_Toc183079669) [2. DATA PROTECTION AND CYBER REGULATION 3](#data-protection-and-cyber-regulation) [2.1. DATA PROTECTION 3](#data-protection) [(1) Introduction and Overview 3](#introduction-and-overview) [(2) Purpose and Scope of the PDPA When does it apply 3](#purpose-and-scope-of-the-pdpa-when-does-it-apply) [(3) Obligations of Organisations 5](#obligations-of-organisations) [(4) Data Lifecycle 5](#data-lifecycle) [(5) Rights of Individuals 7](#rights-of-individuals) [(6) Enforcement of the PDPA 9](#enforcement-of-the-pdpa) [(7) Specific Topics Not Tested 9](#specific-topics) [2.2. CYBERSECURITY REGULATION UNDER PDPA AND CYBERSECURITY ACT 11](#cybersecurity-regulation-under-pdpa-and-cybersecurity-act) [(1) Introduction 11](#introduction) [(2) Laws that Regulate Cybersecurity 11](#laws-that-regulate-cybersecurity) [(3) Cybersecurity Act 2018 12](#cybersecurity-act-2018) [(4) PDPA 2012 17](#pdpa-2012) [2.3. PREVENTION OF ONLINE THREATS AND FALSEHOODS (POHA) 19](#prevention-of-online-threats-and-falsehoods-poha) [(1) POHA 20](#poha) [(2) POFMA (not tested) 24](#pofma-not-tested) [3. LAW AND TECHNOLOGY 25](#law-and-technology) [3.1. INTRODUCTION TO THE FIELD 25](#introduction-to-the-field) [(1) General Framework for Approaching the Field 25](#general-framework-for-approaching-the-field) [(2) (CORE) Frank Easterbrook's Law of the Horse 25](#core-frank-easterbrooks-law-of-the-horse) [(3) Lessig's Counter-Response: What Cyberlaw might teach 27](#lessigs-counter-response-what-cyberlaw-might-teach) [(4) L&T Issues in Contract/Torts 30](#lt-issues-in-contracttorts) [3.2. TECHNOLOGY REGULATION: HISTORY AND PRINCIPLES 36](#technology-regulation-history-and-principles) [(1) Regulation 36](#regulation) [(2) CASE STUDY 1: Automobiles 43](#case-study-1-automobiles) [(3) Case Study 2: Regulating the Early Internet 53](#case-study-2-regulating-the-early-internet) [(4) Electronic Transactions 55](#electronic-transactions) [3.3. EMERGING TECHNOLOGIES AND LAW 59](#emerging-technologies-and-law) [(1) Digital Platforms 59](#digital-platforms) [(2) The Blockchain 69](#the-blockchain) [(3) Artificial Intelligence 80](#artificial-intelligence) [4. COMPARATIVE LAWS 92](#comparative-laws) [4.1. INTRO TO CIVIL LAW TRADITION 92](#intro-to-civil-law-tradition) [(1) General -- Features of the Civilian System 92](#general-features-of-the-civilian-system) [(2) Civil Law as a 'mentality' 92](#_Toc183079705) [(3) Civil Law as a methodology 92](#_Toc183079706) [(4) Civil Law -- Substance 93](#_Toc183079707) [(5) Key Ideas 93](#_Toc183079708) [4.2. General Principles of Civil Law 93](#contract-law-in-civil-law) [(1) Systematic Approach to codifying private law in Germany, Japan, South Korea, Taiwan, and France 94](#_Toc183079710) [(2) How to use Civil Codes for Case Analysis 95](#how-to-use-civil-codes-for-case-analysis) [(3) The Law of Delictual Liability (Torts equiv.) 96](#the-law-of-delictual-liability-torts-equiv.) [(4) Negotiorum gestio -- Spontaneous voluntary agency in which intervenor (gestor) acts on behalf and for the benefit of a principal without the principal's prior consent 98](#negotiorum-gestio-spontaneous-voluntary-agency-in-which-intervenor-gestor-acts-on-behalf-and-for-the-benefit-of-a-principal-without-the-principals-prior-consent) [4.3. Specific Principles of Civil Law (I): Unilaterally Binding Contracts 100](#specific-principles-of-civil-law-i-unilaterally-binding-contracts) [(1) Mutually and Unilaterally Binding Contracts 100](#mutually-and-unilaterally-binding-contracts) [(2) The concept of gifts (donations) 100](#the-concept-of-gifts-donations) [(3) 101](#section) [(4) The concept of Mandate 102](#the-concept-of-mandate) [4.4. Specific Principles of Civil Law (II): Good Faith and absence of Trust Law 103](#specific-principles-of-civil-law-ii-good-faith-and-absence-of-trust-law) [(5) General Provisions on Good Faith Principle 103](#general-provisions-on-good-faith-principle) [(6) Applying the principle of Good Faith 103](#applying-the-principle-of-good-faith) [(7) Principles of Trust Law 104](#principles-of-trust-law) [4.5. Specific Principles of Civil Law (III): Enforced Performance 104](#specific-principles-of-civil-law-iii-enforced-performance) [(1) Enforced Performance 104](#enforced-performance) [(2) Principles relating to Secondary Rights 105](#principles-relating-to-secondary-rights) [(3) Impossibility of Performance 105](#impossibility-of-performance) [5. CONFLICT OF LAWS 106](#conflict-of-laws) [5.1. INTRODUCTION 106](#introduction-1) [(1) What is the Conflict of Laws? 106](#what-is-the-conflict-of-laws) [(2) The Conflicts Process 106](#the-conflicts-process) [5.2. CHOICE OF LAW 106](#choice-of-law) [(1) What are Choice of Law Rules 106](#what-are-choice-of-law-rules) [(2) Contract Rule 106](#contract-rule) [(3) Tort Rule 108](#tort-rule) [(4) Limits on Choice of Law Rules 109](#limits-on-choice-of-law-rules) [5.3. JURISDICTION 110](#jurisdiction) [(1) Structure of Jurisdictional Rules 110](#structure-of-jurisdictional-rules) [(2) Establishing Jurisdiction if Service in 110](#establishing-jurisdiction-if-service-in) [(3) Establishing Jurisdiction if Service Out 112](#establishing-jurisdiction-if-service-out) [(4) Jurisdiction Clauses 113](#jurisdiction-clauses) [(5) Submission by Conduct 115](#submission-by-conduct) [5.4. FOREIGN JUDGEMENTS 118](#foreign-judgements) [(1) Why are Foreign Judgments Important? 118](#why-are-foreign-judgments-important) [(2) Requirements for Recognition 118](#requirements-for-recognition) [(3) Defences to Recognition 119](#defences-to-recognition) DATA PROTECTION AND CYBER REGULATION ==================================== DATA PROTECTION --------------- ### Introduction and Overview Not applicable to collecting personal data in personal capacity - if youre not doing it for an organization / 3P cause. U are doing it for urself. But if youre doing it for ur prof who is doing it as part of their work, even if ure not an organization, you might be regarded as an employee of the university - If doing it in personal capacity, then not subject to pdpa - - The PDPA, Singapore's **first general data protection law**, was enacted in 2012 and came into force in stages up to [July 2014] - Personal Data Protection Commission (PDPC) was established in 2013 - PDPA's Do Not Call and Data Protection Provisions came into force in 2014 - PDPA was **significantly amended in 2020** to introduce new obligations in line with modern data protection laws in other jurisdictions - New provisions on data protection obligations and rights of individuals - New criminal offences relating to misuse of personal data - Enhanced enforcement powers for PDPC/Commissioner - The following subsidiary legislation expand on the obligations of organisations or procedurals aspects of the PDPA: - Personal Data Protection (Appeal) Regulations 2021 - Personal Data Protection (Composition of Offences) Regulations 2021 - Personal Data Protection (Do Not Call Registry) Regulations 2013 - Personal Data Protection (Enforcement) Regulations 2021 - \*Personal Data Protection (Notification of Data Breaches) Regulations 2021 - \*Personal Data Protection Regulations 2021 -- Rules of Court 2021, Order 57 - (\*only these are covered in this unit) - PDPC has issued several advisory guidelines (under PDPA section 49) and may other publications and materials to **assist organisations in complying with the PDPA** - Covered in this unit are: - Key Concepts Guidelines - Selected Topics Guidelines - Enforcement Guidelines - Guidelines are advisory in nature and not legal binding on the Commission, or any other party ### Purpose and Scope of the PDPA When does it apply #### Purpose: PDPA s 3 - Govern collection, use and disclosure of personal data by **organisations** - In a manner that recognises: - [Right of individuals] to protect their personal data - Needs of organisations - Does not confer proprietary rights over personal data (usual laws apply) - Key terms: - Personal data, individuals (target [subject-matter]) - Organisations ([entities] required to comply) - Collection, use, disclosure / data processing ([target activities]) #### Substantive Scope: PDPA s 2(1) \*See exact provision - Personal Data - Data about an [identifiable individual] Direct identifier (conclusive), indirect identifier (see [Specific Topics](#specific-topics)) - 3 kinds of data: direct identifier, indirect identifier, non-identifier - Includes factual information and opinions - Does not depend on truth of the data - Note [exclusions], e.g., for business contact information - Individual - Natural person, living or deceased (though limited effect on deceased) - Organisation - Includes ([non-exhaustive]) any individual, company, association or body of persons regardless of where formed, recognised, resident or having an office / place of business - [Excludes] individuals acting in a personal or domestic capacity or as an employee - [Excludes] public agencies (covered under a separate framework / law) - **Data intermediaries (DIs)** Don't need data for any other purposes - Sometimes known as **data processors** in other jurisdictions' laws - Organisations that process personal data on behalf of another organisation - **Fewer obligations** under the PDPA: only sections 24, 25, 26C(3)(a) and 26E and Part 6B (Not yet in force) s 4(2) - If qn is referring to an organization that is collecting personal data / doing smth to the data on behalf and for the purposes of another organization, then this organization that is doing this is a data intermediary - A data intermediary is a relationship and not a category of organizations. An organization can be a DI in respect of one relationship w an organization and a DC in respect of another (usually wrt ur own employees' info, u r DC) - Data controllers (DCs) Control the processing - Not a defined term in the PDPA - Refers to the organisation on whose behalf a DI is processing personal data - Controls the purposes and sometimes the manner of processing - Responsible for personal data processed on its behalf by the DI - All obligations apply c.f. DI - Data controller vs Data intermediary (DC vs DI) - Using employment agency as eg: - - Collection, use and disclosure - Not defined in the PDPA -- but dictionary meaning - Overlaps with the defined term "processing" - "processing", in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: - \(a) recording; - \(b) holding; - \(c) organisation, adaptation or alteration; - \(d) retrieval; - \(e) combination; - \(f) transmission; - \(g) erasure or destruction; #### Interaction with other laws: PDPA s 4(6) - [Nothing] in the Data Protection Provisions [affects any authority, right, privilege or immunity conferred], or obligation or limitation imposed, by or under the law - [Performance of a contractual obligation is not an excuse] for contravening the PDPA (**Cannot contract out of PDPA** -- where PDPA requires obligation) - In the event of any inconsistency between the Data Protection Provisions and provisions of another written law, the [provisions of the other written law will prevail] - "written law" → if another written law is inconsistent with the pdpa, the other written law will prevail - Written law includes general legislation, subsidiary legislation, other instruments that qualify as written law (but mainly parliamentary legislation) - If the 2 written laws are consistent w each other and imposes additional requirements, then organisations must comply with both ### Obligations of Organisations Overview #### **When** are organisations permitted to collect, use and disclose personal data? Obligations: - Purpose Limitation Obligation (**s 18**) - Only for appropriate, reasonable, lawful, legitimate purposes - Consent Obligation / Legal Bases for Processing (**ss 13-14**) Obtain consent from individual -- but not an absolute obligation - Many scenarios where consent isn't required - Notification Obligation (**ss 15A, 20**) Notify individuals of use and disclosure of personal data - \*\*Need to know relevant sections tied to obligations #### Organisations' obligations when [processing personal data] - Data Minimisation (part of Purpose Limitation) Ensure only appropriate data is collected - [Accuracy Obligation] Requires organisations to make an effort to ensure data is accurate and complete (esp. where there is collection from secondary source -- need to take steps to make sure that it is accurate; also different from concept of truthfulness) - [Protection Obligation] Requires organisations to implement reasonable security measurements to protect data - [Data Breach Notification Obligation] Requires organisations to assess whether data breach is notifiable to the PDPC/affected individuals - Retention Limitation Obligation Requires organisations to cease retaining documents containing personal data once they are not required #### Organisations' obligations when disclosing / transferring personal data to another organisation (DC or DI)? - Obligations relating to disclosure to DIs - Transfer Limitation Obligation - What **governance measures** must organisations put in place? - Accountability Obligation ### Data Lifecycle ![A diagram of a company Description automatically generated](media/image2.png) A diagram of a diagram Description automatically generated #### Points to Note - Purpose Limitation - Key purposes / allowable purposes or reasons for collection of data: reasonable, appropriate, lawful, legitimate, relevant - Consent - One of several legal bases under which organisations may collect, use and disclose personal data - Legal bases for processing under the PDPA include: - Legal obligations / authority under written law - Consent and general deemed consent - Deemed consent by contractual necessity - Vital interests of individuals - Public matters - Legitimate interests of organisations - Business assess transactions - Business improvement purposes and research - Data Minimisation and Accuracy - Data minimisation is part of [Purpose Limitation] - Limit the collection of information to what is directly relevant and necessary to accomplish a specified purpose - Lay the groundwork for good data analysis and decision-making - Ensures relevant, accurate and complete data is used by organisations - Disclosure to DIs - Pursuant to **contract** - Key Qn: What clauses / obligations must be included? - What optional clauses / obligations may be included (depending on the scope of services)? - E.g., DC can include clause that DI obtains consent on behalf of DC OR DC can find a way to obtain consent directly - Hint: Consider each of the Data Protection Provisions - Transfer Limitation - Permitted modes are set out in PDPR Part 3 -- Transfer of Personal Data outside Singapore - Accountability - Two key elements: - **Responsibility** for personal data (see PDPA section 11(2)) An organisation is responsible for personal data in its possession or under its control. - Being able to demonstrate how the organisation has **discharged its responsibility** - May include: - Measures [specified in the PDPA] (e.g., appoint a DPO, develop data protection policies and practices) - Measures required to comply with the Data Protection Provisions (e.g., conduct a data inventory) - PDPC has given guidance on developing a Data Protection Management Programme (DPMP) and related documents and practices (not covered in this unit) - Do Not Call Obligations - Not covered in detail but note the 3 main obligations (sections 43, 44 and 45) - S 43: Duty to check register (Valid confirmation that the SG telephone number is not listed in the relevant register) - S 44: Contact information (Must not send specific message addressed to a SG telephone number unless specified message includes clear and accurate information of identification) - S 45: Calling line identity not to be concealed - Note that telemarketing is also covered by the Data Protection Provisions ### Rights of Individuals Overview - Organisations must give effect to rights on individuals under the PDPA - Depends on exercise of the right by the individual concerned - Main Rights: - Right to Withdraw Consent - Right of Access (PDPC's Access and Correction Obligation) - Right of Correction (PDPC's Data Portability Obligation) - Right to Data Portability \*Not tested - Right of Private Action Rights of Individuals: Highlights (??) #### Right to Withdraw Consent - PDPA section 16 - \(1) On giving reasonable notice to the organisation, [an individual may **at any time withdraw** any consent given], or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose. - \(2) On receipt of the notice mentioned in subsection (1), the organisation concerned must [inform the individual of the likely consequences of withdrawing his or her consent]. - Organisations **must give effect to the withdrawal of consent** (and not prohibit individual from withdrawing his or her consent), although [this does not affect the legal consequences which may arise] (e.g. them terminating the contract) - Organisations [may continue to collect, use and disclose personal data] if doing so without consent is authorised under written law #### Rights of Access and Correction - PDPA sections 21 and 22 and PDPR Part 2 #### Right to Data Portability - Not yet in force (not covered in this unit) Not tested #### Right of Private Action - **PDPA section [48O]** Person who suffers loss or damage directly as a result of a contravention under specified provisions has a [right of action for relief in civil proceedings in court]. Court may grant to claimant: (a) relief by way of injunction or declaration; (b) damages; (c) any other relief as the court thinks fit - See *Reed, Michael v Bellingham, Alex (Attorney-General, intervener)* \[2022\] SGCA 60 (Note: This case relates to the former PDPA section on right of private action which was repealed and replaced by section 48O) - **Facts:** R contacted A (investor) in the Edinburgh Fund. A found it unacceptable that R knew his name, personal e-mail address and investment activity in the Edinburgh Fund. HC held that R had contravened ss 13 and 18 of PDPA by collecting and using the Personal Data to market QIP's services. However, HC held that the appellant had suffered no "loss or damage" under s 32(1) PDPA. To commence a private action under s 32(1) ("s 32 action"), "loss or damage" had to have resulted directly from the breach of Pts IV--VI of the PDPA. HC rejected the A's argument that his emotional distress and the loss of control over his Personal Data fell within the meaning of "loss or damage" - **Held:** Allowing the appeal - **"Loss or damage" included emotional distress** -- based on statutory interpretation, statute expressly created the right of private action - Step (a): Possible interpretations Noting in text and context of statue justified narrowing the meaning of "loss or damage" - Step (b): General and specific purpose - Regarding the general purpose of the PDPA, Parliament intended a degree of robustness in the protection afforded to individuals' personal data - As for the specific purpose of the "loss or damage" requirement in s 32(1), its scope should not be read down just to prevent frivolous lawsuits. This concern was addressed by the strict causal link requirement in s 32(1) and the principle that there was no legal recourse for minimal loss - Step (c): Ascertaining which interpretation furthered the purpose of the PDPA and s 32(1) - The [Wide Interpretation better promoted the general purpose] of the PDPA and the specific purpose of s 32(1) 1. Parliament intended to provide robust protection for individuals' personal data; 2. Availability of injunctive and declaratory relief under s 32(3)(a) signalled Parliament's recognition that the loss or damage caused by breaches of the PDPA might not be adequately compensated by damages or susceptible to easy quantification - "Loss or damage" [excluded mere loss of control] over personal data - Appellant suffered emotional distress Multi-factorial approach: Relevant factors included the [nature of the personal data] involved in the breach, the [nature of the breach], the [nature of the defendant's conduct], the [risk of future PDPA breaches] causing emotional distress to the claimant and the [actual impact of the breach] on the claimant. Negative emotions that formed part of the ordinary vicissitudes of life did not amount to emotional distress - 1\. R had refused to undertake not to use the Personal Data in the future, rendering A vulnerable to misuse - 2\. The Personal Data included information about the appellant's personal investments. Such information fell within the category of financial data that was sensitive - 3\. A reasonably perceived a real prospect of future misuse of the Personal Data given the respondent's refusal to offer an undertaking - 4\. R was evasive when confronted and dismissive of the appellant's concerns about the Personal Data ### Enforcement of the PDPA PDPC's Investigative and Enforcement Powers - PDPC exercises powers of investigation under PDPA section 50 and various powers of enforcement under PDPA Part 9C - PDPC's powers of enforcement include: - Power to refer a complaint to mediation or other modes of alternative dispute resolution - Power to [review an organisations response] to a request for access to, or correction or porting of, personal data - Power to [issue a direction for non-compliance] (Remedial direction -- e.g. may ask Co to destroy data) - Power to require [payment of a financial penalty] of up to 10% of the annual turnover of the organisation in Singapore or \$1 million, whichever is higher (for breaches of the Data Protection Provisions) High penalty compared globally - Power to accept a voluntary undertaking (usually where organisation has contravened and offers a voluntary undertaking in lieu of investigation) - PDPA includes provisions for [reconsideration of, and appeal against, PDPC's decision] (**s 48N** and **Part 9C**) - Legal effect of advisory guidelines issued by **PDPC** under **PDPA**: - Although advisory guidelines are not legally binding, (bc its not legislation, not subsidiary legislation), but the PDPA advisory guidelines say that it is the guidelines issued by the PDPC on how they are gg to interpret + apply PDPA. - ∴ although not legally binding, they are a v strong indication of how PDPC is going to apply it. - From compliance pov, you would want to comply w the advisory guidelines - Pretty much binding on companies, if not directly in law, at least through their processes ### Specific Topics Consider how the PDPA applies to the following (see Selected Topics Guidelines): - Analytics and research - If personal data is used, individuals have to be informed of and consent to the purposes for which their personal data are collected, used, and disclosed by organisations, unless any exception under the PDPA applies "The Consent Obligation"; "The Notification Obligation" - Exceptions: Collection and use without consent - Part 5 of First Schedule and Division 2 under Part 2 of the Second Schedule ("Business improvement exception") - Division 3 under Part 2 of the Second Schedule to the PDPA ("Research exception") - Anonymisation - Tested: Retention limitation: if organization anonymizes data, you have met retention limitation - Will not test HOW to anonymise data - The term 'anonymisation' refers to the process of converting personal data into data that cannot identify any particular individual and, depending on the specific process used, can be reversible or irreversible. The reversibility of the specific process used would be a relevant consideration for organisations when managing the risk of re-identification - Anonymisation involves a set of risk management controls. Data would not be considered anonymised if there is a serious possibility that an individual could be re-identified - For data to be considered **anonymised**, the following criteria should be met: - \(a) All **direct identifiers** should be removed - Full name, NRIC no. - By definition these are personal data; even if it is a common name - \(b) All **indirect identifiers** that can be used to re-identify individuals when matched with publicly available or proprietary information that the organisation knows the data recipient has access to should be altered or removed to prevent re-identification from the data. - Gender, nationality, age, blood group - With these data, you might be able to identify someone even without an identifier - For example, if there is only one female, 40-year-old Swedish national with AB+ blood type in a particular group, she could be identified with just these details. - Gender + nationality + occupation = Likely to narrow down an individual in a small company or community. - Age + postal code + health condition = May link to a person in a hospital or census data. - Risk of identification = higher risk = higher chance of it being labelled as personal data - \(c) Additional **safeguards** may be implemented by the data recipient to restrict access and use of the **anonymised data** to reduce the risks of disclosure and thus risks of re-identification, depending on the extent of anonymisation performed and assessed re-identification risks, such as - \(i) limiting the number of data recipients to whom the information is disclosed and the number of persons that can access the information; - \(ii) imposing restrictions on the data recipient(s) on the use and subsequent disclosure of the data; - \(iii) requiring the data recipient(s) to implement processes to govern the proper use and disclosure of the anonymised data in line with the imposed restrictions; and/or - \(iv) requiring the data recipient(s) to implement processes and measures for the destruction of data as soon as the data no longer serves any business or legal purpose - \(d) **Stringent internal safeguards** should be implemented on the **set of information** (e.g., identity mapping tables or other datasets containing linkable information) that can be used to re-identify individuals from the anonymised data, such as -- - \(i) organisational structures; - \(ii) policies, administrative rules or processes; - \(iii) technical measures (e.g. using encryption to restrict access to the information, limiting access to only authorised users, and controlling access through passwords); and/or - \(iv) physical measures (e.g. restricted access to information storage areas). - \(e) **Periodic reviews** should be conducted, particularly where anonymised data is disclosed over a period of time in an ongoing relationship, to ensure that the risk of re-identification from the anonymised data is minimised and acceptable. The review should assess - \(i) the adequacy of anonymisation techniques and risk management controls in relation to the current state of technology; and - \(ii) the robustness of organisational, legal, processes and other nontechnical measures to manage the risks of re-identification, considering technological developments over time - Online activities - Data generated include identifiers provided by user or organisations, identifiers that are programmatically generated and assigned (e.g. IP addresses) - Collection of data by organisations from and about customers, when inked to an identifier, will form art of the personal data that the organisation is collecting about individuals) - Consent not required for cookies that: (1) Do not collect personal data; or (2) For internet activities that the user has clearly requested (e.g., streaming content, where activity cannot take place without cookies that collect, use or disclose personal data) - Cloud services - Where the cloud service provider (CSP) is **processing personal data** on behalf and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing, the CSP is considered a **data intermediary** and subject to the Protection, Retention Limitation and Data Breach Notification Obligations under the PDPA. - Its Protection, Retention Limitation and Data Breach Notification Obligations extend to personal data that it processes or hosts for the organisation in data centres outside Singapore. - The CSP, as an organisation in its own right, remains responsible for complying with all Data Protection Provisions in respect of its own activities which do not constitute processing of personal data under the contract. - Data intermediary - CYBERSECURITY REGULATION UNDER PDPA AND CYBERSECURITY ACT --------------------------------------------------------- ### Introduction - What is cybersecurity? - "Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks" (Source: Kaspersky website) - Protecting confidentiality, integrity and availability of systems and data (the "CIA" of cybersecurity) - Resilience of systems - What is cybersecurity law? - Laws that regulate how businesses and other organisations: - Protect their computer systems and data from cyber-attacks - Respond to cyber-attacks and data breaches ### Laws that Regulate Cybersecurity - \*CYSA: CII and other systems - \*PDPA: Protection of Personal Data - Sectoral Laws: Financial information - Sectoral Laws: Healthcare Information - Sectoral Laws: Telecom Systems - Others (e.g. national security laws) #### Why Regulate Cybersecurity? - Significant increase in number of cyberattacks in recent years - Some motivations of cyber-criminals: - Organised crime - To make a profit from their criminal activities - Corporate cyber-espionage - State actors - Individual reputation - Cyber-activism (Hacktivism) - Numerous types of malware: - Ransomware - Hit 65% of organisations in Singapore in 2021 (source: Sophos) -- Trojans -- Viruses -- Spyware -- Worms -- Adware - Phishing - Hacking - Botnets & DDoS attacks - Identity Theft - Website Spoofing #### How does a cyber-attack take place? Singapore Health Services & Integrated Health Information Systems \[2019\] SGPDPC 3 - What were the facts of this case (in brief)? - Cyberattack resulting in personal data of some 1.5m patients and outpatient prescription records of nearly 160k patients exfiltrated - What was the relationship between SingHealth and IHiS? - SingHealth = Group of public healthcare institutions for the provision of healthcare services - IHiS = Central National IT agency for the public healthcare sector in SG -- Centralises all IT functions and capabilities of PHIs. But IHiS designates some IT personnel to be redeployed to the Clusters to be responsible for providing leadership and direction for the IT security program as well as executive management oversight of the local Cluster IT systems - SCM used by SingHealth for patient care and management IT tea, at SingHealth manages it - What were the steps / actions taken by the hacker to gain access to the system and data? - Attacker gained initial access to SCM network by infecting a user's workstation -- likely through a phishing attack, which led to malware and hacking tools subsequently being installed and executed on the user's workstation - Once the attacker established an initial foothold through the affected workstation, the attacker used customised malware to infect and subsequently gain remote access to and control of other workstations - From these compromised workstations, the attacker was able to gain access to and control of two user accounts: (i) a local administrator account, and (ii) another service account (a special user account that applications or services use to interact with the operating system) - Through these Compromised Accounts, the attacker was able to gain access to and control of the Citrix servers located at SGH ("SGH Citrix Servers") thereafter managed to get login credentials for the SCM database from H-Cloud Citrix server - Between 27 June and 4 July 2018, the attacker used the stolen SCM database login credentials to access and run numerous bulk queries from one of the compromised SGH Citrix Servers on the SCM database. Data that was illegally accessed and copied through such queries was then exfiltrated by the attacker through the initial compromised workstations to the attacker's overseas Command and Control ("C2") servers - How did SingHealth and IHiS staff respond in the course of the incident? - Suspicious circumstances were raised, alerted but no formal action was taken Waited passively for updates - After discovery -- Remedial actions: PW changes; Monitoring of administrator accounts; Tightened firewall rules; Reset system etc. - What were the specific security shortcoming identified by the Personal Data Protection Commission in its decision? - Failed to comply with various incident response policies and SOPs - IHiS had not taken sufficient security steps or arrangements to protect personal data Weaknesses, lapses and failures on part of IHiS personnel ### Cybersecurity Act 2018 #### Part 1 and Part 2: Introduction (Preliminary and Administration) Purpose and Overview - Cybersecurity Act 2018, Long title: - An Act to: - require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents - regulate owners of critical information infrastructure - regulate cybersecurity service providers - Provisions: - Part 1 -- Preliminary - Part 2 -- Administration (appointment of Commissioner of Cybersecurity, etc.) - Part 3 & First Schedule -- Critical Information Infrastructure ("CII") - Part 4 -- Responses to Cybersecurity Threats and Incidents - Part 5 & Second Schedule -- Regulation of Cybersecurity Service Providers \[not covered in this unit\] Scope - Part 3 applies to: - Any CII wholly or partly in Singapore (per s 3(1)) - Any computer or computer system wholly or partly in Singapore (per s 3(2)) - Part 4 applies to activities and service providers in Singapore generally #### Key Definitions (Section 3) - ***CII:*** a computer or a computer system designated under s 7(1) -------------------------------------------------------- **Designation of critical information infrastructure** -------------------------------------------------------- - +-----------------------------------------------------------------------+ | **7.**---(1) The Commissioner may, by written notice to the owner of | | a computer or computer system, designate the computer or computer | | system as a critical information infrastructure for the purposes of | | this Act, if the Commissioner is satisfied that --- | | | | the computer or computer system is necessary for the continuous | | delivery of an essential service, and the loss or compromise of the c | | omputer or computer system will have a debilitating effect on the ava | | ilability of the essential service in Singapore; and | | -- ---------------------------------------------------------------- | | --------------------------------------------------------------------- | | --------------------------------------------------------------------- | | ------------------------------------------------------ | | the computer or computer system is located wholly or partly in S | | ingapore. | | | | - | +-----------------------------------------------------------------------+ - - ***Computer:*** "an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device..." - Excludes prescribed devices (none at present) - ***Computer System:*** an arrangement of interconnected computers and includes: - "An information technology system" - "An operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system" - ***Cybersecurity:*** The state in which a computer or computer system is protected from unauthorised access or attach such that the following is maintained (note: the "CIA" of cybersecurity): - **Confidentiality** of information processed, etc. by the computer or computer system (what about the computer / system itself?) - **Integrity** of the computer or computer system or the information it processes, etc. - **Availability** of the computer or computer system (and information?) - ***Cybersecurity Threat:*** "an act or activity (whether known or suspected) carried out on or through a computer or computer system, that [may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system]" - ***Cybersecurity Incident:*** "an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system" - ***Essential Service:*** "any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule" - Essential services in the First Schedule include: -- Aviation, Land Transport or Maritime -- Banking and Finance -- Energy or Water -- Info-communications or Media -- Functioning of Government -- Security and Emergency Services -- Healthcare #### Part 3: Regulation of CII / Critical Information Infrastructure ##### Designation of CII (s 7) - The Commissioner may obtain information from a person who appears to be exercising control over a computer or computer system for the purpose of ascertaining whether it fulfils the criteria of a CII (**CYSA s 8(2)**) - Failure to comply is an offence (**s 8(4))** - Same exception for legal privilege as **s 19** - The Commissioner **may designate a computer or computer system as CII** if both of the following apply **(s 7(1)):** - The computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore - The computer or computer system is located in Singapore - A designation under **s 7(1)** - Must inter alia **inform the owner of the CII of the owner's duties and responsibilities** under the CYSA that arise from the designation **(s 7(3))** - Is valid for 5 years (**s 7(3))** - See also sections 8 and 9; additional procedures are found in the Cybersecurity (Critical Information Infrastructure) Regulations 2018 \[not covered\] ##### Obtaining Information Relating to a CII (ss 10, 12 & 13) - The Commissioner may require the owner of a CII to furnish the following information (s 10(1)): - Information on the design, configuration and security of the CII or any other computer or computer system under the CII owner's control that is [interconnected or communicates with that CII ] - Information relating to the operation of that CII or other computer or computer system - Any other information in order to ascertain the level of cybersecurity of the CII - **Material changes** to the design, configuration, security or operation are to be updated **within 30 days** (s 10(5)) - Any **change in the beneficial or legal ownership** must be notified to the Commissioner **within 7 days by the former owner,** if the whole ownership is transferred, or otherwise any owner of the CII (s 13(1)) - Failure to comply with any of the above is an offence (ss 10(2), 10(7) & 13(2)) - Same exception for legal privilege, etc. as s 19 ##### Codes of Practice and Standards of Performance (s 11) - The Commissioner may issue or approve one or more codes of practice or standards of performance for the regulation of the owners of CII with respect to measures to be taken by them to ensure the cybersecurity of the CII (s 11(1)(a)) - **Every owner of a CII must comply with the codes of practice and standards of performance** that apply to their CII (following publication of a notice relating to the code or standard[) unless otherwise waived by the Commissioner] under s 11(7) (s 11(6)) - The Commissioner may amend or revoke any code of practice or standard of performance (s 11(1)(b))) - The Commissioner must publish a notice of the issuance, approval, amendment or revocation of a code of practice or standard of performance (s 11(3)) failing which it does not take effect (s 11(4)) - A code of practice or standard of performance **does not have legislative effect** (s 11(5)) and **any of its provisions that is inconsistent with the CYSA does not have effect** (to the extent of the inconsistency) (s 11(2)) - The Commissioner for Cybersecurity / CSA issued the Cybersecurity Code of Practice for Critical Information Infrastructure on 4 July 2022, last updated 12 Dec 2022 ( ##### Directions to Ensure Cybersecurity of a CII (s 12) - The Commissioner may issue a direction to the owner(s) of a CII in order to ensure the cybersecurity of the CII or it is necessary or expedient for the administration of the CYSA (s 12(1)) - **Without limitation**, a **direction** may include the following (s 12(2)): - The **action to be taken by the owner(s)** in relation to a cybersecurity threat - **Compliance** with any code of practice or standard of performance applicable to the owner(s) - **Appointment of an auditor** approved by the Commissioner to audit the owner(s) on their compliance with the CYSA or any code of practice or standard of performance applicable to the owner(s) - Process for issuance of a direction includes giving the owner an opportunity to make representations (s 12(4) & (5)) - Failure to comply is an offence (s 12(6)) ##### Duty to Report Cybersecurity Incident in respect of CII (s 14) - The owner of a CII must notify the Commissioner upon the occurrence of any of the following (s 14(1)): - A **prescribed cybersecurity incident** in respect of the CII or any other computer or computer system under the CII owner's control that is interconnected with or that communicates with the CII - Any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner - The owner of a CII must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the CII, as set out in any applicable code of practice (s 14(2)) - failure to comply is an offence (s 14(3)) ##### Cybersecurity Audits and Risk Assessments (s 15) - The **owner of a CII must comply** with the following (s 15(1)): - At **least once every 2 years**, **cause an audit to be carried out of the compliance of the CII** with the CYSA and the applicable codes of practice and standards of performance (to be done by an auditor approved or appointed by the Commissioner) - At least once a year, conduct a cybersecurity risk assessment of the CII - The owner of a CII must furnish a copy of the audit report or risk assessment to the Commissioner within 30 days of completion (s 15(2)) - See the rest of the section for further details - Failure to comply is an offence (s 15(7) & (8)) ##### Cybersecurity Exercises (s 16) - The Commissioner **may conduct cybersecurity exercises for the purpose of testing the state of readiness** of owners of different CII in responding to significant cybersecurity incidents. - An owner of a CII must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner - Failure to comply is an offence (s 15(7) & (8)) #### Part 4: Response to Cybersecurity Threats and Incidents ##### Investigation (s 19) - The Commissioner may **investigate any cybersecurity threat or incident** for the following purposes **(s 19(1)):** - **Assessing the impact or potential impact** of the cybersecurity threat or incident - **Preventing harm** arising from the cybersecurity incident - **Preventing a further cybersecurity incident** from arising from that cybersecurity threat or incident - The Commissioner's **powers of investigation** **(s 19(2))** **may be applied as against any person** (e.g. to compel attendance and obtain information) and **failure to comply is an offence (s 19(8))** - **Legal Privilege**, etc.: Disclosure of information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information is not required, except that the performance of a contractual obligation is not an excuse for not disclosing the information **(s 19(6))** ##### Elimination of Serious Threats and Incidents (s 20) - The Commissioner has additional powers in relation to any cybersecurity threat or incident that meets any of the following criteria (s. 20(3)): - It creates a risk of significant harm being caused to a CII - It creates a risk of disruption to the provision of an essential service - It creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore - It is of a severe nature, in terms of the severity of the harm that may be caused to persons in Singapore or the number of computers or value of the information put at risk, [whether or not the computers or computer systems put at risk are themselves CII] - The Commissioner **may investigate** any such serious cybersecurity threat or incident for the following purposes (s 20(1)): - **Assessing** the impact or potential impact of the cybersecurity threat or incident - **Eliminating** the threat or preventing harm arising from the cybersecurity incident - **Preventing** a further cybersecurity incident - For such serious cybersecurity threats and incidents, the Commissioner may: - In addition to the powers under s 19(1) -- **direct, (by written notice) any person to carry out remedial measures, or to cease carrying on certain activities** in relation to a computer or computer system that \[...\] is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system - Require the owner of a computer or computer system to take any action to assist with the investigation (examples in the Act) - Enter premises, perform scans, obtain records, etc. - Examples of **remedial measures** (under s 20(2)) include the following: - Removal of malicious software from the computer; - Installation of software updates to address cybersecurity vulnerabilities; - Temporarily disconnecting infected computers from a computer network until the above is carried out - Redirection of malicious data traffic towards a designated computer or computer system #### Part 4: Cybersecurity Code of Practice Governance of Cybersecurity - Key requirements in the Cybersecurity Code of Practice for CII, Section 3: - Leadership and oversight - Adequate resources to cybersecurity strategy and application to CII - Effective leadership from the board and senior management - Risk management - Risk management framework to identify, analyse, evaluate and address (respond to) cybersecurity risks in a cost-effective manner - Maintain a risk register for each CII - Policies, Standards, Guidelines and Procedures - Policies and standards for (internal) compliance - Guidelines on best practices - Procedures with specific actions to be taken - Security-by-Design, Cybersecurity Design Principles and Change Management are not covered - Use of Cloud - Organisation remains responsible for maintaining oversight of cybersecurity and managing cybersecurity risks to CII even if CII is wholly or partly implemented using cloud computing systems - Outsourcing and vendor management - Organisation remains responsible for cybersecurity even if it engages an external party to perform any functions with respect to the CII - Controls must be implemented to minimise cybersecurity risks ### PDPA 2012 #### Part 1: Protection of Personal Data ##### Protection of Personal Data (s 24) - Although data protection laws predated the advent of the Internet and the wide-spread use of computing devices we have today, they typically included a [specific obligation to protect personal data] - Under the PDPA, all organisations are required to protect personal data by making reasonable security arrangements to prevent the following (s 24): - **Unauthorised access,** collection, use, disclosure, copying, modification, disposal or similar risks - Loss of any storage medium or device on which personal data is stored - In a modern context, as most data is stored in electronic form in computers, computer systems and other electronic / digital devices and systems, **this translates to requirements to ensure cybersecurity of systems and databases containing personal data** - Requirements: - Covers personal data in the possession or under the control of the organisation - **"Reasonable security arrangements" -- not defined** (Side note: This kind of wording is found in many other countries law including, e.g. EU and US) - Measured objectively - Put in place arrangements that match risk to data - Two key elements, measures are to prevent: - Unauthorised access, etc. to personal data - Loss of storage media / devices containing personal data - PDPC's Advisory Guidelines on Key Concepts in the PDPA, para 17 - "There is **no 'one size fits all'** solution for organisations to comply with the Protection Obligation. Each organisation should consider adopting security arrangements that are reasonable and appropriate in the circumstances..." - Factors to take into consideration: - **Nature** of the personal data - **Form** in which the personal data was collected (e.g. electronic or physical) - **Possible impact** to the individual concerned if an unauthorised person obtains, modifies or disposes of the personal data - In practice, an organisation should: - Design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that may result from a security breach - [Identify reliable and well-trained personnel] responsible for ensuring information security - [Implement robust policies and procedures] for ensuring appropriate levels of security for personal data of varying levels of sensitivity - Be prepared and able to respond to information security breaches promptly and effectively - Security arrangements include: - Administrative measures (e.g. confidentiality obligations, robust policies, staff training) - Technical measures (e.g. network security measures, access control, use of encryption) - Physical measures (e.g. physical locks, privacy filters, proper disposal of physical documents) - In relation to data intermediaries and the organisations that engage them (data controllers), note that [section 24 applies to both] (per S. 4(2) & (3)) - Scope of responsibility depends on **extent of tasks to be done by each**: - **Processing** by the **data intermediary** (implement necessary technical, physical and administrative measures) - **Governance** by the **data controller** (implement, typically via contract, measures to govern the data intermediary's protection of personal data) #### Part 2: Data Breach Notification Scope - Definition/Concepts (Ss 26A & 26B): - **Data Breach**: (a) unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) loss of any storage medium or device on which personal data is stored in **circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur** - Cf. s 24 -- no bold part Different definition of data breach - Notifiable Data Breach: A data breach that (a) results in, or is likely to result in, significant harm to an affected individual or (b) is, or is likely to be, of a significant scale - A data breach is deemed to result in significant harm and is deemed to be of significant scale in **prescribed circumstances** (s 26B(2) & (3)) - Significant harm: see Personal Data Protection (Notification of Data Breaches) Regulations 2021 ("DBN Regulations"), reg. 3 and Schedule (see next slide) - Significant scale: 500 (see DBN Regulations, reg. 4) - Notwithstanding the above, a data breach within an organisation is not notifiable (s 26B(4)) ##### Conduct an Assessment of a Data Breach ###### By data intermediary: - Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control: - Data Intermediary (DI): If the organisation is a data intermediary and the affected data is data it is processing for the data controller, the organisation (DI) **must notify the data controller (DC) of the data breach without undue delay** (**PDPA s 26C(3)**) - Regardless of whether data breach was discovered by DC or DI, DC would have to do a reasonable and expeditious assessment - Steps: - Is there data breach / reason to believe that a data breach has occurred? (if yes proceed) - DI must notify DC without undue delay (typically 24h) → notwithstanding whether this is a notifiable breach (to PDPC) - DC must assess in reasonable + expeditious manner (up to 30days) whether it is notifiable breach to PDPC - Yes: if the breach poses a risk of significant harm to affected individuals → notify → 3 calendar days to notify - Notify affected individuals: no prescribed timeframe ("on or after notifying PDPC) ###### By data controller: - Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control: - Data Controller (DC): If the organisation is a data controller, it must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach (**PDPA s 26C(2))** - Regardless of whether data breach was discovered by DC or DI, DC would have to do a reasonable and expeditious assessment - Steps: - Did this alert come from DI? If yes see [By data intermediary:](#by-data-intermediary) to address DI's obligations - DC must assess in reasonable + expeditious manner (up to 30days) whether it is notifiable breach to PDPC - Yes: if the breach poses a risk of significant harm to affected individuals → notify PDPC → 3 calendar days to notify - notify the affected without undue delay: no prescribed timeframe ("on or after notifying PDPC") - Timeframe: Without undue delay (Likely 1-2 days, fairly quickly) = Expeditious - take reasonable and expeditious steps to assess the breach and decide on necessary actions to mitigate any potential harm. Delays in this assessment can lead to enforcement actions by the Commission. - implementation of Policies: The data controller should have policies and procedures in place to manage data breaches effectively, ensuring compliance with the Data Breach Notification Obligation. - Also note obligation of a data intermediary of a public agency (s 26E) ##### Notification to PDPC -- within 3 calendar days - Where an organisation assess that a data breach is notifiable, it must notify PDPC as soon as practicable and, in any case, within 3 calendar days (s 26D(1)) - Notification to PDPC is to be made **via the PDPC website** (www.pdpc.gov.sg) - The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3)) - The specific information required is set out in the DBN Regulations (reg. 5) and the relevant webform on the PDPC website - Notification to PDPC (and affected individuals -- see next slide) **apply concurrently with any other obligation of the organisation to notify any other person** (e.g. CSA) of the occurrence of a data breach ##### Notification to Affected Individuals - Where an organisation assess that a data breach is notifiable and it results, or is likely to result, in significant harm to the affected individuals, it must also notify the affected individuals on or after notifying PDPC (s 26D(2)) - Notification to the affected individuals is to be **made in any manner that is reasonable in the circumstances** (s 26D(2)) - The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3)) - The specific information required is set out in the DBN Regulations (reg. 6) - **Exceptions** to this requirement: - If the organisation, on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(a)) - If the organisation had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(b)) - If a prescribed law enforcement agency so instructs or PDPC so directs (s 26D(6)) - PDPC, on application by the organisation, waives this requirements (s 26D(7)) PREVENTION OF ONLINE THREATS AND FALSEHOODS (POHA) -------------------------------------------------- ### POHA #### Part 1: Scope and Offences Scope of POHA - Definitions: - Entity: any **company** or **association** or **body of persons** (whether corporate or unincorporate), but **excludes any public agency**; ##### Criminal Offences under POHA Section 3: Intentionally causing harassment, alarm or distress - An **individual or entity** **must not with intent to cause any person harassment, alarm or distress** by engaging in any of the **following conduct** with the intent of causing, harassment, alarm or distress to another person: - **Use any threatening, abusive or insulting words or behaviour** -- make any threatening, abusive or insulting communication - Publish any identity information of the target person or a related person of the target person - Contravention is an offence which may lead to a fine not exceeding \$5,000, imprisonment for up to 6 months or both - It is a **defence** for the accused individual or entity to **prove that their conduct was reasonable** - Illustrations: - \(c) X and Y were formerly in a relationship which has since ended. X writes a post on a social media platform making abusive and insulting remarks about Y's alleged sexual promiscuity. In a subsequent post, X [includes Y's photographs and personal mobile number, intending to cause Y harassment by facilitating the identification or contacting of Y by others]. Y did not see the posts, but receives and is harassed by telephone calls and SMS messages from strangers (who have read the posts) propositioning Y for sex. X is guilty of an offence under section 3(2) in relation to each post. - \(d) X records a video of Y driving recklessly in a car on the road. X posts the video on an online forum, where people share snippets of dangerous acts of driving on the road. X posts the video with the intent to warn people to drive defensively. X has not committed an offence under this section Section 4: Harassment, alarm or distress - An individual **must not engage in any of the following conduct** which is likely to be heard, seen or otherwise perceived by any person and is likely to cause harassment, alarm or distress: - Use any threatening, abusive or insulting words or behaviour - Make any threatening, abusive or insulting communication - Contravention is an offence which may lead to a fine not exceeding \$5,000 - It is a **defence** for the accused individual or entity to prove that: - The accused had no reason to believe that the words or behaviour used or communication made would be heard, seen or otherwise perceived by the person in question; or - Their conduct was reasonable Illustration: (a) X and Y are classmates. X posts a vulgar tirade against Y on a website accessible to all of their classmates. One of Y's classmates shows the message on the website to Y, and Y is distressed. X is guilty of an offence under this section Section 5: Fear, provocation or facilitation of violence -- Doxing - Note elements of the offence(s), penalties and defences - \(1) An individual or entity must not by any means use towards another person (called in this section, except subsection (1A), the victim) any threatening, abusive or insulting words or behaviour, or make any threatening, abusive or insulting communication to another person (also called in this section, except subsection (1A), the victim), either --- - \(a) with the **intent** --- - \(i) to cause the victim to believe that unlawful violence will be used by any person against the victim or any other person; or - \(ii) to provoke the use of unlawful violence by the victim or another person against any other person; or - \(b) whereby --- - \(i) the victim is likely to believe that such violence mentioned in paragraph (a)(i) will be used; or - \(ii) it is likely that such violence mentioned in paragraph (a)(ii) will be provoked. - (1A) An individual or entity **must not by any means publish any identity information** of [another person (called in this subsection the victim) or a related person of the victim], either --- - \(a) with the intent --- - \(i) to cause the victim to believe that unlawful violence will be used against the victim or any other person; or - \(ii) to facilitate the use of unlawful violence against the victim or any other person; or - \(b) knowing or having reasonable cause to believe that it is likely --- - \(i) to cause the victim to believe that unlawful violence will be used against the victim or any other person; or - \(ii) to facilitate the use of unlawful violence against the victim or any other person. - Contravene: Fine not exceeding **\$5,000** or to imprisonment for a term not **exceeding 12 months** or to both. - In any proceedings for an offence under subsection (2), it is a **defence** for the accused individual or accused entity (called in this section the accused) to prove --- - \(a) in respect of a contravention of subsection (1)(b), that the accused had no reason to believe that the words or behaviour used, or the communication made, by the accused would be heard, seen or otherwise perceived by the victim; or - \(b) that the accused's conduct was reasonable. - Illustrations: - \(a) X and Y are classmates. X writes a post with threatening and abusive remarks against Y on a website accessible to all their classmates. X writes a subsequent post on the same website, stating Y's identity information and stating "Everyone, let's beat Y up!". X is guilty of an offence under this section in respect of the subsequent post. - \(b) X writes a public post on a social media platform containing threats against Y. X publishes a subsequent public post stating A's home address and a message "I know where you live". X is guilty of an offence under this section relating to conduct mentioned in section 5(1A)(a)(i) if X intends the subsequent post to cause Y to believe that violence will be used against A, or an offence under this section relating to conduct mentioned in section 5(1A)(b)(i) if X knows that it is likely that Y will believe that violence will be used against A as a result of X's subsequent post. \(c) X writes a post (on a social media platform to which Y does not have access) containing threats of violence against Y and calling others to "hunt him down and teach him a lesson". B posts Y's home address in reply to X's post. B is guilty of an offence under this section Section 6: Offences in relation to public servant or public service worker - Note elements of the offence(s), penalties and defences - \(1) An individual or entity that by any means --- - \(a) uses any indecent, threatening, abusive or insulting words or behaviour; or - \(b) makes any indecent, threatening, abusive or insulting communication, - towards or to a **public servant or public service worker** (called in this section, except subsection (1A), the victim) in [relation to the execution of the duty of the public servant or public service worker, shall be guilty of an offence]. - (1A) An individual or entity that contravenes section 3(1)(c) (in relation to a target person under section 3(1)(c) who is a public servant or public service worker) --- - \(a) with the intent to prevent or deter that public servant or public service worker from discharging the duty of that public servant or public service worker; or - \(b) in consequence of anything done or attempted to be done by that public servant or public service worker in the lawful discharge of the duty of that public servant or public service worker, - shall be guilty of an offence. - \(2) No offence is committed under this section unless the accused individual or accused entity (called in this section the accused) knows or ought reasonably to know that the victim was acting in the victim's capacity as a public servant or public service worker, as the case may be. - \(3) Subject to section 8, an individual or entity shall be liable, on conviction for an offence under subsection (1) or (1A), to a fine not exceeding **\$5,000** or to imprisonment for a term not exceeding **12 months or to both.** - \(4) It is a **defence** for the accused to prove --- - \(a) in any proceedings for an offence under subsection (1), that the accused had no reason to believe that the words or behaviour used, or the communication made, by the accused would be heard, seen or otherwise perceived by the victim; or - \(b) in any proceedings for an offence under subsection (1) or (1A), that the accused's conduct was reasonable. - Illustration: X is unhappy that a public servant, Y, refused to waive a late payment charge. X writes several posts on an open social media platform with abusive comments about Y in relation to the incident. In a subsequent post, X posts Y's name, home address and photograph on the same open social media platform in order to cause Y distress. Y is distressed by the subsequent post. X is guilty of an offence under this section. #### Part 2: Civil Remedies Section 11: Action for Statutory Tort - **Victim** under sections 3, 4, 5 or 7 may **bring civil proceedings** against the individual or entity alleged to have contravened one of those sections (the "respondent") - In such proceedings, the court may award damages to the victim if satisfied on a balance of probabilities that the respondent had contravened one of those sections Section 12: Protection Order - Victim under sections 3 to 7 may make an application to court for a protection order - In such proceedings, the court may make a protection order if satisfied on a balance of probabilities that the respondent had contravened one of those sections + likely to continue contravening - Deeming provision if the respondent had been convicted of an offence under the relevant section #### Part 3: Orders relating to False Statements General - Types of orders: - Stop publication order - Correction order - Disabling order - Targeted correction order - Targeted correction order is against an internet intermediary, tells them the same thing as correction order - In addition, TCO can go further and say that organization has to inform end users in sg who have accessed the material about the correction order (what has been corrected) - General correction order - Note **procedural requirements** in sections 15, 15A to 15E - An order may be made even if the statement has been amended or has ceased to be published - An order may be made against a party in or outside Singapore - An order may require the relevant party to do or refrain from doing an act in or outside Singapore ##### Section 15A: Stop Publication Order - Court **may make** a stop publication order (SPO) against any individual or entity (the respondent) if: - Satisfied on a balance of probabilities that the respondent published the relevant statement; - Satisfied on a balance of probabilities that the relevant statement is a false statement of fact; and - It is just and equitable to do so. - SPO may be made even if the respondent does not know or have reason to believe that the relevant statement is false - SPO may require the respondent or any other individual or entity to stop publishing the relevant statement, or a similar statement, by a specified time ##### Section 15B: Correction Order - Court may make a correction order (SPO) against any individual or entity (the respondent) if: - Satisfied on a balance of probabilities that the **respondent published the relevant statement**; - Satisfied on a balance of probabilities that the **relevant statement is a false statement of fact**; and - It is just and equitable to do so. - CO may be made even if the respondent does not know or have reason to believe that the relevant statement is false - CO may require the respondent to publish in Singapore a correction notice (see Act for details) ##### Section 15C: Disabling Order - Court may make a disabling order (DO) against an internet intermediary (the respondent) if: - Satisfied on a balance of probabilities any material consisting of or containing the relevant statement has been or is being published by means of an internet intermediary service provided by the respondent; - Satisfied on a balance of probabilities that the **relevant statement is a false statement of fact**; and - It is just and equitable to do so. - DO may require the respondent to disable access by end-users of the internet intermediary service provided by the respondent in Singapore (see Act for details) - See also Targeted Correction Order under section 15D and general correction order under section 15E #### Part 4: Subsidiary Legislation Protection from Harassment (Exempt Class of Persons) Order 2014 - Refer to Order for list of persons against whom no protection order may be made Protection from Harassment (Prescribed Internet Intermediaries and Others) Regulations 2020 - Refer to Regulations for list of persons against whom a disabling order, targeted correction order or general correction order may be made (Some of the big internet Cos -- e.g. Facebook) ### POFMA (not tested) +-----------------------------------------------------------------------+ | - Note similarities with POHA: | | | | - Offence for communication of false statements of fact in | | Singapore | | | | - Directions including: | | | | - Correction direction | | | | - Stop communication direction | | | | - Access blocking order | | | | - Directions to internet intermediaries (targeted | | correction direction, disabling direction, general | | correction direction, access blocking order) | | | | - Prescribed internet intermediaries (under the POHA | | Regulations) | | | | - Declaration of online locations | | | | - Directions to counteract inauthentic online accounts and | | coordinated inauthentic behaviour | +-----------------------------------------------------------------------+ LAW AND TECHNOLOGY ================== Learning objectives 1. Provide candidates with a structural framework for appreciating, approaching, and understanding law and technology as a field of law on its own 2. Give candidates an overview of practice-relevant technologies, being technologies that they are likely to either be asked to advise clients on or use themselves in legal practice 3. Equip candidates with the knowhow to identify law and technology issues in their practice, and to identify when they may need to seek expert technical advice INTRODUCTION TO THE FIELD ------------------------- What is Law and Technology? - Law + Tech Tech = (the study and knowledge of) the **practical**, especially industrial, use of scientific discoveries; the methods for using scientific discoveries for **practical** purposes, esp. in industry -- practical = people involved - Economic view of technology Essentially, anything which (a) increases production but (b) not itself a factor of production \[I.e., **shifts** the entire production possibility plane\] - Ultimately, it depends on what we mean by 'law' and what we mean by 'technology' - ![A diagram of a diagram Description automatically generated](media/image4.png) +-----------------------------------------------------------------------+ | ### General Framework for Approaching the Field | +-----------------------------------------------------------------------+ - The Big Question: Is the issue with law, with technology, or both?\*\* - An issue with the [law] (technology) is [solved by changing or clarifying the law] (technology) which is the problem? - E.g. Law and Automated Vehicles: - Do we understand accident law enough? What are the loopholes/false assumptions it makes? - Do we understand how AVs work enough to judge the **applicability** and **application** of those laws? - What problems, if any, arise from interacting uncertainties? - 2 ways of thinking about L&T - Focus on the law? - What are the legal principles? - What are the legal gaps? - No "law of the horse" - Focus on the Tech? - What's unique/novel? - What are its implications? - What cyberlaw might teach ### (CORE) Frank Easterbrook's Law of the Horse Basically, - Utilitarian - He thinks courses in law, if taught w something, should "illuminate the entire law", instead of courses suited to dilettantes (a person who cultivates an area of interest, such as the arts, without real commitment or knowledge) - His principle conclusion: develop a sound law of intellectual property, then apply it to computer networks (but then, he goes on to say, why developing a sound law of IP is so difficult; so fact specific) He DOES NOT support viewing L&T as a field in itself; why? Analogy that L&T is like the Law of the Horse: - i.e. "property in cyberspace": He doesn't know much about cyberspace, what he knows will be outdated in five years, and his predictions about the direction of change are worthless, making any effort to tailor the law to the subject futile #### Proposition 1: Sound rules and understanding of legal principles is necessary in L&T. - Aka, focus on making sure our laws are right; "lets just study law in itself" and once we do, it will automatically apply well to technology. - What is left unsaid/unclarified: - **whether it is sufficient** in exploring this field -- is knowing law enough? View that: predictions are highly likely to be false etc...until we have answers to these questions, we cannot issue prescriptions for applications to computer networks. #### Proposition 2: Since we don't know tech, we should stick with law - If we are so far behind in matching law to a well-understood technology, what chance do we have for a technology such as computers. If you don\'t know what is best, let people make their own arrangements. Next after nothing is: keep doing what you have been doing. - **Consider:** Is something like the Law of Contracts susceptible to Easterbrook's critique? Torts? - A quick summary: Error in legislation is common, and never more so than when the technology is galloping forward. Let us not struggle to match an imperfect legal system to an evolving world that we understand poorly. Let us instead do what is essential to permit the participants in this evolving world to make their own decisions. That means three things: make rules clear; create property rights where now there are none; and facilitate the formation of bargaining institutions. Then let the world of cyberspace evolve as it will, and enjoy the benefits. - Echoes standard calls for **minimum government and free markets** that characterizes Chicago School Economics ##### Judge Easterbook: Cyberspace and The Law of the Horse +-----------------------------------------------------------------------+ | Does he support or detract from viewing L&T as a field in itself? Why | | or why not? | | | | Law and tech not as a field in itself | | | | - Dean Casper asserts that lawyers' beliefs hold about computers, | | and predictions they make about new technology, are highly likely | | to be false | | | | - 2^nd^ meaning: that the best way to learn the law applicable | | to specialized endeavours is to study general rules putting | | cases in the context of broader rules | | | | - **Law of the Horse** any effort to collect different strands | | about horses (e.g. sales of horses, people kicked by horses, | | licensing and racing of horses etc.) only by **putting the | | law of the horse in the context of broader rules about | | commercial endeavours could one really understand the *law* | | about horses** | | | | - Principal conclusion: Develop a sound law of IP law then apply it | | to computer networks | | | | - But problem -- we do not know whether many features of | | existing law are optimal | | | | - If we are so far behind in matching law to a well-understood | | technology such as photocopiers | | | | - Not managed to create well-defined property rights so that | | people can adapt their own conduct to maximize total wealth | | | | - What chance do we have for a technology such as computer that | | is mutating faster than the virus in *The Andromeda Strain?* | | [technology faster than our understanding of how to regulate | | it] | | | | - What can we do? Nothing let people make their own | | arrangements | | | | - What else is there to do? | | | | - 1\. Make rules clearer, to promote bargains | | | | - We don't know what is best, but in a Coasean world the | | affected parties will by their actions establish what is | | best | | | | - Coasean = perfect economic world | | | | - The risk of error should lead to initial assignments that | | are easy to reverse, so that people may find their own | | way with the least interference | | | | - 2\. Create property rights, where now there are none -- again | | to | | make bargains possible | | | | - But no one can regulate the whole process of information | | exchange -- international consensus will always triumph | | | | - 3\. Create bargaining institutions | | | | - Agreed language for communications rules which all follow | | | | - Summary | | | | - Error in legislation is common, and never more so than when | | the technology is galloping forward | | | | - Don't struggle to match an imperfect system -- instead do | | what is essential to permit the participants in this evolving | | world to make their own decisions: | | | | - 1\. Make rules clear | | | | - 2\. Create property rights where now there are none | | | | - 3\. Facilitate formation of bargaining institutions | +-----------------------------------------------------------------------+ ### Lessig's Counter-Response: What Cyberlaw might teach (Essentially: No, there's something *new* and *disruptive* therefore calls for new regulations) - There is something new to think about there, and that what we learn there will teach us something about what we know from here. #### Proposition 1: Cyberlaw is unique - e.g. that here is a highway and train tracks separating this neighbourhood from that is a constraint on citizens to integrate. **These constraints bind in a way that regulates behaviour. In this way, they regulate**. In all of these examples, law is functioning in two very different ways. In one way, its **operation is direct; in the other, indirect**. When it is **direct**, **it tells individuals how they ought to behave**. It [threatens a punishment if they deviate from that directed behaviour].... law also has a way of regulating that is more **indirect**. When law [regulates indirectly, it aims at changing the constraints of one of these other structures of constraint]... When we think of regulation in this more general way, we see things that a less complete account might miss. One thing that we might see is how one kind of constraint can be substituted for another. - **What is Lessig's definition of "regulation" here?** Function of the constraints of law, norms, market, "code" #### Proposition 2: Cyberlaw is different Code is not = law but is like law - Software Code are **regulations** - To the extent that code can be made to regulate directly, **because code is plastic** (plasticity = very malleable), code can regulate more. Code in cyberspace can more easily substitute for law, or norms. Code can more subtly control and discipline behaviour -- \*Code is not = law, but code is *like* law, in that it is able to restrain behaviour - There is a shift from a structure of constraint regulated by law, to a structure of constraint regulated by code - In this shift, something is lost - IP: Lost of structure of public use built into the protection of that property - Contract: Lost of public values that might check the enforcement of obligations - **Therefore:** Government can and will regulate cyberspace \[and\] that when we see the law in code, we see all the more reason why **law must regulate code, if public values, in particular constitutional values, are to be preserved.** - Key Questions: - What, ultimately, is Lessig's substantive reply to Easterbrook on the Law of the Horse? - What are the assumptions made? - What are the implications for studying L&T as a field in itself? - Answer/ Key takeaways from the Law of the Horse: - Lessig's essential answer was to suggest that cyberspace is special enough that specialised study is both useful and possible. Agree? - L&T wasn't (isn't) always seen as a field - Perennial tension between applying existing law to technology and treating technology as special - What is really new/unique about tech as to warrant dedicated law/analysis? - How do we know? - More in next segments on **when** and **why** tech can be special ##### Lawrence Lessig's response: The Law of the Horse -- What Cyberlaw Might Teach +-----------------------------------------------------------------------+ | 1.The Regulation of Real Space | | | | - Behaviour regulated by 4 constraints | | | | - Law -- orders people to behave in certain ways | | | | - Social norms -- but punishment not centralized, enforced by | | community | | | | - Markets -- regulate by price; individual and collective | | behaviour | | | | - Architecture/"Nature" | | | | - While law may regulate individuals *directly*, it also regulates | | other constraints directly, as a means to regulating individuals | | *indirectly* | | | | - Law regulates by threatening ex post sanctions | | | | - When law regulates other structures of constraint, the law | | changes their constraints, so as to change the effect that | | they might have on the behaviour being regulated | | | | - E.g. funding public education to create stigma against | | those who do not wear seatbelts | | | | - Government can act to weaken social norm constraints as well | | weakening the communities within which they have their effect | | | | - Question for the policy maker is the **net effect** -- | | whether as a whole, the policy reduces or increases social | | costs | | | | - Summary: Law is functioning in 2 very different ways. In 1 | | way, its operation is direct; in the other, indirect | | | | - Direct = tell individuals how they ought to behave | | | | - Indirect = aims at changing the constraints of 1 of these | | other structures of constraints | | | | - The question is instead to what extent is a particular | | constraint a function of the law, and to what extent can | | it be changed by the law | | | | - The efficient regulator thinks of the trade-offs for efficient | | regulation | |