CLK PAPER 1 WHACK PDF
This document is a study guide or lecture notes on data protection and cyber regulation, law and technology, comparative laws, and conflict of laws.
Table of Contents
=================

- 2. DATA PROTECTION AND CYBER REGULATION
  - 2.1. DATA PROTECTION
    - (1) Introduction and Overview
    - (2) Purpose and Scope of the PDPA: When does it apply
    - (3) Obligations of Organisations
    - (4) Data Lifecycle
    - (5) Rights of Individuals
    - (6) Enforcement of the PDPA
    - (7) Specific Topics (Not Tested)
  - 2.2. CYBERSECURITY REGULATION UNDER PDPA AND CYBERSECURITY ACT
    - (1) Introduction
    - (2) Laws that Regulate Cybersecurity
    - (3) Cybersecurity Act 2018
    - (4) PDPA 2012
  - 2.3. PREVENTION OF ONLINE THREATS AND FALSEHOODS (POHA)
    - (1) POHA
    - (2) POFMA (not tested)
- 3. LAW AND TECHNOLOGY
  - 3.1. INTRODUCTION TO THE FIELD
    - (1) General Framework for Approaching the Field
    - (2) (CORE) Frank Easterbrook's Law of the Horse
    - (3) Lessig's Counter-Response: What Cyberlaw might teach
    - (4) L&T Issues in Contract/Torts
  - 3.2. TECHNOLOGY REGULATION: HISTORY AND PRINCIPLES
    - (1) Regulation
    - (2) CASE STUDY 1: Automobiles
    - (3) Case Study 2: Regulating the Early Internet
    - (4) Electronic Transactions
  - 3.3. EMERGING TECHNOLOGIES AND LAW
    - (1) Digital Platforms
    - (2) The Blockchain
    - (3) Artificial Intelligence
- 4. COMPARATIVE LAWS
  - 4.1. INTRO TO CIVIL LAW TRADITION
    - (1) General: Features of the Civilian System
    - (2) Civil Law as a 'mentality'
    - (3) Civil Law as a methodology
    - (4) Civil Law: Substance
    - (5) Key Ideas
  - 4.2. General Principles of Civil Law
    - (1) Systematic Approach to codifying private law in Germany, Japan, South Korea, Taiwan, and France
    - (2) How to use Civil Codes for Case Analysis
    - (3) The Law of Delictual Liability (Torts equiv.)
    - (4) Negotiorum gestio: Spontaneous voluntary agency in which the intervenor (gestor) acts on behalf and for the benefit of a principal without the principal's prior consent
  - 4.3. Specific Principles of Civil Law (I): Unilaterally Binding Contracts
    - (1) Mutually and Unilaterally Binding Contracts
    - (2) The concept of gifts (donations)
    - (3)
    - (4) The concept of Mandate
  - 4.4. Specific Principles of Civil Law (II): Good Faith and absence of Trust Law
    - (5) General Provisions on Good Faith Principle
    - (6) Applying the principle of Good Faith
    - (7) Principles of Trust Law
  - 4.5. Specific Principles of Civil Law (III): Enforced Performance
    - (1) Enforced Performance
    - (2) Principles relating to Secondary Rights
    - (3) Impossibility of Performance
- 5. CONFLICT OF LAWS
  - 5.1. INTRODUCTION
    - (1) What is the Conflict of Laws?
    - (2) The Conflicts Process
  - 5.2. CHOICE OF LAW
    - (1) What are Choice of Law Rules
    - (2) Contract Rule
    - (3) Tort Rule
    - (4) Limits on Choice of Law Rules
  - 5.3. JURISDICTION
    - (1) Structure of Jurisdictional Rules
    - (2) Establishing Jurisdiction if Service In
    - (3) Establishing Jurisdiction if Service Out
    - (4) Jurisdiction Clauses
    - (5) Submission by Conduct
  - 5.4. FOREIGN JUDGEMENTS
    - (1) Why are Foreign Judgments Important?
    - (2) Requirements for Recognition
    - (3) Defences to Recognition

DATA PROTECTION AND CYBER REGULATION
====================================

DATA PROTECTION
---------------

### Introduction and Overview

- The PDPA does not apply to collecting personal data in a personal capacity, i.e. where you are not doing it for an organisation or a third party but for yourself. But if you are doing it for your professor as part of their work, then even though you are not an organisation you might be regarded as an employee of the university.
  - If acting in a personal capacity, not subject to the PDPA.
- The PDPA, Singapore's **first general data protection law**, was enacted in 2012 and came into force in stages up to July 2014.
- The Personal Data Protection Commission (PDPC) was established in 2013.
- The PDPA's Do Not Call and Data Protection Provisions came into force in 2014.
- The PDPA was **significantly amended in 2020** to introduce new obligations in line with modern data protection laws in other jurisdictions:
  - New provisions on data protection obligations and rights of individuals
  - New criminal offences relating to misuse of personal data
  - Enhanced enforcement powers for the PDPC/Commissioner
- The following subsidiary legislation expands on the obligations of organisations or procedural aspects of the PDPA:
  - Personal Data Protection (Appeal) Regulations 2021
  - Personal Data Protection (Composition of
Offences) Regulations 2021
  - Personal Data Protection (Do Not Call Registry) Regulations 2013
  - Personal Data Protection (Enforcement) Regulations 2021
  - \*Personal Data Protection (Notification of Data Breaches) Regulations 2021
  - \*Personal Data Protection Regulations 2021
  - Rules of Court 2021, Order 57
  - (\*only these are covered in this unit)
- The PDPC has issued several advisory guidelines (under PDPA section 49) and many other publications and materials to **assist organisations in complying with the PDPA**. Covered in this unit are:
  - Key Concepts Guidelines
  - Selected Topics Guidelines
  - Enforcement Guidelines
- Guidelines are advisory in nature and not legally binding on the Commission or any other party.

### Purpose and Scope of the PDPA: When does it apply

#### Purpose: PDPA s 3

- Governs collection, use and disclosure of personal data by **organisations**
- In a manner that recognises:
  - Right of individuals to protect their personal data
  - Needs of organisations
- Does not confer proprietary rights over personal data (usual laws apply)
- Key terms:
  - Personal data, individuals (target subject-matter)
  - Organisations (entities required to comply)
  - Collection, use, disclosure / data processing (target activities)

#### Substantive Scope: PDPA s 2(1)

\*See exact provision

- Personal Data
  - Data about an identifiable individual: direct identifier (conclusive), indirect identifier (see Specific Topics)
  - 3 kinds of data: direct identifier, indirect identifier, non-identifier
  - Includes factual information and opinions
  - Does not depend on truth of the data
  - Note exclusions, e.g. for business contact information
- Individual
  - Natural person, living or deceased (though limited effect on deceased)
- Organisation
  - Includes (non-exhaustive) any individual, company, association or body of persons regardless of where formed, recognised, resident or having an office / place of business
  - Excludes individuals acting in a personal or domestic capacity or as an employee
  - Excludes public agencies (covered under a separate framework / law)
- **Data intermediaries (DIs)**: do not need the data for any other purposes
  - Sometimes known as **data processors** in other jurisdictions' laws
  - Organisations that process personal data on behalf of another organisation
  - **Fewer obligations** under the PDPA: only sections 24, 25, 26C(3)(a) and 26E and Part 6B (not yet in force): s 4(2)
  - If the question refers to an organisation that is collecting personal data / doing something to the data on behalf of and for the purposes of another organisation, then the organisation doing this is a data intermediary
  - A data intermediary is a relationship and not a category of organisations. An organisation can be a DI in respect of one relationship with an organisation and a DC in respect of another (usually, with respect to your own employees' info, you are the DC)
- Data controllers (DCs): control the processing
  - Not a defined term in the PDPA
  - Refers to the organisation on whose behalf a DI is processing personal data
  - Controls the purposes and sometimes the manner of processing
  - Responsible for personal data processed on its behalf by the DI
  - All obligations apply, c.f. DI
- Data controller vs Data intermediary (DC vs DI)
  - Using an employment agency as an example:
- Collection, use and disclosure
  - Not defined in the PDPA, but dictionary meaning
  - Overlaps with the defined term "processing"
  - "processing", in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
    - (a) recording;
    - (b) holding;
    - (c) organisation, adaptation or alteration;
    - (d) retrieval;
    - (e) combination;
    - (f) transmission;
    - (g) erasure or destruction;

#### Interaction with other laws: PDPA s 4(6)

- Nothing in the Data Protection Provisions affects any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law
- Performance of a contractual obligation is not an excuse for contravening the PDPA (**cannot contract out of the PDPA** where the PDPA imposes an obligation)
- In the event of any inconsistency between the Data Protection Provisions and provisions of another written law, the provisions of the other written law will prevail
  - "Written law": if another written law is inconsistent with the PDPA, the other written law will prevail
  - Written law includes general legislation, subsidiary legislation and other instruments that qualify as written law (but mainly parliamentary legislation)
  - If the 2 written laws are consistent with each other and one imposes additional requirements, then organisations must comply with both

### Obligations of Organisations

Overview

#### **When** are organisations permitted to collect, use and disclose personal data?

Obligations:

- Purpose Limitation Obligation (**s 18**): only for appropriate, reasonable, lawful, legitimate purposes
- Consent Obligation / Legal Bases for Processing (**ss 13-14**): obtain consent from the individual, but not an absolute obligation
  - Many scenarios where consent isn't required
- Notification Obligation (**ss 15A, 20**): notify individuals of use and disclosure of personal data
- \*\*Need to know the relevant sections tied to each obligation

#### Organisations' obligations when processing personal data

- Data Minimisation (part of Purpose Limitation): ensure only appropriate data is collected
- Accuracy Obligation: requires organisations to make an effort to ensure data is accurate and complete (esp. where there is collection from a secondary source, steps must be taken to make sure that it is accurate; also different from the concept of truthfulness)
- Protection Obligation: requires organisations to implement reasonable security measures to protect data
- Data Breach Notification Obligation: requires organisations to assess whether a data breach is notifiable to the PDPC / affected individuals
- Retention Limitation Obligation: requires organisations to cease retaining documents containing personal data once they are no longer required

#### Organisations' obligations when disclosing / transferring personal data to another organisation (DC or DI)

- Obligations relating to disclosure to DIs
- Transfer Limitation Obligation
- What **governance measures** must organisations put in place?
  - Accountability Obligation

### Data Lifecycle

[Figure: data lifecycle diagram (image not reproduced in the transcript)]

#### Points to Note

- Purpose Limitation
  - Key purposes / allowable purposes or reasons for collection of data: reasonable, appropriate, lawful, legitimate, relevant
- Consent
  - One of several legal bases under which organisations may collect, use and disclose personal data
  - Legal bases for processing under the PDPA include:
    - Legal obligations / authority under written law
    - Consent and general deemed consent
    - Deemed consent by contractual necessity
    - Vital interests of individuals
    - Public matters
    - Legitimate interests of organisations
    - Business asset transactions
    - Business improvement purposes and research
- Data Minimisation and Accuracy
  - Data minimisation is part of Purpose Limitation
  - Limit the collection of information to what is directly relevant and necessary to accomplish a specified purpose
  - Lays the groundwork for good data analysis and decision-making
  - Ensures relevant, accurate and complete data is used by organisations
- Disclosure to DIs
  - Pursuant to **contract**
  - Key question: what clauses / obligations must be included?
  - What optional clauses / obligations may be included (depending on the scope of services)?
    - E.g., the DC can include a clause that the DI obtains consent on behalf of the DC, OR the DC can find a way to obtain consent directly
  - Hint: consider each of the Data Protection Provisions
- Transfer Limitation
  - Permitted modes are set out in PDPR Part 3: Transfer of Personal Data outside Singapore
- Accountability
  - Two key elements:
    - **Responsibility** for personal data (see PDPA section 11(2)): an organisation is responsible for personal data in its possession or under its control.
    - Being able to demonstrate how the organisation has **discharged its responsibility**. May include:
      - Measures specified in the PDPA (e.g., appoint a DPO, develop data protection policies and practices)
      - Measures required to comply with the Data Protection Provisions (e.g., conduct a data inventory)
  - The PDPC has given guidance on developing a Data Protection Management Programme (DPMP) and related documents and practices (not covered in this unit)
- Do Not Call Obligations
  - Not covered in detail, but note the 3 main obligations (sections 43, 44 and 45)
    - S 43: Duty to check register (valid confirmation that the SG telephone number is not listed in the relevant register)
    - S 44: Contact information (must not send a specified message addressed to a SG telephone number unless the specified message includes clear and accurate identification information)
    - S 45: Calling line identity not to be concealed
  - Note that telemarketing is also covered by the Data Protection Provisions

### Rights of Individuals

Overview

- Organisations must give effect to the rights of individuals under the PDPA
  - Depends on exercise of the right by the individual concerned
- Main Rights:
  - Right to Withdraw Consent
  - Right of Access (PDPC's Access and Correction Obligation)
  - Right of Correction (PDPC's Data Portability Obligation)
  - Right to Data Portability \*Not tested
  - Right of Private Action

Rights of Individuals: Highlights (??)

#### Right to Withdraw Consent

- PDPA section 16
  - (1) On giving reasonable notice to the organisation, an individual may **at any time withdraw** any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.
  - (2) On receipt of the notice mentioned in subsection (1), the organisation concerned must inform the individual of the likely consequences of withdrawing his or her consent.
- Organisations **must give effect to the withdrawal of consent** (and not prohibit an individual from withdrawing his or her consent), although this does not affect the legal consequences which may arise (e.g. the organisation terminating the contract)
- Organisations may continue to collect, use and disclose personal data if doing so without consent is authorised under written law

#### Rights of Access and Correction

- PDPA sections 21 and 22 and PDPR Part 2

#### Right to Data Portability

- Not yet in force (not covered in this unit). Not tested

#### Right of Private Action

- **PDPA section 48O**: a person who suffers loss or damage directly as a result of a contravention of specified provisions has a right of action for relief in civil proceedings in court. The court may grant to the claimant: (a) relief by way of injunction or declaration; (b) damages; (c) any other relief as the court thinks fit
- See *Reed, Michael v Bellingham, Alex (Attorney-General, intervener)* \[2022\] SGCA 60 (Note: this case relates to the former PDPA section on the right of private action, which was repealed and replaced by section 48O)
  - **Facts:** R contacted A (an investor) in the Edinburgh Fund. A found it unacceptable that R knew his name, personal e-mail address and investment activity in the Edinburgh Fund. The HC held that R had contravened ss 13 and 18 of the PDPA by collecting and using the Personal Data to market QIP's services. However, the HC held that the appellant had suffered no "loss or damage" under s 32(1) PDPA. To commence a private action under s 32(1) ("s 32 action"), "loss or damage" had to have resulted directly from the breach of Pts IV-VI of the PDPA. The HC rejected A's argument that his emotional distress and the loss of control over his Personal Data fell within the meaning of "loss or damage".
  - **Held:** Allowing the appeal
    - **"Loss or damage" included emotional distress**, based on statutory interpretation; the statute expressly created the right of private action
      - Step (a): Possible interpretations. Nothing in the text and context of the statute justified narrowing the meaning of "loss or damage"
      - Step (b): General and specific purpose
        - Regarding the general purpose of the PDPA, Parliament intended a degree of robustness in the protection afforded to individuals' personal data
        - As for the specific purpose of the "loss or damage" requirement in s 32(1), its scope should not be read down just to prevent frivolous lawsuits. This concern was addressed by the strict causal link requirement in s 32(1) and the principle that there was no legal recourse for minimal loss
      - Step (c): Ascertaining which interpretation furthered the purpose of the PDPA and s 32(1)
        - The Wide Interpretation better promoted the general purpose of the PDPA and the specific purpose of s 32(1):
          1. Parliament intended to provide robust protection for individuals' personal data;
          2. The availability of injunctive and declaratory relief under s 32(3)(a) signalled Parliament's recognition that the loss or damage caused by breaches of the PDPA might not be adequately compensated by damages or susceptible to easy quantification
    - "Loss or damage" excluded mere loss of control over personal data
    - The appellant suffered emotional distress. Multi-factorial approach: relevant factors included the nature of the personal data involved in the breach, the nature of the breach, the nature of the defendant's conduct, the risk of future PDPA breaches causing emotional distress to the claimant, and the actual impact of the breach on the claimant. Negative emotions that formed part of the ordinary vicissitudes of life did not amount to emotional distress.
      1. R had refused to undertake not to use the Personal Data in the future, rendering A vulnerable to misuse
      2. The Personal Data included information about the appellant's personal investments. Such information fell within the category of financial data that was sensitive
      3. A reasonably perceived a real prospect of future misuse of the Personal Data given the respondent's refusal to offer an undertaking
      4. R was evasive when confronted and dismissive of the appellant's concerns about the Personal Data

### Enforcement of the PDPA

PDPC's Investigative and Enforcement Powers

- The PDPC exercises powers of investigation under PDPA section 50 and various powers of enforcement under PDPA Part 9C
- The PDPC's powers of enforcement include:
  - Power to refer a complaint to mediation or other modes of alternative dispute resolution
  - Power to review an organisation's response to a request for access to, or correction or porting of, personal data
  - Power to issue a direction for non-compliance (remedial direction, e.g. may direct the company to destroy data)
  - Power to require payment of a financial penalty of up to 10% of the annual turnover of the organisation in Singapore or \$1 million, whichever is higher (for breaches of the Data Protection Provisions). A high penalty compared globally
  - Power to accept a voluntary undertaking (usually where an organisation has contravened the Act and offers a voluntary undertaking in lieu of investigation)
- The PDPA includes provisions for reconsideration of, and appeal against, the PDPC's decision (**s 48N** and **Part 9C**)
- Legal effect of advisory guidelines issued by the **PDPC** under the **PDPA**:
  - Although advisory guidelines are not legally binding (because they are neither legislation nor subsidiary legislation), the PDPA advisory guidelines state that they are the guidelines issued by the PDPC on how it is going to interpret and apply the PDPA.
  - ∴ although not legally binding, they are a very strong indication of how the PDPC is going to apply it.
  - From a compliance point of view, you would want to comply with the advisory guidelines
  - Pretty much binding on companies, if not directly in law, at least through the PDPC's processes

### Specific Topics

Consider how the PDPA applies to the following (see Selected Topics Guidelines):

- Analytics and research
  - If personal data is used, individuals have to be informed of and consent to the purposes for which their personal data are collected, used, and disclosed by organisations, unless any exception under the PDPA applies ("The Consent Obligation"; "The Notification Obligation")
  - Exceptions: collection and use without consent
    - Part 5 of the First Schedule and Division 2 under Part 2 of the Second Schedule ("Business improvement exception")
    - Division 3 under Part 2 of the Second Schedule to the PDPA ("Research exception")
- Anonymisation
  - Tested: Retention Limitation. If an organisation anonymises data, it has met the Retention Limitation Obligation
  - Will not test HOW to anonymise data
  - The term 'anonymisation' refers to the process of converting personal data into data that cannot identify any particular individual and, depending on the specific process used, can be reversible or irreversible. The reversibility of the specific process used would be a relevant consideration for organisations when managing the risk of re-identification
  - Anonymisation involves a set of risk management controls. Data would not be considered anonymised if there is a serious possibility that an individual could be re-identified
  - For data to be considered **anonymised**, the following criteria should be met:
    - (a) All **direct identifiers** should be removed
      - Full name, NRIC no.
      - By definition these are personal data, even if it is a common name
    - (b) All **indirect identifiers** that can be used to re-identify individuals when matched with publicly available or proprietary information that the organisation knows the data recipient has access to should be altered or removed to prevent re-identification from the data.
      - Gender, nationality, age, blood group
      - With these data, you might be able to identify someone even without a direct identifier
      - For example, if there is only one female, 40-year-old Swedish national with AB+ blood type in a particular group, she could be identified with just these details.
      - Gender + nationality + occupation: likely to narrow down an individual in a small company or community.
      - Age + postal code + health condition: may link to a person in hospital or census data.
      - Higher risk of identification = higher chance of the data being labelled as personal data
    - (c) Additional **safeguards** may be implemented by the data recipient to restrict access and use of the **anonymised data** to reduce the risks of disclosure and thus risks of re-identification, depending on the extent of anonymisation performed and assessed re-identification risks, such as
      - (i) limiting the number of data recipients to whom the information is disclosed and the number of persons that can access the information;
      - (ii) imposing restrictions on the data recipient(s) on the use and subsequent disclosure of the data;
      - (iii) requiring the data recipient(s) to implement processes to govern the proper use and disclosure of the anonymised data in line with the imposed restrictions; and/or
      - (iv) requiring the data recipient(s) to implement processes and measures for the destruction of data as soon as the data no longer serves any business or legal purpose
    - (d) **Stringent internal safeguards** should be implemented on the **set of information** (e.g., identity mapping tables or other datasets containing linkable information) that can be used to re-identify individuals from the anonymised data, such as:
      - (i) organisational structures;
      - (ii) policies, administrative rules or processes;
      - (iii) technical measures (e.g. using encryption to restrict access to the information, limiting access to only authorised users, and controlling access through passwords); and/or
      - (iv) physical measures (e.g. restricted access to information storage areas).
    - (e) **Periodic reviews** should be conducted, particularly where anonymised data is disclosed over a period of time in an ongoing relationship, to ensure that the risk of re-identification from the anonymised data is minimised and acceptable. The review should assess
      - (i) the adequacy of anonymisation techniques and risk management controls in relation to the current state of technology; and
      - (ii) the robustness of organisational, legal, process and other non-technical measures to manage the risks of re-identification, considering technological developments over time
- Online activities
  - Data generated include identifiers provided by the user or organisations, and identifiers that are programmatically generated and assigned (e.g. IP addresses)
  - Collection of data by organisations from and about customers, when linked to an identifier, will form part of the personal data that the organisation is collecting about individuals
  - Consent is not required for cookies that: (1) do not collect personal data; or (2) are for internet activities that the user has clearly requested (e.g., streaming content, where the activity cannot take place without cookies that collect, use or disclose personal data)
- Cloud services
  - Where the cloud service provider (CSP) is **processing personal data** on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing, the CSP is considered a **data intermediary** and subject to the Protection, Retention Limitation and Data Breach Notification Obligations under the PDPA.
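To make the anonymisation criteria (a), (b) and (e) above concrete, here is an added Python example; it is not part of the original notes and is not the PDPC's own tooling. It strips direct identifiers from a constructed patient-style dataset, generalises the indirect identifiers (10-year age band, nationality grouped as SG / non-SG, ABO group without the Rh factor), and measures the smallest group of records that share one combination of indirect identifiers (the k of k-anonymity). A group of size 1 is exactly the "only one female, 40-year-old Swedish national with AB+ blood type" situation. The records, field names, generalisation rules and the threshold k = 2 are all assumptions chosen for illustration.

```python
from collections import Counter
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample dataset: fictional people, invented NRIC-style values.
# name / nric are direct identifiers; gender / nationality / age / blood_group
# are indirect identifiers (quasi-identifiers); condition is the payload.
SAMPLE_RECORDS: List[Record] = [
    {"name": "Alice Tan",  "nric": "S0000001A", "gender": "F", "nationality": "SG", "age": "41", "blood_group": "O+",  "condition": "asthma"},
    {"name": "Bob Lim",    "nric": "S0000002B", "gender": "M", "nationality": "SG", "age": "45", "blood_group": "O+",  "condition": "none"},
    {"name": "Carla Berg", "nric": "G0000003C", "gender": "F", "nationality": "SE", "age": "40", "blood_group": "AB+", "condition": "diabetes"},
    {"name": "Dev Kumar",  "nric": "S0000004D", "gender": "M", "nationality": "SG", "age": "48", "blood_group": "A+",  "condition": "none"},
    {"name": "Eve Ng",     "nric": "S0000005E", "gender": "F", "nationality": "SG", "age": "43", "blood_group": "O+",  "condition": "none"},
    {"name": "Farid Omar", "nric": "S0000006F", "gender": "M", "nationality": "SG", "age": "42", "blood_group": "A+",  "condition": "asthma"},
    {"name": "Gopal Raj",  "nric": "S0000007G", "gender": "M", "nationality": "SG", "age": "47", "blood_group": "O+",  "condition": "none"},
]

DIRECT_IDENTIFIERS: Tuple[str, ...] = ("name", "nric")
QUASI_IDENTIFIERS: Tuple[str, ...] = ("gender", "nationality", "age", "blood_group")


def remove_direct_identifiers(records: List[Record], fields: Tuple[str, ...] = DIRECT_IDENTIFIERS) -> List[Record]:
    """Criterion (a): drop every direct identifier field outright."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def generalise(record: Record) -> Record:
    """Criterion (b): coarsen indirect identifiers so more records share the same
    values. The rules are assumptions for this example: 10-year age band,
    SG vs non-SG nationality, ABO group with the Rh sign removed."""
    out = dict(record)
    decade = int(record["age"]) // 10 * 10
    out["age"] = f"{decade}-{decade + 9}"
    out["nationality"] = "SG" if record["nationality"] == "SG" else "non-SG"
    out["blood_group"] = record["blood_group"].rstrip("+-")
    return out


def equivalence_classes(records: List[Record], quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> Counter:
    """Count how many records share each combination of indirect identifiers."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def min_group_size(records: List[Record], quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> int:
    """The k of k-anonymity: size of the smallest equivalence class (0 if no records)."""
    classes = equivalence_classes(records, quasi)
    return min(classes.values()) if classes else 0


def singletons(records: List[Record], quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> List[Tuple[str, ...]]:
    """Combinations matched by exactly one record: that person can be singled out."""
    return [key for key, n in equivalence_classes(records, quasi).items() if n == 1]


def suppress_small_groups(records: List[Record], k: int, quasi: Tuple[str, ...] = QUASI_IDENTIFIERS) -> List[Record]:
    """Drop records whose combination is shared by fewer than k records."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] >= k]


def anonymise(records: List[Record], k: int = 2) -> List[Record]:
    """Pipeline: (a) remove direct identifiers, (b) generalise, then suppress any
    record that still stands alone, so every released record has >= k-1 twins."""
    generalised = [generalise(r) for r in remove_direct_identifiers(records)]
    return suppress_small_groups(generalised, k)


def is_acceptably_anonymised(records: List[Record], k: int = 2) -> bool:
    """Periodic-review style check (criterion (e)): no direct identifiers remain
    and every combination of indirect identifiers is shared by at least k records."""
    no_direct = all(f not in r for r in records for f in DIRECT_IDENTIFIERS)
    return no_direct and min_group_size(records) >= k


if __name__ == "__main__":
    print("raw: k =", min_group_size(SAMPLE_RECORDS), "unique combinations =", len(singletons(SAMPLE_RECORDS)))
    generalised = [generalise(r) for r in remove_direct_identifiers(SAMPLE_RECORDS)]
    print("generalised: k =", min_group_size(generalised), "still unique:", singletons(generalised))
    released = anonymise(SAMPLE_RECORDS, k=2)
    print("released:", len(released), "records, k =", min_group_size(released),
          "acceptable:", is_acceptably_anonymised(released, k=2))
```

On the constructed data every raw record is unique (all seven ages differ), generalisation brings most records into groups of two, and the one record that remains unique is the female non-SG AB record, which suppression then removes before release. Two design points follow from this: suppression discards data, so a reviewer might instead generalise further (e.g. drop blood group entirely) to keep the record; and k only measures uniqueness inside the dataset, whereas criterion (b) is concerned with matching against information the recipient holds, so the threshold should be set from the assessed linking capability of the recipient, not from the dataset alone.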
- Its Protection, Retention Limitation and Data Breach Notification Obligations extend to personal data that it processes or hosts for the organisation in data centres outside Singapore. - The CSP, as an organisation in its own right, remains responsible for complying with all Data Protection Provisions in respect of its own activities which do not constitute processing of personal data under the contract. - Data intermediary - CYBERSECURITY REGULATION UNDER PDPA AND CYBERSECURITY ACT --------------------------------------------------------- ### Introduction - What is cybersecurity? - "Cybersecurity is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks" (Source: Kaspersky website) - Protecting confidentiality, integrity and availability of systems and data (the "CIA" of cybersecurity) - Resilience of systems - What is cybersecurity law? - Laws that regulate how businesses and other organisations: - Protect their computer systems and data from cyber-attacks - Respond to cyber-attacks and data breaches ### Laws that Regulate Cybersecurity - \*CYSA: CII and other systems - \*PDPA: Protection of Personal Data - Sectoral Laws: Financial information - Sectoral Laws: Healthcare Information - Sectoral Laws: Telecom Systems - Others (e.g. national security laws) #### Why Regulate Cybersecurity? - Significant increase in number of cyberattacks in recent years - Some motivations of cyber-criminals: - Organised crime - To make a profit from their criminal activities - Corporate cyber-espionage - State actors - Individual reputation - Cyber-activism (Hacktivism) - Numerous types of malware: - Ransomware - Hit 65% of organisations in Singapore in 2021 (source: Sophos) -- Trojans -- Viruses -- Spyware -- Worms -- Adware - Phishing - Hacking - Botnets & DDoS attacks - Identity Theft - Website Spoofing #### How does a cyber-attack take place? 
Singapore Health Services & Integrated Health Information Systems \[2019\] SGPDPC 3

- What were the facts of this case (in brief)?
  - Cyberattack resulting in the exfiltration of the personal data of some 1.5m patients and the outpatient prescription records of nearly 160k patients
- What was the relationship between SingHealth and IHiS?
  - SingHealth = group of public healthcare institutions (PHIs) for the provision of healthcare services
  - IHiS = central national IT agency for the public healthcare sector in SG
    - Centralises all IT functions and capabilities of PHIs, but designates some IT personnel to be redeployed to the Clusters to be responsible for providing leadership and direction for the IT security programme as well as executive management oversight of the local Cluster IT systems
  - SCM is used by SingHealth for patient care and management; the IT team at SingHealth manages it
- What were the steps / actions taken by the hacker to gain access to the system and data?
  - The attacker gained initial access to the SCM network by infecting a user's workstation, likely through a phishing attack, which led to malware and hacking tools subsequently being installed and executed on the user's workstation
  - Once the attacker established an initial foothold through the affected workstation, the attacker used customised malware to infect and subsequently gain remote access to and control of other workstations
  - From these compromised workstations, the attacker was able to gain access to and control of two user accounts: (i) a local administrator account, and (ii) a service account (a special user account that applications or services use to interact with the operating system)
  - Through these Compromised Accounts, the attacker gained access to and control of the Citrix servers located at SGH ("SGH Citrix Servers") and thereafter obtained login credentials for the SCM database from the H-Cloud Citrix server
  - Between 27 June and 4 July 2018, the attacker used the stolen SCM database login credentials to access and run numerous bulk queries from one of the compromised SGH Citrix Servers on the SCM database. Data that was illegally accessed and copied through such queries was then exfiltrated by the attacker through the initial compromised workstations to the attacker's overseas Command and Control ("C2") servers
- How did SingHealth and IHiS staff respond in the course of the incident?
  - Suspicious circumstances were raised and alerted, but no formal action was taken; staff waited passively for updates
  - After discovery, remedial actions: password changes; monitoring of administrator accounts; tightened firewall rules; system resets, etc.
- What were the specific security shortcomings identified by the Personal Data Protection Commission in its decision?
  - Failure to comply with various incident response policies and SOPs
  - IHiS had not taken sufficient security steps or arrangements to protect personal data
  - Weaknesses, lapses and failures on the part of IHiS personnel

### Cybersecurity Act 2018

#### Part 1 and Part 2: Introduction (Preliminary and Administration)

Purpose and Overview

- Cybersecurity Act 2018, long title: an Act to:
  - require or authorise the taking of measures to prevent, manage and respond to cybersecurity threats and incidents
  - regulate owners of critical information infrastructure
  - regulate cybersecurity service providers
- Provisions:
  - Part 1 -- Preliminary
  - Part 2 -- Administration (appointment of Commissioner of Cybersecurity, etc.)
  - Part 3 & First Schedule -- Critical Information Infrastructure ("CII")
  - Part 4 -- Responses to Cybersecurity Threats and Incidents
  - Part 5 & Second Schedule -- Regulation of Cybersecurity Service Providers \[not covered in this unit\]

Scope

- Part 3 applies to:
  - Any CII wholly or partly in Singapore (per s 3(1))
  - Any computer or computer system wholly or partly in Singapore (per s 3(2))
- Part 4 applies to activities and service providers in Singapore generally

#### Key Definitions (Section 3)

- ***CII:*** a computer or a computer system designated under s 7(1)

  > **Designation of critical information infrastructure**
  >
  > **7.**---(1) The Commissioner may, by written notice to the owner of a computer or computer system, designate the computer or computer system as a critical information infrastructure for the purposes of this Act, if the Commissioner is satisfied that ---
  >
  > (a) the computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore; and
  >
  > (b) the computer or computer system is located wholly or partly in Singapore.

- ***Computer:*** "an electronic, magnetic, optical, electrochemical, or other data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device..."
  - Excludes prescribed devices (none at present)
- ***Computer System:*** an arrangement of interconnected computers and includes:
  - "An information technology system"
  - "An operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system"
- ***Cybersecurity:*** the state in which a computer or computer system is protected from unauthorised access or attack such that the following is maintained (note: the "CIA" of cybersecurity):
  - **Confidentiality** of information processed, etc. by the computer or computer system (what about the computer / system itself?)
  - **Integrity** of the computer or computer system or the information it processes, etc.
  - **Availability** of the computer or computer system (and information?)
- ***Cybersecurity Threat:*** "an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may imminently jeopardise or affect adversely, without lawful authority, the cybersecurity of that or another computer or computer system"
- ***Cybersecurity Incident:*** "an act or activity carried out without lawful authority on or through a computer or computer system that jeopardises or adversely affects its cybersecurity or the cybersecurity of another computer or computer system"
- ***Essential Service:*** "any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule"
  - Essential services in the First Schedule include:
    - Aviation, Land Transport or Maritime
    - Banking and Finance
    - Energy or Water
    - Info-communications or Media
    - Functioning of Government
    - Security and Emergency Services
    - Healthcare

#### Part 3: Regulation of CII / Critical Information Infrastructure

##### Designation of CII (s 7)

- The Commissioner may obtain information from a person who appears to be exercising control over a computer or computer system for the purpose of ascertaining whether it fulfils the criteria of a CII (**CYSA s 8(2)**)
  - Failure to comply is an offence (**s 8(4)**)
  - Same exception for legal privilege as **s 19**
- The Commissioner **may designate a computer or computer system as CII** if both of the following apply (**s 7(1)**):
  - The computer or computer system is necessary for the continuous delivery of an essential service, and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore
  - The computer or computer system is located in Singapore
- A designation under **s 7(1)**:
  - Must inter alia **inform the owner of the CII of the owner's duties and responsibilities** under the CYSA that arise from the
designation (**s 7(3)**)
  - Is valid for 5 years (**s 7(3)**)
  - See also sections 8 and 9; additional procedures are found in the Cybersecurity (Critical Information Infrastructure) Regulations 2018 \[not covered\]

##### Obtaining Information Relating to a CII (ss 10, 12 & 13)

- The Commissioner may require the owner of a CII to furnish the following information (s 10(1)):
  - Information on the design, configuration and security of the CII or any other computer or computer system under the CII owner's control that is interconnected with or communicates with that CII
  - Information relating to the operation of that CII or other computer or computer system
  - Any other information in order to ascertain the level of cybersecurity of the CII
- **Material changes** to the design, configuration, security or operation are to be updated **within 30 days** (s 10(5))
- Any **change in the beneficial or legal ownership** must be notified to the Commissioner **within 7 days by the former owner,** if the whole ownership is transferred, or otherwise by any owner of the CII (s 13(1))
- Failure to comply with any of the above is an offence (ss 10(2), 10(7) & 13(2))
- Same exception for legal privilege, etc.
as s 19

##### Codes of Practice and Standards of Performance (s 11)

- The Commissioner may issue or approve one or more codes of practice or standards of performance for the regulation of the owners of CII with respect to measures to be taken by them to ensure the cybersecurity of the CII (s 11(1)(a))
- **Every owner of a CII must comply with the codes of practice and standards of performance** that apply to their CII (following publication of a notice relating to the code or standard) unless otherwise waived by the Commissioner under s 11(7) (s 11(6))
- The Commissioner may amend or revoke any code of practice or standard of performance (s 11(1)(b))
- The Commissioner must publish a notice of the issuance, approval, amendment or revocation of a code of practice or standard of performance (s 11(3)), failing which it does not take effect (s 11(4))
- A code of practice or standard of performance **does not have legislative effect** (s 11(5)), and **any of its provisions that is inconsistent with the CYSA does not have effect** (to the extent of the inconsistency) (s 11(2))
- The Commissioner for Cybersecurity / CSA issued the Cybersecurity Code of Practice for Critical Information Infrastructure on 4 July 2022, last updated 12 Dec 2022

##### Directions to Ensure Cybersecurity of a CII (s 12)

- The Commissioner may issue a direction to the owner(s) of a CII in order to ensure the cybersecurity of the CII, or where it is necessary or expedient for the administration of the CYSA (s 12(1))
- **Without limitation**, a **direction** may include the following (s 12(2)):
  - The **action to be taken by the owner(s)** in relation to a cybersecurity threat
  - **Compliance** with any code of practice or standard of performance applicable to the owner(s)
  - **Appointment of an auditor** approved by the Commissioner to audit the owner(s) on their compliance with the CYSA or any code of practice or standard of performance applicable to the owner(s)
- The process for issuance of a direction
includes giving the owner an opportunity to make representations (s 12(4) & (5))
- Failure to comply is an offence (s 12(6))

##### Duty to Report Cybersecurity Incident in respect of CII (s 14)

- The owner of a CII must notify the Commissioner upon the occurrence of any of the following (s 14(1)):
  - A **prescribed cybersecurity incident** in respect of the CII or any other computer or computer system under the CII owner's control that is interconnected with or that communicates with the CII
  - Any other type of cybersecurity incident in respect of the CII that the Commissioner has specified by written direction to the owner
- The owner of a CII must establish such mechanisms and processes for the purposes of detecting cybersecurity threats and incidents in respect of the CII as are set out in any applicable code of practice (s 14(2))
- Failure to comply is an offence (s 14(3))

##### Cybersecurity Audits and Risk Assessments (s 15)

- The **owner of a CII must comply** with the following (s 15(1)):
  - At **least once every 2 years**, **cause an audit to be carried out of the compliance of the CII** with the CYSA and the applicable codes of practice and standards of performance (to be done by an auditor approved or appointed by the Commissioner)
  - At least once a year, conduct a cybersecurity risk assessment of the CII
- The owner of a CII must furnish a copy of the audit report or risk assessment to the Commissioner within 30 days of completion (s 15(2))
- See the rest of the section for further details
- Failure to comply is an offence (s 15(7) & (8))

##### Cybersecurity Exercises (s 16)

- The Commissioner **may conduct cybersecurity exercises for the purpose of testing the state of readiness** of owners of different CII in responding to significant cybersecurity incidents.
- An owner of a CII must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner
- Failure to comply is an offence (s 15(7) & (8))

#### Part 4: Response to Cybersecurity Threats and Incidents

##### Investigation (s 19)

- The Commissioner may **investigate any cybersecurity threat or incident** for the following purposes (**s 19(1)**):
  - **Assessing the impact or potential impact** of the cybersecurity threat or incident
  - **Preventing harm** arising from the cybersecurity incident
  - **Preventing a further cybersecurity incident** from arising from that cybersecurity threat or incident
- The Commissioner's **powers of investigation** (**s 19(2)**) **may be applied as against any person** (e.g. to compel attendance and obtain information), and **failure to comply is an offence (s 19(8))**
- **Legal privilege**, etc.: disclosure of information that is subject to any right, privilege or immunity conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information is not required, except that the performance of a contractual obligation is not an excuse for not disclosing the information (**s 19(6)**)

##### Elimination of Serious Threats and Incidents (s 20)

- The Commissioner has additional powers in relation to any cybersecurity threat or incident that meets any of the following criteria (s 20(3)):
  - It creates a risk of significant harm being caused to a CII
  - It creates a risk of disruption to the provision of an essential service
  - It creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore
  - It is of a severe nature, in terms of the severity of the harm that may be caused to persons in Singapore or the number of computers or value of the information put at risk, whether or not the computers or computer systems put at risk are themselves CII
- The Commissioner **may investigate** any such serious cybersecurity threat or incident for the following purposes (s 20(1)):
  - **Assessing** the impact or potential impact of the cybersecurity threat or incident
  - **Eliminating** the threat or preventing harm arising from the cybersecurity incident
  - **Preventing** a further cybersecurity incident
- For such serious cybersecurity threats and incidents, the Commissioner may:
  - In addition to the powers under s 19(1), **direct (by written notice) any person to carry out remedial measures, or to cease carrying on certain activities** in relation to a computer or computer system that \[...\] is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system
  - Require the owner of a computer or computer system to take any action to assist with the investigation (examples in the Act)
  - Enter premises, perform scans, obtain records, etc.
- Examples of **remedial measures** (under s 20(2)) include the following:
  - Removal of malicious software from the computer
  - Installation of software updates to address cybersecurity vulnerabilities
  - Temporarily disconnecting infected computers from a computer network until the above is carried out
  - Redirection of malicious data traffic towards a designated computer or computer system

#### Part 4: Cybersecurity Code of Practice

Governance of Cybersecurity

- Key requirements in the Cybersecurity Code of Practice for CII, Section 3:
  - Leadership and oversight
    - Adequate resources for the cybersecurity strategy and its application to CII
    - Effective leadership from the board and senior management
  - Risk management
    - Risk management framework to identify, analyse, evaluate and address (respond to) cybersecurity risks in a cost-effective manner
    - Maintain a risk register for each CII
  - Policies, standards, guidelines and procedures
    - Policies and standards for (internal) compliance
    - Guidelines on best practices
    - Procedures with specific actions to be taken
  - Security-by-Design, Cybersecurity Design Principles and Change Management are not covered
  - Use of cloud
    - The organisation remains responsible for maintaining oversight of cybersecurity and managing cybersecurity risks to the CII even if the CII is wholly or partly implemented using cloud computing systems
  - Outsourcing and vendor management
    - The organisation remains responsible for cybersecurity even if it engages an external party to perform any functions with respect to the CII
    - Controls must be implemented to minimise cybersecurity risks

### PDPA 2012

#### Part 1: Protection of Personal Data

##### Protection of Personal Data (s 24)

- Although data protection laws predated the advent of the Internet and the widespread use of computing devices we have today, they typically included a specific obligation to protect personal data
- Under the PDPA, all organisations are required to protect personal data by making reasonable
security arrangements to prevent the following (s 24):
  - **Unauthorised access,** collection, use, disclosure, copying, modification, disposal or similar risks
  - Loss of any storage medium or device on which personal data is stored
- In a modern context, as most data is stored in electronic form in computers, computer systems and other electronic / digital devices and systems, **this translates to requirements to ensure the cybersecurity of systems and databases containing personal data**
- Requirements:
  - Covers personal data in the possession or under the control of the organisation
  - **"Reasonable security arrangements" -- not defined** (side note: this kind of wording is found in the laws of many other countries, including e.g. the EU and US)
    - Measured objectively
    - Put in place arrangements that match the risk to the data
  - Two key elements; measures are to prevent:
    - Unauthorised access, etc. to personal data
    - Loss of storage media / devices containing personal data
- PDPC's Advisory Guidelines on Key Concepts in the PDPA, para 17:
  - "There is **no 'one size fits all'** solution for organisations to comply with the Protection Obligation. Each organisation should consider adopting security arrangements that are reasonable and appropriate in the circumstances..."
  - Factors to take into consideration:
    - **Nature** of the personal data
    - **Form** in which the personal data was collected (e.g.
electronic or physical)
    - **Possible impact** to the individual concerned if an unauthorised person obtains, modifies or disposes of the personal data
  - In practice, an organisation should:
    - Design and organise its security arrangements to fit the nature of the personal data held by the organisation and the possible harm that may result from a security breach
    - Identify reliable and well-trained personnel responsible for ensuring information security
    - Implement robust policies and procedures for ensuring appropriate levels of security for personal data of varying levels of sensitivity
    - Be prepared and able to respond to information security breaches promptly and effectively
  - Security arrangements include:
    - Administrative measures (e.g. confidentiality obligations, robust policies, staff training)
    - Technical measures (e.g. network security measures, access control, use of encryption)
    - Physical measures (e.g. physical locks, privacy filters, proper disposal of physical documents)
- In relation to data intermediaries and the organisations that engage them (data controllers), note that section 24 applies to both (per s 4(2) & (3))
  - Scope of responsibility depends on the **extent of the tasks to be done by each**:
    - **Processing** by the **data intermediary** (implement the necessary technical, physical and administrative measures)
    - **Governance** by the **data controller** (implement, typically via contract, measures to govern the data intermediary's protection of personal data)

#### Part 2: Data Breach Notification

Scope

- Definitions / concepts (ss 26A & 26B):
  - **Data Breach**: (a) unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) loss of any storage medium or device on which personal data is stored in **circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur**
    - Cf.
s 24, which has no bold part: a different definition of data breach
  - **Notifiable Data Breach**: a data breach that (a) results in, or is likely to result in, significant harm to an affected individual, or (b) is, or is likely to be, of a significant scale
    - A data breach is deemed to result in significant harm and is deemed to be of significant scale in **prescribed circumstances** (s 26B(2) & (3))
    - Significant harm: see Personal Data Protection (Notification of Data Breaches) Regulations 2021 ("DBN Regulations"), reg. 3 and Schedule (see next slide)
    - Significant scale: 500 (see DBN Regulations, reg. 4)
    - Notwithstanding the above, a data breach within an organisation is not notifiable (s 26B(4))

##### Conduct an Assessment of a Data Breach

###### By data intermediary:

- Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control:
  - Data Intermediary (DI): if the organisation is a data intermediary and the affected data is data it is processing for the data controller, the organisation (DI) **must notify the data controller (DC) of the data breach without undue delay** (**PDPA s 26C(3)**)
  - Regardless of whether the data breach was discovered by the DC or the DI, the DC has to conduct a reasonable and expeditious assessment
- Steps:
  - Is there a data breach / reason to believe that a data breach has occurred?
(if yes, proceed)
  - DI must notify DC without undue delay (typically 24h) → notwithstanding whether this is a notifiable breach (to PDPC)
  - DC must assess in a reasonable + expeditious manner (up to 30 days) whether it is a notifiable breach to PDPC
    - Yes: if the breach poses a risk of significant harm to affected individuals → notify → 3 calendar days to notify
  - Notify affected individuals: no prescribed timeframe ("on or after notifying PDPC")

###### By data controller:

- Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control:
  - Data Controller (DC): if the organisation is a data controller, it must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach (**PDPA s 26C(2)**)
  - Regardless of whether the data breach was discovered by the DC or the DI, the DC has to conduct a reasonable and expeditious assessment
- Steps:
  - Did this alert come from a DI? If yes, see [By data intermediary:](#by-data-intermediary) to address the DI's obligations
  - DC must assess in a reasonable + expeditious manner (up to 30 days) whether it is a notifiable breach to PDPC
    - Yes: if the breach poses a risk of significant harm to affected individuals → notify PDPC → 3 calendar days to notify
    - Notify the affected individuals without undue delay: no prescribed timeframe ("on or after notifying PDPC")
  - Timeframe: without undue delay (likely 1-2 days, fairly quickly) = expeditious; take reasonable and expeditious steps to assess the breach and decide on the necessary actions to mitigate any potential harm. Delays in this assessment can lead to enforcement action by the Commission.
  - Implementation of policies: the data controller should have policies and procedures in place to manage data breaches effectively, ensuring compliance with the Data Breach Notification Obligation.
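The DI/DC assessment steps above, worked through as an added example (my own code, not from these notes or from PDPC): a small Python helper that decides whether a breach is notifiable and projects each deadline from the timeframes the notes quote. The 500-individual scale threshold, the "typically 24h" DI-to-DC figure and the 30-day assessment window come from the notes; that the DC's assessment clock starts at the DI's notification deadline is my assumption, and "significant harm" is taken as an input because the DBN Regulations Schedule is not reproduced here.

```python
"""Data breach notification decision helper modelled on the PDPA Part 2 steps.

Added example, not from the notes or from PDPC. Whether "significant harm" is
likely is an input (the DBN Regulations Schedule is not modelled here).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SIGNIFICANT_SCALE = 500        # DBN Regulations reg. 4 threshold, as quoted in the notes
DI_TO_DC_HOURS = 24            # "without undue delay (typically 24h)", s 26C(3)
DC_ASSESSMENT_DAYS = 30        # "reasonable + expeditious manner (up to 30 days)", s 26C(2)
PDPC_NOTIFY_DAYS = 3           # within 3 calendar days of assessing, s 26D(1)


@dataclass
class Breach:
    discovered_at: datetime
    discovered_by: str                  # "DI" (data intermediary) or "DC" (data controller)
    affected_individuals: int
    significant_harm_likely: bool       # assumption: decided separately under the DBN Regs Schedule
    internal_only: bool = False         # breach wholly within the organisation, s 26B(4)
    harm_mitigated_after: bool = False  # post-breach action making harm unlikely, s 26D(5)(a)
    protected_before: bool = False      # prior technological measure, e.g. encryption, s 26D(5)(b)
    notification_barred: bool = False   # law-enforcement instruction, PDPC direction or waiver, s 26D(6)/(7)


@dataclass
class Obligation:
    who: str
    what: str
    due: Optional[datetime]  # None means "no prescribed timeframe"
    basis: str


def is_notifiable(b: Breach) -> bool:
    """s 26B: notifiable if significant harm is likely or the scale is significant,
    except that a breach occurring only within the organisation is not notifiable."""
    if b.internal_only:
        return False
    return b.significant_harm_likely or b.affected_individuals >= SIGNIFICANT_SCALE


def individuals_must_be_notified(b: Breach) -> bool:
    """s 26D(2) applies only where significant harm is likely, and is switched
    off by the s 26D(5)-(7) exceptions."""
    if not (is_notifiable(b) and b.significant_harm_likely):
        return False
    return not (b.harm_mitigated_after or b.protected_before or b.notification_barred)


def notification_plan(b: Breach, assessed_at: Optional[datetime] = None) -> List[Obligation]:
    """Return the ordered obligations and their deadlines for one breach.

    assessed_at is when the DC concluded its assessment; until then the PDPC
    deadline is projected from the latest permissible assessment date.
    """
    plan: List[Obligation] = []
    dc_aware_at = b.discovered_at
    if b.discovered_by == "DI":
        di_deadline = b.discovered_at + timedelta(hours=DI_TO_DC_HOURS)
        plan.append(Obligation("DI", "notify DC of the breach", di_deadline, "s 26C(3)"))
        dc_aware_at = di_deadline  # assumption: the DC's clock starts when the DI tells it
    assess_deadline = dc_aware_at + timedelta(days=DC_ASSESSMENT_DAYS)
    plan.append(Obligation("DC", "assess whether the breach is notifiable", assess_deadline, "s 26C(2)"))
    if not is_notifiable(b):
        return plan
    pdpc_deadline = (assessed_at or assess_deadline) + timedelta(days=PDPC_NOTIFY_DAYS)
    plan.append(Obligation("DC", "notify PDPC via the PDPC website", pdpc_deadline, "s 26D(1)"))
    if individuals_must_be_notified(b):
        plan.append(Obligation("DC", "notify affected individuals, on or after notifying PDPC", None, "s 26D(2)"))
    return plan


# Constructed scenarios (not real incidents).
SAMPLE_BREACH = Breach(datetime(2024, 3, 1, 9, 0), "DI", 1200, significant_harm_likely=False)
SAMPLE_ASSESSED_AT = datetime(2024, 3, 5, 10, 0)
INTERNAL_BREACH = Breach(datetime(2024, 3, 1, 9, 0), "DC", 5000, significant_harm_likely=True, internal_only=True)
ENCRYPTED_BREACH = Breach(datetime(2024, 3, 1, 9, 0), "DC", 40, significant_harm_likely=True, protected_before=True)

if __name__ == "__main__":
    # A vendor (DI) finds 1,200 customer records exposed: notifiable by scale alone.
    for ob in notification_plan(SAMPLE_BREACH, assessed_at=SAMPLE_ASSESSED_AT):
        print(f"{ob.who:2} {ob.what:55} due {ob.due}  ({ob.basis})")
```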
- Also note the obligation of a data intermediary of a public agency (s 26E)

##### Notification to PDPC: within 3 calendar days

- Where an organisation assesses that a data breach is notifiable, it must notify PDPC as soon as practicable and, in any case, within 3 calendar days (s 26D(1))
- Notification to PDPC is to be made **via the PDPC website** (www.pdpc.gov.sg)
- The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3))
  - The specific information required is set out in the DBN Regulations (reg. 5) and the relevant webform on the PDPC website
- Notification to PDPC (and to affected individuals -- see next slide) **applies concurrently with any other obligation of the organisation to notify any other person** (e.g. CSA) of the occurrence of a data breach

##### Notification to Affected Individuals

- Where an organisation assesses that a data breach is notifiable and it results, or is likely to result, in significant harm to the affected individuals, it must also notify the affected individuals on or after notifying PDPC (s 26D(2))
- Notification to the affected individuals is to be **made in any manner that is reasonable in the circumstances** (s 26D(2))
- The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3))
  - The specific information required is set out in the DBN Regulations (reg.
6)
- **Exceptions** to this requirement:
  - If the organisation, on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(a))
  - If the organisation had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(b))
  - If a prescribed law enforcement agency so instructs or PDPC so directs (s 26D(6))
  - PDPC, on application by the organisation, waives this requirement (s 26D(7))

PREVENTION OF ONLINE THREATS AND FALSEHOODS (POHA)
--------------------------------------------------

### POHA

#### Part 1: Scope and Offences

Scope of POHA

- Definitions:
  - Entity: any **company** or **association** or **body of persons** (whether corporate or unincorporate), but **excludes any public agency**

##### Criminal Offences under POHA

Section 3: Intentionally causing harassment, alarm or distress

- An **individual or entity must not, with intent to cause another person harassment, alarm or distress,** engage in any of the **following conduct**:
  - **Use any threatening, abusive or insulting words or behaviour**
  - Make any threatening, abusive or insulting communication
  - Publish any identity information of the target person or a related person of the target person
- Contravention is an offence which may lead to a fine not exceeding \$5,000, imprisonment for up to 6 months, or both
- It is a **defence** for the accused individual or entity to **prove that their conduct was reasonable**
- Illustrations:
  - \(c) X and Y were formerly in a relationship which has since ended.
X writes a post on a social media platform making abusive and insulting remarks about Y's alleged sexual promiscuity. In a subsequent post, X includes Y's photographs and personal mobile number, intending to cause Y harassment by facilitating the identification or contacting of Y by others. Y did not see the posts, but receives and is harassed by telephone calls and SMS messages from strangers (who have read the posts) propositioning Y for sex. X is guilty of an offence under section 3(2) in relation to each post.
  - \(d) X records a video of Y driving recklessly in a car on the road. X posts the video on an online forum where people share snippets of dangerous acts of driving on the road. X posts the video with the intent to warn people to drive defensively. X has not committed an offence under this section.

Section 4: Harassment, alarm or distress

- An individual **must not engage in any of the following conduct** which is likely to be heard, seen or otherwise perceived by any person and is likely to cause harassment, alarm or distress:
  - Use any threatening, abusive or insulting words or behaviour
  - Make any threatening, abusive or insulting communication
- Contravention is an offence which may lead to a fine not exceeding \$5,000
- It is a **defence** for the accused individual or entity to prove that:
  - The accused had no reason to believe that the words or behaviour used or communication made would be heard, seen or otherwise perceived by the person in question; or
  - Their conduct was reasonable
- Illustration: (a) X and Y are classmates. X posts a vulgar tirade against Y on a website accessible to all of their classmates. One of Y's classmates shows the message on the website to Y, and Y is distressed.
X is guilty of an offence under this section.

Section 5: Fear, provocation or facilitation of violence -- Doxing

- Note the elements of the offence(s), penalties and defences
- \(1) An individual or entity must not by any means use towards another person (called in this section, except subsection (1A), the victim) any threatening, abusive or insulting words or behaviour, or make any threatening, abusive or insulting communication to another person (also called in this section, except subsection (1A), the victim), either ---
  - \(a) with the **intent** ---
    - \(i) to cause the victim to believe that unlawful violence will be used by any person against the victim or any other person; or
    - \(ii) to provoke the use of unlawful violence by the victim or another person against any other person; or
  - \(b) whereby ---
    - \(i) the victim is likely to believe that such violence mentioned in paragraph (a)(i) will be used; or
    - \(ii) it is likely that such violence mentioned in paragraph (a)(ii) will be provoked.
- (1A) An individual or entity **must not by any means publish any identity information** of another person (called in this subsection the victim) or a related person of the victim, either ---
  - \(a) with the intent ---
    - \(i) to cause the victim to believe that unlawful violence will be used against the victim or any other person; or
    - \(ii) to facilitate the use of unlawful violence against the victim or any other person; or
  - \(b) knowing or having reasonable cause to believe that it is likely ---
    - \(i) to cause the victim to believe that unlawful violence will be used against the victim or any other person; or
    - \(ii) to facilitate the use of unlawful violence against the victim or any other person.
- Contravention: fine not exceeding **\$5,000** or imprisonment for a term not **exceeding 12 months**, or both.
- In any proceedings for an offence under subsection (2), it is a **defence** for the accused individual or accused entity (called in this section the accused) to prove ---
  - \(a) in respect of a contravention of subsection (1)(b), that the accused had no reason to believe that the words or behaviour used, or the communication made, by the accused would be heard, seen or otherwise perceived by the victim; or
  - \(b) that the accused's conduct was reasonable.
- Illustrations:
  - \(a) X and Y are classmates. X writes a post with threatening and abusive remarks against Y on a website accessible to all their classmates. X writes a subsequent post on the same website, stating Y's identity information and stating "Everyone, let's beat Y up!". X is guilty of an offence under this section in respect of the subsequent post.
  - \(b) X writes a public post on a social media platform containing threats against Y. X publishes a subsequent public post stating A's home address and a message "I know where you live". X is guilty of an offence under this section relating to conduct mentioned in section 5(1A)(a)(i) if X intends the subsequent post to cause Y to believe that violence will be used against A, or an offence under this section relating to conduct mentioned in section 5(1A)(b)(i) if X knows that it is likely that Y will believe that violence will be used against A as a result of X's subsequent post.
  - \(c) X writes a post (on a social media platform to which Y does not have access) containing threats of violence against Y and calling on others to "hunt him down and teach him a lesson". B posts Y's home address in reply to X's post.
B is guilty of an offence under this section.

Section 6: Offences in relation to public servant or public service worker

- Note the elements of the offence(s), penalties and defences
- \(1) An individual or entity that by any means ---
  - \(a) uses any indecent, threatening, abusive or insulting words or behaviour; or
  - \(b) makes any indecent, threatening, abusive or insulting communication,

  towards or to a **public servant or public service worker** (called in this section, except subsection (1A), the victim) in relation to the execution of the duty of the public servant or public service worker, shall be guilty of an offence.
- (1A) An individual or entity that contravenes section 3(1)(c) (in relation to a target person under section 3(1)(c) who is a public servant or public service worker) ---
  - \(a) with the intent to prevent or deter that public servant or public service worker from discharging the duty of that public servant or public service worker; or
  - \(b) in consequence of anything done or attempted to be done by that public servant or public service worker in the lawful discharge of the duty of that public servant or public service worker,

  shall be guilty of an offence.
- \(2) No offence is committed under this section unless the accused individual or accused entity (called in this section the accused) knows or ought reasonably to know that the victim was acting in the victim's capacity as a public servant or public service worker, as the case may be.
- \(3) Subject to section 8, an individual or entity shall be liable, on conviction for an offence under subsection (1) or (1A), to a fine not exceeding **\$5,000** or to imprisonment for a term not exceeding **12 months or to both.** - \(4) It is a **defence** for the accused to prove --- - \(a) in any proceedings for an offence under subsection (1), that the accused had no reason to believe that the words or behaviour used, or the communication made, by the accused would be heard, seen or otherwise perceived by the victim; or - \(b) in any proceedings for an offence under subsection (1) or (1A), that the accused's conduct was reasonable. - Illustration: X is unhappy that a public servant, Y, refused to waive a late payment charge. X writes several posts on an open social media platform with abusive comments about Y in relation to the incident. In a subsequent post, X posts Y's name, home address and photograph on the same open social media platform in order to cause Y distress. Y is distressed by the subsequent post. X is guilty of an offence under this section. 
#### Part 2: Civil Remedies

Section 11: Action for Statutory Tort

- A **victim** under sections 3, 4, 5 or 7 may **bring civil proceedings** against the individual or entity alleged to have contravened one of those sections (the "respondent")
- In such proceedings, the court may award damages to the victim if satisfied on a balance of probabilities that the respondent had contravened one of those sections

Section 12: Protection Order

- A victim under sections 3 to 7 may apply to the court for a protection order
- The court may make a protection order if satisfied on a balance of probabilities that the respondent had contravened one of those sections and is likely to continue contravening it
- Deeming provision: applies where the respondent has been convicted of an offence under the relevant section

#### Part 3: Orders relating to False Statements

General

- Types of orders:
  - Stop publication order
  - Correction order
  - Disabling order
  - Targeted correction order
    - Made against an internet intermediary; requires the same thing as a correction order
    - In addition, a TCO can go further and require the intermediary to inform end-users in Singapore who have accessed the material about the correction order (i.e. what has been corrected)
  - General correction order
- Note the **procedural requirements** in sections 15 and 15A to 15E
- An order may be made even if the statement has been amended or has ceased to be published
- An order may be made against a party in or outside Singapore
- An order may require the relevant party to do or refrain from doing an act in or outside Singapore

##### Section 15A: Stop Publication Order

- The court **may make** a stop publication order (SPO) against any individual or entity (the respondent) if:
  - It is satisfied on a balance of probabilities that the respondent published the relevant statement;
  - It is satisfied on a balance of probabilities that the relevant statement is a false statement of fact; and
  - It is just and equitable to do so.
- An SPO may be made even if the respondent does not know or have reason to believe that the relevant statement is false
- An SPO may require the respondent or any other individual or entity to stop publishing the relevant statement, or a similar statement, by a specified time

##### Section 15B: Correction Order

- The court may make a correction order (CO) against any individual or entity (the respondent) if:
  - It is satisfied on a balance of probabilities that the **respondent published the relevant statement**;
  - It is satisfied on a balance of probabilities that the **relevant statement is a false statement of fact**; and
  - It is just and equitable to do so.
- A CO may be made even if the respondent does not know or have reason to believe that the relevant statement is false
- A CO may require the respondent to publish in Singapore a correction notice (see Act for details)

##### Section 15C: Disabling Order

- The court may make a disabling order (DO) against an internet intermediary (the respondent) if:
  - It is satisfied on a balance of probabilities that any material consisting of or containing the relevant statement has been or is being published by means of an internet intermediary service provided by the respondent;
  - It is satisfied on a balance of probabilities that the **relevant statement is a false statement of fact**; and
  - It is just and equitable to do so.
- A DO may require the respondent to disable access, by end-users in Singapore, to the material via the internet intermediary service provided by the respondent (see Act for details)
- See also the targeted correction order under section 15D and the general correction order under section 15E

#### Part 4: Subsidiary Legislation

Protection from Harassment (Exempt Class of Persons) Order 2014

- Refer to the Order for the list of persons against whom no protection order may be made

Protection from Harassment (Prescribed Internet Intermediaries and Others) Regulations 2020

- Refer to the Regulations for the list of persons against whom a disabling order, targeted correction order or general correction order may be made (some of the big internet companies, e.g. Facebook)

### POFMA (not tested)

- Note similarities with POHA:
  - Offence for communication of false statements of fact in Singapore
  - Directions including:
    - Correction direction
    - Stop communication direction
    - Access blocking order
    - Directions to internet intermediaries (targeted correction direction, disabling direction, general correction direction, access blocking order)
  - Prescribed internet intermediaries (under the POHA Regulations)
  - Declaration of online locations
  - Directions to counteract inauthentic online accounts and coordinated inauthentic behaviour

LAW AND TECHNOLOGY
==================

Learning objectives

1. Provide candidates with a structural framework for appreciating, approaching, and understanding law and technology as a field of law on its own
2. Give candidates an overview of practice-relevant technologies, being technologies that they are likely to either be asked to advise clients on or use themselves in legal practice
3. Equip candidates with the know-how to identify law and technology issues in their practice, and to identify when they may need to seek expert technical advice

INTRODUCTION TO THE FIELD
-------------------------

What is Law and Technology?

- Law + Tech
- Tech = (the study and knowledge of) the **practical**, especially industrial, use of scientific discoveries; the methods for using scientific discoveries for **practical** purposes, esp. in industry -- practical = people involved
- Economic view of technology: essentially, anything which (a) increases production but (b) is not itself a factor of production \[i.e., **shifts** the entire production possibility plane\]
- Ultimately, it depends on what we mean by 'law' and what we mean by 'technology'
- (Diagram omitted: media/image4.png)

### General Framework for Approaching the Field

- The Big Question: Is the issue with law, with technology, or both?
  - An issue with the law is solved by changing or clarifying the law; an issue with the technology is solved by changing the technology. So which one is the problem?
  - E.g. Law and Automated Vehicles:
    - Do we understand accident law well enough? What loopholes/false assumptions does it make?
    - Do we understand how AVs work well enough to judge the **applicability** and **application** of those laws?
    - What problems, if any, arise from the interacting uncertainties?
- 2 ways of thinking about L&T
  - Focus on the law?
    - What are the legal principles?
    - What are the legal gaps?
    - No "law of the horse"
  - Focus on the Tech?
    - What's unique/novel?
    - What are its implications?
    - What cyberlaw might teach

### (CORE) Frank Easterbrook's Law of the Horse

Basically,

- Utilitarian
- He thinks courses in law, if they teach anything, should "illuminate the entire law", instead of being courses suited to dilettantes (a person who cultivates an area of interest, such as the arts, without real commitment or knowledge)
- His principal conclusion: develop a sound law of intellectual property, then apply it to computer networks (but then he goes on to say why developing a sound law of IP is so difficult: it is so fact-specific)

He DOES NOT support viewing L&T as a field in itself; why? Analogy that L&T is like the Law of the Horse:

- i.e. "property in cyberspace": he doesn't know much about cyberspace, what he knows will be outdated in five years, and his predictions about the direction of change are worthless, making any effort to tailor the law to the subject futile

#### Proposition 1: Sound rules and an understanding of legal principles are necessary in L&T

- Aka, focus on making sure our laws are right; "let's just study law in itself" and once we do, it will automatically apply well to technology.
- What is left unsaid/unclarified:
  - **whether it is sufficient** in exploring this field -- is knowing law enough?
  - View that predictions are highly likely to be false etc.; until we have answers to these questions, we cannot issue prescriptions for application to computer networks.

#### Proposition 2: Since we don't know tech, we should stick with law

- If we are so far behind in matching law to a well-understood technology, what chance do we have for a technology such as computers? If you don't know what is best, let people make their own arrangements. Next after nothing is: keep doing what you have been doing.
- **Consider:** Is something like the Law of Contracts susceptible to Easterbrook's critique? Torts?
- A quick summary: Error in legislation is common, and never more so than when the technology is galloping forward.
  Let us not struggle to match an imperfect legal system to an evolving world that we understand poorly. Let us instead do what is essential to permit the participants in this evolving world to make their own decisions. That means three things: make rules clear; create property rights where now there are none; and facilitate the formation of bargaining institutions. Then let the world of cyberspace evolve as it will, and enjoy the benefits.
- Echoes the standard calls for **minimum government and free markets** that characterise Chicago School economics

##### Judge Easterbrook: Cyberspace and the Law of the Horse

Does he support or detract from viewing L&T as a field in itself? Why or why not?

Law and tech not as a field in itself

- Dean Casper asserts that the beliefs lawyers hold about computers, and the predictions they make about new technology, are highly likely to be false
  - Second meaning: the best way to learn the law applicable to specialised endeavours is to study general rules, putting cases in the context of broader rules
  - **Law of the Horse**: any effort to collect the different strands about horses (e.g. sales of horses, people kicked by horses, licensing and racing of horses etc.) into one course is doomed to be shallow; only by **putting the law of the horse in the context of broader rules about commercial endeavours could one really understand the *law* about horses**
- Principal conclusion: develop a sound law of IP, then apply it to computer networks
  - But problem: we do not know whether many features of existing law are optimal
  - We are so far behind in matching law to a well-understood technology such as photocopiers
    - We have not managed to create well-defined property rights so that people can adapt their own conduct to maximise total wealth
  - What chance do we have for a technology such as the computer, which is mutating faster than the virus in *The Andromeda Strain*? [technology moves faster than our understanding of how to regulate it]
- What can we do? Nothing; let people make their own arrangements
- What else is there to do?
  - 1\. Make rules clearer, to promote bargains
    - We don't know what is best, but in a Coasean world the affected parties will by their actions establish what is best
    - Coasean = perfect economic world (no transaction costs)
    - The risk of error should lead to initial assignments that are easy to reverse, so that people may find their own way with the least interference
  - 2\. Create property rights where now there are none -- again, to make bargains possible
    - But no one can regulate the whole process of information exchange -- international consensus will always triumph
  - 3\. Create bargaining institutions
    - Agreed language for communications rules which all follow
- Summary
  - Error in legislation is common, and never more so than when the technology is galloping forward
  - Don't struggle to match an imperfect system; instead do what is essential to permit the participants in this evolving world to make their own decisions:
    - 1\. Make rules clear
    - 2\. Create property rights where now there are none
    - 3\. Facilitate the formation of bargaining institutions

### Lessig's Counter-Response: What Cyberlaw might teach

(Essentially: No, there is something *new* and *disruptive*, therefore it calls for new regulation)

- There is something new to think about there, and what we learn there will teach us something about what we know from here.

#### Proposition 1: Cyberlaw is unique

- E.g. a highway or train tracks separating this neighbourhood from that is a constraint on citizens' ability to integrate. **These constraints bind in a way that regulates behaviour. In this way, they regulate.** In all of these examples, law is functioning in two very different ways. In one way, its **operation is direct; in the other, indirect**. When it is **direct**, **it tells individuals how they ought to behave**. It [threatens a punishment if they deviate from that directed behaviour].... Law also has a way of regulating that is more **indirect**. When law [regulates indirectly, it aims at changing the constraints of one of these other structures of constraint]... When we think of regulation in this more general way, we see things that a less complete account might miss. One thing that we might see is how one kind of constraint can be substituted for another.
- **What is Lessig's definition of "regulation" here?** A function of the constraints of law, norms, market and "code"

#### Proposition 2: Cyberlaw is different

Code is not = law, but it is like law

- Software code is a form of **regulation**
- To the extent that code can be made to regulate directly, **because code is plastic** (plasticity = very malleable), code can regulate more. Code in cyberspace can more easily substitute for law, or norms.
- Code can more subtly control and discipline behaviour -- code is not = law, but code is *like* law, in that it is able to restrain behaviour
- There is a shift from a structure of constraint regulated by law to a structure of constraint regulated by code
- In this shift, something is lost
  - IP: loss of the structure of public use built into the protection of that property
  - Contract: loss of the public values that might check the enforcement of obligations
- **Therefore:** Government can and will regulate cyberspace \[and\] when we see the law in code, we see all the more reason why **law must regulate code, if public values, in particular constitutional values, are to be preserved.**
- Key Questions:
  - What, ultimately, is Lessig's substantive reply to Easterbrook on the Law of the Horse?
  - What are the assumptions made?
  - What are the implications for studying L&T as a field in itself?
- Answer / Key takeaways from the Law of the Horse:
  - Lessig's essential answer was to suggest that cyberspace is special enough that specialised study is both useful and possible. Agree?
  - L&T wasn't (isn't) always seen as a field
  - Perennial tension between applying existing law to technology and treating technology as special
  - What is really new/unique about tech as to warrant dedicated law/analysis?
  - How do we know?
  - More in the next segments on **when** and **why** tech can be special

##### Lawrence Lessig's response: The Law of the Horse -- What Cyberlaw Might Teach

+-----------------------------------------------------------------------+
| 1. The Regulation of Real Space                                       |
|                                                                       |
| - Behaviour is regulated by 4 constraints                             |
|                                                                       |
|   - Law -- orders people to behave in certain ways                    |
|                                                                       |
|   - Social norms -- punishment is not centralised; it is enforced by  |
|     the community                                                     |
|                                                                       |
|   - Markets -- regulate by price; individual and collective behaviour |
|                                                                       |
|   - Architecture/"Nature"                                             |
|                                                                       |
| - While law may regulate individuals *directly*, it also regulates    |
|   the other constraints directly, as a means to regulating            |
|   individuals *indirectly*                                            |
|                                                                       |
|   - Law regulates by threatening ex post sanctions                    |
|                                                                       |
|   - When law regulates other structures of constraint, the law        |
|     changes their constraints, so as to change the effect that they   |
|     might have on the behaviour being regulated                       |
|                                                                       |
|     - E.g. funding public education to create a stigma against those  |
|       who do not wear seatbelts                                       |
|                                                                       |
|   - Government can act to weaken social norm constraints as well, by  |
|     weakening the communities within which they have their effect     |
|                                                                       |
|   - The question for the policy maker is the **net effect** --        |
|     whether, as a whole, the policy reduces or increases social costs |
|                                                                       |
|   - Summary: law functions in 2 very different ways. In 1 way, its    |
|     operation is direct; in the other, indirect                       |
|                                                                       |
|     - Direct = tells individuals how they ought to behave             |
|                                                                       |
|     - Indirect = aims at changing the constraints of 1 of these other |
|       structures of constraint                                        |
|                                                                       |
|     - The question is instead to what extent a particular constraint  |
|       is a function of the law, and to what extent it can be changed  |
|       by the law                                                      |
|                                                                       |
| - The efficient regulator thinks of the trade-offs for efficient      |
|   regulation                                                          |