On 27 October 2023, Thailand’s Personal Data Protection Committee published for public consultation two new draft rules regarding cross-border transfer of personal data. These two draft rules, namely: (1) Draft Whitelist Notification and (2) Draft Binding Corporate Rules and Appropriate Safeguards Notification, upon becoming effective as binding laws, will serve to expand the available options for making a lawful transfer of personal data outside Thailand in compliance with the Personal Data Protection Act B.E. 2562.

Artificial Intelligence is a leading technology that is advancing rapidly. Many industries are anticipated to benefit from AI assistance, which may also affect human workforce in certain industries in the near future. Currently, two draft legislations have been introduced in Thailand: (i) The Draft Royal Decree on Business Operations that Use Artificial Intelligence System; and (ii) The Draft Act on the Promotion and Support of AI Innovations in Thailand.

As part of an ongoing approach to combat scams, the Infocomm Media Development Authority (IMDA) has proposed new measures to reduce the ability of scammers to spoof their identity by using the same alphanumeric sender identification (“SMS Sender ID”) used by bona fide businesses. To further enhance consumer protection, the IMDA intends to make Singapore SMS Sender ID Registry (SSIR) registration mandatory for organisations who wish to use SMS Sender IDs.
Organisations using SMS Sender IDs must register with the SSIR using their Unique Entity Number (UEN) and aggregators handling SMS with Sender IDs must also participate in the SSIR and verify organisations via their UENs.

The Singapore Court of Appeal, in its recent decision of Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60, provides clarity on two provisions under the Personal Data Protection Act (PDPA). The first is section 4(1)(b), which states that the PDPA does not impose any obligation on any employee acting in the course of their employment with an organization. The second is the then section 32 (now section 48O), which allows individuals who suffer loss or damage as a result of an organization’s contravention of the PDPA, the right to commence private action against the organization.

In July 2022, the Singapore Personal Data Protection Commission published a guide to help organisations comply with the Personal Data Protection Act when deploying blockchain applications that process personal data. As such, this Guide provides a broad set of principles and considerations for organisations to design their blockchain applications to be PDPA-compliant, thus ensuring more accountable management of customers’ personal data.

The Ministry of Communications and Information has released, in its Public Consultation published on 13 July 2022, more information on two proposed complementary codes to protect Singapore-based users against harmful and high-risk online content.
Social media platforms with significant reach or impact that are designated social media services will be in-scope for the new compliance obligations proposed by the MCI under the Code of Practice for Online Safety and all social media services are intended to be subject to the Content Code for Social Media Services.

In May 2022, the Singapore Personal Data Protection Commission published a guide to help organisations collect, use or disclose individuals’ biometric data in a responsible manner. With security applications like security cameras and Closed-Circuit Television Cameras becoming increasingly commonplace, there have been more cases of organisations mishandling individuals’ biometric data. The release of this guide serves as a timely reminder for organisations to review their existing measures or implement new measures to ensure that they are dealing with individuals’ biometric data in a responsible manner.

The Infocomm Media Development Authority and the Economic Development Board will pilot a Call for Application to construct three new data centres, after lifting a moratorium on new data centre projects in place since 2019. In line with Singapore’s climate change commitments, permits will only be granted for proposed data centres that meet a stringent set of energy efficiency criteria.

On 4 February 2022, the Dubai International Financial Centre Office of the Commissioner of Data Protection announced that the commissioner issued an adequacy decision recognising, among others, Singapore’s Personal Data Protection Act for safe data transfers from the DIFC. This is a welcome development as it facilitates cross-border personal data transfers from the DIFC to Singapore, which can in turn strengthen business ties between the two territories.

On 25 November 2021, the United Nations announced that all 193 member states of the United Nations Educational, Scientific and Cultural Organization, including Singapore, adopted a first-of-its-kind global agreement on the ethics of artificial intelligence. The agreement focuses on the broader ethical implications of AI systems in relation to education, science, culture, communication and information; and articulates common values and principles to assist in the creation of legal infrastructure for the healthy development of AI.