Data Protection In The Context Of Competition Law Investigations.
29 May, 2015
2014 saw the Competition Commission of Singapore (“CCS”) stepping up on its enforcement of the Competition Act (Cap. 50B) (“Competition Act”) against international cartels, with the issuance of its first two infringement decisions against international cartels following significant whistle-blowing activity to CCS under its leniency programme.
As part of the enforcement and investigative process, CCS avails itself of a range of information-gathering tools, which commonly include information requests, dawn raids, and its leniency programme. In today’s data-intensive age, such an investigation process by CCS undoubtedly entails the processing of voluminous amounts of data (including company documents, and employees’ emails and records), especially where large multi-national corporations are involved.
By the same token, companies which conduct internal investigations for the purposes of submitting a leniency application to CCS, to uncover potential competition law infringements, or simply to ensure compliance with competition law, would also be required to access and review, and potentially disclose to CCS, such data.
Against this backdrop, the recent introduction of the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) brings to light a number of interesting issues in relation to the interaction between data protection law and competition rules, which forms the subject of our discussion here.
We first outline the relevant legal frameworks under the Competition Act and the PDPA respectively, before proceeding to consider the potential issues and challenges arising from an application of the data protection principles in the context of competition law investigations. In view of the nascent enforcement of the PDPA, this article does not purport to provide definitive solutions or to resolve these issues with finality, but rather, attempts to offer a practical approach and perspectives which may be borne in mind when seeking to address the management of these concerns.
The Competition Act
The Competition Act was enacted in 2004 to protect consumers and businesses from anti-competitive practices perpetrated by private sector undertakings, and to promote effective competition in the Singapore economy. To these ends, three main forms of anti-competitive conduct are prohibited under the Competition Act, namely:
(a) agreements, decisions and practices which have the object or effect of preventing, restricting or distorting competition (the “section 34 prohibition”);
(b) abuses of a dominant position (the “section 47 prohibition”); and
(c) mergers and acquisitions that substantially lessen competition (the “section 54 prohibition”).
For the purposes of enforcing the Competition Act, CCS is accorded wide powers of investigation. In particular, CCS may conduct an investigation insofar as there are “reasonable grounds for suspecting” that any of the three main prohibitions above has been infringed (section 62 of the Competition Act).
Moreover, where CCS has reasonable grounds for suspecting that any feature of a market in Singapore for goods or services prevents, restricts or distorts competition in connection with the supply and acquisition of any goods or services in Singapore, CCS may, in conducting a study of the market, require any person to produce specified documents and/or information to it (section 61A of the Competition Act).
Broadly, CCS has the power to:
(a) require the production of specified documents or specified information (sections 61A and 63 of the Competition Act);
(b) enter premises without a warrant (section 64 of the Competition Act); and
(c) enter and search premises with a warrant (section 65 of the Competition Act).
The Personal Data Protection Act 2012
The PDPA, which came into full force on 2 July 2014, establishes a general data protection regime in Singapore to govern the treatment and processing (in particular, the “collection, use and disclosure”) of individuals’ personal data by organisations. In addition, the PDPA recognises the rights of individuals to access and correct their personal data.
“Personal data” is defined under the PDPA as “data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access”, while “individual” refers to natural persons.
Generally, this would encompass all types of data from which an individual can be identified, whether in electronic or physical form.
Key Data Protection Obligations
Broadly, the key data protection obligations of organisations under the PDPA have been summarised by the Personal Data Protection Commission (“PDPC”) in its Advisory Guidelines on Key Concepts in the PDPA, as follows:
(a) Consent Obligation (sections 13 to 17 of the PDPA): An organisation must obtain an individual’s informed consent before collecting, using or disclosing his personal data for a purpose;
(b) Purpose Limitation Obligation (section 18 of the PDPA): An organisation may only collect, use or disclose personal data for reasonable purposes;
(c) Notification Obligation (section 20 of the PDPA): An organisation must notify the individual of the purpose(s) for which it intends to collect, use or disclose his personal data on or before such collection, use or disclosure;
(d) Access and Correction Obligation (sections 21 and 22 of the PDPA): An organisation must allow an individual to access and correct his personal data in its possession or under its control upon request. In addition, the organisation is also obliged to provide the individual with information about the ways in which his personal data may have been used or disclosed during the past year;
(e) Accuracy Obligation (section 23 of the PDPA): An organisation must make a reasonable effort to ensure that personal data collected by it is accurate and complete, if it is likely to use such personal data to make a decision that affects the individual concerned, or disclose such personal data to another organisation;
(f) Protection Obligation (section 24 of the PDPA): An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks;
(g) Retention Limitation Obligation (section 25 of the PDPA): An organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the retention of such personal data no longer serves the purpose for which it was collected, and is no longer necessary for legal or business purposes;
(h) Transfer Limitation Obligation (section 26 of the PDPA): An organisation must not transfer personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPA; and
(i) Openness Obligation (sections 11 and 12 of the PDPA): An organisation must develop and implement policies and practices that are necessary for it to meet its key obligations under the PDPA, and make information about such policies and practices publicly available.
Key Parties In The Data Protection Framework
An “organisation” is ultimately responsible for complying with the data protection obligations under the PDPA, and is defined to include “any individual, company, association or body of persons, corporate or unincorporated, whether or not – (a) formed or recognised under the law of Singapore; or (b) resident, or having an office or a place of business, in Singapore.” Such a definition encompasses the undertakings subject to the application of the Competition Act, which defines “undertaking” as “any person, being an individual, a body corporate, an unincorporated body of persons or any other entity, capable of carrying on commercial or economic activities relating to goods or services.”
By contrast, an “individual” – defined to mean “a natural person, whether living or deceased” – enjoys data protection rights which are enforceable under the PDPA.
In the course of gathering and subsequently processing relevant information for competition law investigations – which may be an external investigation by CCS, or an internal investigation in response to CCS’s request for information, or pursuant to a whistle-blowing report – CCS and the company under investigation will invariably collect, use and disclose the personal data of employees or officers of the company itself, or of third parties, thereby triggering the application of the PDPA.
Accordingly, subject to any applicable exceptions (which will be discussed below), organisations will be required to comply with the data protection obligations listed above in respect of any personal data collected, used or disclosed in the context of a competition law investigation. For example, the company may be required to obtain consent for gathering and reviewing personal data for such purposes, and ensure that such personal data is accurate and complete, where it is likely to be used to make decisions that would affect the individual(s) to whom the personal data relates. Failure to comply with the PDPA may expose the company to complaints and potentially civil action by affected individuals. In addition, the PDPC may investigate any non-compliance with the PDPA and issue directions to an offending organisation to stop collecting, using or disclosing personal data, or to destroy personal data collected in breach of the PDPA, and may also impose financial penalties of up to SGD 1m.
Importantly, CCS, as a public agency, is exempt from the application of the above data protection obligations. In this regard, the Minister for Communications and Information has, during the PDPA’s Second Reading in Parliament, stated that the public sector has its own set of data protection rules that are based broadly on the same data protection principles as the PDPA, and that these rules are, in certain cases, stricter than those under the PDPA.
Furthermore, it should also be noted that CCS or the company under investigation may also request information or documents from third party organisations (ie parties other than the company under investigation). These organisations would also be subject to the data protection obligations under the PDPA, in respect of any collection, use or disclosure of personal data in this regard.
However, in situations where such third parties process personal data on behalf and for the purposes of the company under investigation, the organisation processing such personal data will be considered to be a “data intermediary” for the purposes of the PDPA.
“Processing” is defined in the PDPA as “the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(c) organisation, adaptation or alteration;
(g) erasure or destruction.”
For instance, where a company stores its databases on a server hosted by an external service provider, the external service provider would be considered a data intermediary. Where a company that is part of a larger corporate group undertakes the centralised human resources functions for the group and holds and organises records of the group companies’ employees, it may also be considered a data intermediary in relation to the other companies within the group. In respect of the personal data that it processes on behalf of other organisations, data intermediaries are only subject to the Protection Obligation and the Retention Limitation Obligation under the PDPA. Notwithstanding, organisations using data intermediaries remain subject to all the data protection obligations in respect of such personal data.
Therefore, where a data intermediary receives requests for information or documents from CCS or a company under investigation, it is unlikely that it will be held liable under the PDPA for not obtaining consent in respect of any disclosures of personal data which it processes on behalf of another organisation. However, this is subject to any contractual obligations as between the data intermediary and the organisation itself. For example, an organisation may require its data intermediaries to notify it of legally binding requests from any law enforcement agency for the disclosure of the personal data processed on its behalf.
Data Protection Issues In The Context Of Competition Law Investigations
Information Gathering In Competition Law Investigations
Generally, there are two main ways in which CCS may investigate suspected competition law violations or conduct market studies to determine whether any feature in the market(s) may prevent, restrict or distort competition in connection with the supply and acquisition of any goods or services in Singapore.
Firstly, CCS may, pursuant to section 61A or 63 of the Competition Act (as the case may be), issue a formal notice requiring the production of documents and information that it considers to be related to any matter relevant to the investigation. Such notices may be addressed to undertakings suspected of infringement, as well as to third parties, including complainants, suppliers, customers and competitors.
Alternatively, CCS is empowered, under section 65 of the Competition Act, to conduct dawn raids (ie unannounced searches) of any premises for the purposes of searching and seizing any document, equipment or article which has a bearing on the investigation. While CCS may also enter premises without a warrant pursuant to section 64 of the Competition Act, in such cases CCS is required to first give written notice of at least two working days of its intended entry, and it will generally not have the ability to actively search the premises.
It is not uncommon for multiple formal notices (for the provision of information and/or documents) to be issued by CCS to either the infringing parties or any other parties that might have information relevant to the investigation. In requesting such information under section 63(3) of the Competition Act, CCS may also require parties to attend formal interviews to provide the information or explain documents.
In the context of a competition law investigation, examples of documents which CCS may look at include, amongst others, electronically stored documents and emails, business cards, telephone records, correspondences on instant messaging services, management meeting minutes, and even handwritten notes. In dawn raids, CCS may also seize items such as hard disks and mobile phones. These documents and items will often contain personal data relating to employees of the company under investigation or of third parties, including suppliers, customers and competitors.
In addition, CCS may enter into agreements with other sectoral regulators to cooperate in cross-sectoral competition cases.1 Such cooperation may include information sharing between regulators. In particular, section 87(3) of the Competition Act provides that such co-operation agreements may include “a provision enabling each party to furnish to another party information in its possession if the information is required by that other party for the purpose of the performance by it of any of its functions”. In such cases, documents or information (which may include personal data) collected by CCS pursuant to an information request or dawn raid may be disclosed to other sector regulators, or vice versa.
Internally, companies may also collect and review information to assess their compliance with competition rules. Such internal investigations may be undertaken on the company’s own accord, or pursuant to whistle-blowing reports submitted by officers or employees of the company, or by external parties.
In all of the above situations, personal data is likely to be collected, used or disclosed between parties, leading to a dovetailing of the PDPA and competition law in Singapore. As such, the operation of data protection requirements in the context of such investigations is due to be considered.
The Public Agency Exemption
As mentioned above, a key feature of Singapore’s data protection regime is the exclusion of public agencies (and organisations acting on behalf of public agencies) from the application of the PDPA.
The PDPA defines a “public agency” to include:
(a) the Government, including any ministry, department, agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified by the Minister by notification in the Gazette.
In this regard, the Personal Data Protection (Statutory Bodies) Notification 2013 specifies a list of statutory bodies, which includes CCS, as public agencies for the purposes of the PDPA. As such, CCS is not subject to the data protection obligations in respect of its collection, use or disclosure of personal data.
However, in a joint letter to the Straits Times published on 31 March 2015, the Ministry of Education, the Ministry of Communications and Information, and the Ministry of Finance stated that officers who violate government policies and regulations on data protection may be subject to disciplinary proceedings.
Nonetheless, the fact that the public sector’s data protection rules are not made available to the public obscures the rights individuals may have against public agencies in relation to any wrongful collection, use or disclosure of personal data, or any breaches of data security.
In contrast, private organisations will remain subject to the full force of the data protection rules. In particular, companies are required to notify and obtain consent for the purposes for which they intend to collect, use or disclose personal data, unless there is an applicable exception to the Consent Obligation under the Second, Third or Fourth Schedule to the PDPA respectively.
That said, there are certain sector-specific statutes that contain provisions regulating the collection, use and disclosure of information by the public sector. In particular, section 89 of the Competition Act provides for restrictions on the disclosure of certain commercially sensitive information and details of an individual’s private affairs.2 However, the application of this provision is subject to a number of broad exceptions under which disclosure is authorised, including where the disclosure of such information is for the purposes of investigating a suspected offence, or enforcing a provision under the Competition Act.3
Therefore, in the context of competition law investigations initiated by CCS, such an asymmetry between private organisations and public agencies in relation to data protection compliance could potentially disadvantage the company under investigation in the collection, review, and disclosure of relevant information in the course of proceedings.
A pertinent question which arises is whether (and to what extent) a company under investigation is obligated to ascertain whether CCS is acting validly within its statutory powers before disclosing documents and/or information containing personal data pursuant to section 63 or 65 of the Competition Act. A formal notice issued by CCS pursuant to section 63 of the Competition Act will generally set out the subject-matter and purpose of the investigation, and specify or describe the documents or information, or categories of documents or information, required by CCS. Similarly, CCS’s power to take possession of any document (or copies or extracts thereof), equipment or article pursuant to section 65 of the Competition Act applies only to documents, equipment or articles which are relevant to the investigation.
In this regard, if the company collects, uses or discloses personal data to CCS without verifying whether such collection, use or disclosure was necessary or reasonable in the circumstances, would it potentially be liable to a complaint under the PDPA?
Notwithstanding, we note that paragraph 1(g) of the Fourth Schedule to the PDPA allows an organisation to disclose personal data without the consent of the individual where “the disclosure is to a public agency and such disclosure is necessary in the public interest.”
However, the scope of the exception appears to be limited to disclosures of personal data to public agencies. Accordingly, any collection or use of personal data for the purposes of disclosure to a public agency would not fall within the exception. Furthermore, given that the exception specifically requires that such disclosure be “necessary in the public interest”, it is not clear whether all disclosures of personal data to CCS in the context of a competition law investigation would be exempted from the consent requirement, or whether (and if so how) the organisation would be required to ascertain whether or not such disclosures are in the public interest.
In light of these uncertainties, we would generally recommend that companies, as far as possible, obtain prior consent from all individuals concerned for the collection, use and disclosure of personal data for the purposes of (internal and external) competition law investigations. Companies are advised to seek the assistance of in-house or external counsel when in doubt as to the categories of information which may or may not be collected, used and/or disclosed, especially in responding to time-sensitive information requests or dawn raids by CCS.
An Exception For “Investigation Or Proceedings”
Importantly, the Second, Third, and Fourth Schedules to the PDPA provide for an exception to the Consent Obligation in respect of the collection, use, and disclosure of personal data for the purpose of investigations. However, in the absence of any guidance from the PDPC as to the precise scope of the exception, it is unclear as to when the collection, use or disclosure of personal data will be considered “necessary” for investigations or proceedings. Furthermore, it is not certain whether the application of the exception extends to audits or internal investigations undertaken or commissioned by an organisation.
Beyond that, it is notable that the exception distinguishes between the use and/or disclosure of personal data necessary for investigations and the collection of such personal data. In respect of the latter, there is an additional condition to be satisfied before the exception can apply.
Under paragraph 1(e) of the Third Schedule and paragraph 1(f) of the Fourth Schedule to the PDPA respectively, an organisation may use and disclose an individual’s personal data without his consent where such use and/or disclosure “is necessary for any investigation or proceedings”.
By comparison, paragraph 1(e) of the Second Schedule to the PDPA provides that an organisation may collect personal data about an individual without his consent where such collection “is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data” [emphasis added].
As such, an organisation need not obtain consent for its use or disclosure of personal data for the purpose of investigations or proceedings, where such personal data is already in its possession or under its control. However, where the personal data required for an investigation or a proceeding has yet to come under the organisation’s possession or control, the organisation may only collect such personal data without the individual’s consent where it is reasonable to expect that seeking such consent would compromise the availability or accuracy of the personal data.
Information Sharing Between CCS And Foreign Competition Authorities
As CCS turns its attention to multi-national corporations and complex international cartels operating across multiple jurisdictions, cross-border competition law enforcement will soon become a common occurrence. Notably, both global cartel cases in 2014 were commenced following the submission of cross-border leniency applications.
In addition, CCS may engage in both regional and international cooperation with other competition authorities in its investigation of international cartels with cross-jurisdictional elements (with the approval of the Minister of Trade and Industry) under section 88 of the Competition Act, such as by sharing information to coordinate dawn raids in respect of multi-national companies. As discussed above, CCS is exempt from the requirements of the PDPA in respect of any personal data it discloses in this regard.
For completeness, we would note that section 88 of the Competition Act further empowers CCS to “furnish to the other party information in its possession if the information is required by that other party for the purpose of performance by it of any of its functions”. In this regard, section 88 provides that CCS will only furnish such information if the foreign competition body gives an undertaking in writing to comply with specified terms, which include terms that correspond to the provisions of any other written law concerning the disclosure of that information by CCS. Such terms may require the confidentiality of information provided, or may limit the use or disclosure of the information to a particular purpose.
Cross-Border Data Transfers Between Private Organisations
In any case, companies have to be attuned to the data protection implications in respect of the data flows involved in such cross-border competition law investigations. In responding to a formal request for information or documents from competition authorities (be it CCS or foreign competition authorities), or in conducting internal investigations or audits, it is not uncommon for multi-national companies to request their overseas offices to provide the necessary information or documents. Similarly, companies may also be required to retrieve personal data from data centres located overseas. Further complications arise for companies which utilise cloud computing services, such as where a company uses a cloud service provider to store or process data, or an email service based on cloud computing. Cloud computing typically involves a multiplicity of service providers and sub-contractors, creating difficulties in determining where data is located at any time and by whom and how it is being processed.
In this regard, companies should be mindful that the Transfer Limitation Obligation, which mirrors restrictions on cross-border transfers of personal data in other jurisdictions (the most prominent being the European Union), applies in situations where personal data is transferred outside of Singapore.
The Transfer Limitation Obligation requires the transferring organisation to ensure that the recipient of the personal data “is bound by legally enforceable obligations… to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act”.4 Such “legally enforceable obligations” include obligations imposed on the recipient under any law, contract, and binding corporate rules.
As it remains to be seen how this “comparable” standard will be interpreted in relation to the data protection laws of other countries, the PDPC has expressed its preference for organisations to fulfil the Transfer Limitation Obligation by way of adopting contractual clauses (for inter-corporate transfers) or binding corporate rules (for intra-corporate transfers).
In the converse case where personal data is transferred into Singapore, the data protection obligations under the PDPA will apply in respect of the activities involving the personal data in Singapore. Importantly, in the absence of an applicable exception, the recipient organisation in Singapore would generally be required to obtain consent in respect of the purposes for its collection, use and disclosure of such personal data. In addition, companies should also seek advice in respect of the data protection laws of the country or territory in which such personal data was collected.
Managing Data Protection Challenges In Competition Law Investigations
In light of the uncertainties posed by the dovetailing of both legal frameworks, companies are advised to pre-empt and address the potential data protection issues that could arise in the course of competition law investigations, as well as in the implementation of compliance programmes and whistleblowing schemes.
In this regard, comprehensive and well drafted data protection policies and notices will facilitate the collection, use, and disclosure of information necessary for internal monitoring and audits, and cooperating with external investigations by CCS and/or other relevant authorities.
In addition, we would urge companies to develop and implement competition law compliance and audit structures which incorporate data protection considerations, or to include such considerations within existing compliance and/or whistleblowing policies. Companies should also give their employees clear instructions for dealing with CCS investigations, such as steps to take in the event of a dawn raid, or procedures for handling information and/or document requests. For example, companies may consider providing their employees with handbooks that set out such guidance, or conducting dawn raid training programmes for key personnel. Importantly, companies should ensure that CCS is not given access to any documents or information outside the scope of the investigation.
In the event of a dawn raid, external counsel, in-house legal and compliance representatives, as well as senior management, should be contacted immediately.
Further, companies which collect large quantities of personal data – such as Internet service operators, social network platforms, healthcare institutions and financial service providers which utilise service and business models that revolve around the management and acquisition of personal data – may wish to consider developing systems to facilitate the differentiation of personal data which may be disclosed in competition law investigations from that which may not.
Such preparations will allow companies to avoid being caught off-guard by issues of data protection compliance when conducting internal investigations or when facing investigations by external authorities, which may hamper pro-active detection of competition law infringements and the timely collection of information or evidence where necessary. Such delay may ultimately result in companies being significantly disadvantaged when responding to requests for information, or in the race to present a leniency application to CCS.
With the introduction of the new data protection legislation, there appears to be heightened sensitivity of individuals with respect to their personal data. Coupled with the active stance adopted by the PDPC in relation to the enforcement of the PDPA, data protection compliance is set to gain increasing importance for companies in Singapore.
At the same time, endeavours in this regard will only prove to become more challenging, in light of the sheer volume of data involved in the operations of most companies today. Difficulties in data protection compliance may also arise by virtue of the multiplicity of locations, devices, and formats in which data belonging to an organisation may be stored and processed. In the context of multi-national companies, or companies which outsource the storage and/or processing of their data overseas, data protection compliance is complicated further by the diverse data protection regimes proliferated worldwide.
These challenges are equally present in the particular setting of competition law investigations, in light of the shift towards regional and global enforcement of competition law. However, these challenges may be mitigated with the implementation of adequate safeguards to address data protection requirements, such as those suggested in the preceding section.
In addition, further transparency on CCS’s use and disclosure of personal data in the context of such competition law investigations would give companies under investigation increased clarity on the ways in which CCS processes personal data, which may thereby facilitate their compliance with the data protection obligations under the PDPA, specifically in obtaining consent in respect of disclosures of personal data to CCS. In this regard, we note that the European Commission Directorate-General for Competition has issued privacy statements in respect of its processing of personal data in various contexts, including that of anti-trust investigations.
1 This is subject to paragraph 5 of the Third Schedule to the Competition Act, which provides that the section 47 prohibition does not apply where goods and services are subject to any written law or code of practice relating to competition that gives another regulatory authority jurisdiction in the matter. Examples include the electricity, gas, newspapers and broadcasting, telecommunications, and postal sectors, which are governed by sector-specific legislation that contain abuse of dominance provisions, and are enforced separately by their respective regulators.
2 Specifically, section 89 of the Competition Act provides that all matters: (a) relating to the business, commercial or official affairs of any person; (b) which have been identified as confidential; or (c) relating to the identity of persons furnishing information to CCS, coming to the knowledge of CCS in the course of performance of its functions and duties shall not be disclosed, unless disclosure is necessary for the performance of the function or duty or is lawfully required by the Competition Appeal Board or the courts, or unless disclosure is lawfully required or permitted under the Competition Act or any written law.
3 Section 89(5)(b)(iii) of the Competition Act.
4 Regulation 9, Personal Data Protection Regulations 2014.