Reply to Parliamentary Question on Data Security When Singapore Companies List Overseas
QUESTION NO 927
NOTICE PAPER 552 OF 2021
FOR WRITTEN ANSWER
Date: For Parliament Sitting on 27 July 2021
Name and Constituency of Member of Parliament
Dr Lim Wee Kiak, MP, Sembawang GRC
To ask the Prime Minister (a) how does the Ministry ensure that there is data security when Singapore companies go for listings on overseas stock exchanges; (b) whether the Ministry will review the data security risk for all Singapore companies currently listed abroad; and (c) whether Singapore-based companies need prior approval before listing overseas.
Answer by Mr Tharman Shanmugaratnam, Senior Minister and Minister in charge of MAS:
1 The decision on where to list is a commercial one that rests with individual companies. Companies do not need to seek prior approval to list overseas.
2 Companies that choose to list overseas decide on the data to transfer overseas to meet listing and ongoing disclosure requirements in the foreign jurisdiction. In general, stock exchanges’ listing rules focus on the disclosure of material information that is needed for investors to make informed investment decisions, for example, material events that affect a company’s financial and business performance.
3 Companies that transfer personal data overseas must comply with Singapore’ data protection laws. For instance, Singapore companies are subject to the Personal Data Protection Act (PDPA), which governs the collection, use and disclosure of personal data.
4 The PDPA requires that companies ensure that the standard of protection at the receiving destination is comparable to the protections under the PDPA. To do so, companies can use legally enforceable mechanisms, such as binding corporate rules or contractual clauses. In addition, personal data should only be used for legitimate purposes recognised by the PDPA or with the consent of the individual. The PDPA complements other sector-specific legislative and regulatory frameworks which require regulated entities to maintain confidentiality of customer information. Firm action will be taken against entities or persons who breach the relevant laws and regulations.