This is partly motivated by the conclusion of my previous article (which just got published on IAPP!). I wrote:
The PDPA is not staying put. One interesting amendment being considered in the review of the PDPA is the provision of ‘Legal or Business Purpose’ approach as an alternative basis of processing. Following one round of public consultation, the PDPC intends to revise that approach from ‘Legal or Business Purpose’ to ‘Legitimate Interests.’ Now, doesn’t that sound familiar!
The conclusion I was trying to suggest is that the Singapore PDPA would converge on the “Legitimate Interests” basis already found in the GDPR. That is great with respect of the problem of the _limits _of the consent-based architecture of the PDPA with its several loopholes and black holes of uncertainty.
However, you can also read the conclusion that the Singapore PDPA is going to be more protective of privacy. I am not really on board with that conclusion.
Dressing this up as the GDPR-sounding “Legitimate Interests” does not change anything.
I guess a good next opinion piece would be to argue that the devil is in the details and the echoes of the GDPR does not necessarily mean that privacy standards are increasing all over the world. Or that DPOs will be needed everywhere. If the PDPA increases the number of loopholes and excuses for non-compliance, you don’t need a DPO; you need a pretty good lawyer.