This is partly motivated by the conclusion of my previous article (which just got published on IAPP!). I wrote:

The PDPA is not staying put. One interesting amendment being considered in the review of the PDPA is the provision of ‘Legal or Business Purpose’ approach as an alternative basis of processing. Following one round of public consultation, the PDPC intends to revise that approach from ‘Legal or Business Purpose’ to ‘Legitimate Interests.’ Now, doesn’t that sound familiar!

The conclusion I was trying to suggest is that the Singapore PDPA would converge on the “Legitimate Interests” basis already found in the GDPR. That is great with respect of the problem of the _limits _of the consent-based architecture of the PDPA with its several loopholes and black holes of uncertainty.

However, you can also read the conclusion that the Singapore PDPA is going to be more protective of privacy. I am not really on board with that conclusion.

When I first read that there is going to be a “Legal or Business Purpose” in the Consultation, my first conclusion is “Oh great, here comes another loophole.” According to the consultation document (and this is true to a _certain _extent in GDPR), there’s no need to inform data subjects directly when collecting for this purpose. In accordance with the practice in Singapore, this likely means putting it in some privacy policy somewhere and “Don’t ask, Don’t tell”.

Dressing this up as the GDPR-sounding “Legitimate Interests” does not change anything.

I guess a good next opinion piece would be to argue that the devil is in the details and the echoes of the GDPR does not necessarily mean that privacy standards are increasing all over the world. Or that DPOs will be needed everywhere. If the PDPA increases the number of loopholes and excuses for non-compliance, you don’t need a DPO; you need a pretty good lawyer.