Data Security for Singapore Companies Listed on Overseas Stock Exchanges

2 Dr Lim Wee Kiak asked the Prime Minister (a) how does the Government ensure that there is data security when Singapore companies go for listings on overseas stock exchanges; (b) whether the Government will review the data security risk for all Singapore companies currently listed abroad; and (c) whether Singapore-based companies need prior approval before listing overseas.

Mr Tharman Shanmugaratnam (for the Prime Minister): The decision on where to list is a commercial one that rests with individual companies. Companies do not need to seek prior approval to list overseas.

Companies that choose to list overseas decide on the data to transfer overseas to meet listing and ongoing disclosure requirements in the foreign jurisdiction. In general, stock exchanges’ listing rules focus on the disclosure of material information that is needed for investors to make informed investment decisions, for example, material events that affect a company’s financial and business performance.

Companies that transfer personal data overseas must comply with Singapore’s data protection laws. For instance, Singapore companies are subject to the Personal Data Protection Act (PDPA), which governs the collection, use and disclosure of personal data.

The PDPA requires that companies ensure that the standard of protection at the receiving destination is comparable to the protections under the PDPA. To do so, companies can use legally enforceable mechanisms, such as binding corporate rules or contractual clauses. In addition, personal data should only be used for legitimate purposes recognised by the PDPA or with the consent of the individual. The PDPA complements other sector-specific legislative and regulatory frameworks which require regulated entities to maintain confidentiality of customer information. Firm action will be taken against entities or persons who breach the relevant laws and regulations.