Love.Law.Robots. by Ang Hou Fu

singapore

Feature image

📣

Trigger Warning: Abuse

It’s no secret that I don’t like local reporting on criminal cases and legal news. They tend to focus on being sensational without adding value to the nuances of the cases, let alone its legal issues. It’s New Paper reporting, done on the paper of record of Singapore. I have turned in my newspaper subscription for over a decade and don’t ever see myself as a subscriber ever again.

Readers will now be treated to a headscratcher. The background is a maid abuse case. The facts are shocking and hard to read. Of course, you can read more about them in our newspapers. Ordinary people, i.e. people who would probably not feel the full weight against them in their lives, would feel confused about why these things can happen in our society.

Helpfully, our law minister, Mr K Shanmugam, treats us to an explanation of evil which was given prominence in our newspapers:

If you go back to history, the history of people, history of countries – ordinary people are capable of extreme evil, and evil lurks in people who seem ordinary. It doesn’t occur only in faraway places, and people don’t walk around with clear indicators that show this person is evil. The point I will make is that people who seem ordinary are capable of extraordinary evil, and there are two pillars in any society to keep evil in check. One, is education. Two, we need rule of law to keep such evil in check. The law has to come down with full force when the rules are broken.

It thus follows that our horrific maid abuser must be punished with the full force of law – the death penalty for murder. So, now the prosecution seeks… a reduced charge of life imprisonment under culpable homicide rather than murder.

If you have never been through law school, you wouldn’t grasp the difference between Sections 300 and 304A of the Penal Code. Obscured by the technical terms used by lawyers when discussing criminal charges, the reason why the maid abuser couldn’t face murder is that she was sick (in the mind) and that sickness reduced her responsibilities for her actions. In other words, she wasn’t evil, she was depressed.

So all this discussion of education and increased penalties are really moot. Under our laws, a person who isn’t evil because of her sickness should not face the “full force” of our laws. Needless to say, public education is not going to save someone who is not thinking straight.

The real problem seems to be that as a society, we don’t really seem to recognise when things are not going right. The maid’s doctor didn’t seem to find anything to worry about during her routine checkups. So did the maid’s employment agency when they went to interview her. Without the benefit of hindsight, all this seems so mundane.

More pertinently, the maid abuser’s family members didn’t find that starving and assaulting a human being was not right. Or that a woman who was suffering from post-partum depression and underwent an abortion might need more support before she does something worse. This is all very tragic, really.

So maybe before suggesting that the rest of us are in fact actually evil people deep inside who are capable of heinous acts, one should try to tackle the lack of mental support that particular sections of society face and how the inequalities in our society contribute to that?

(When I first read the comments, I felt that the leaning on Nazi tropes was not being fair. In hindsight, I doubt whether there was any such intention. Anyway, you can read more about the inspiration for the title here.)

#Singapore #Law

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater , was at stake. Several companies scrambled to get their houses in order. For the most part, the authorities have followed through. We are expecting more too. Is this the same with the Personal Data Protection Act in Singapore too?

Penalties will increase under the latest PDPA amendments.

The financial penalties under Singapore’s Personal Data Protection Act probably garner the most attention. They are still newsworthy even though they have been issued regularly since 2016. The most famous data breach concerning SingHealth resulted in a total penalty of S$1 million. The maximum penalty of $1 million is not negligible. It’s not hypothetical either.

The newest PDPA amendments will now increase the maximum penalty to up to 10% of an organisation’s annual gross turnover in Singapore. To help imagine what this means: According to Singtel’s Annual Report in 2020, operating revenues for Singapore consumers was S$2.11b. The maximum penalty would be at least S$200m.

Is this the harbinger of doom and gloom for local companies? Will local companies scramble to hire personal data specialists like for the GDPR? Will an army of lawyers be groomed to fine-comb previous PDPC decisions to distinguish their clients' cases? Is my CIPP/A finally worth something?

Penalties imposed under the PDPA appear limited.

Before trying to spend on compliance, savvier companies would want to find out more about how the Personal Data Protection Commission enforces the PDPA. This makes sense. The costs of compliance have to be rational in light of the risks. If the dangers of being susceptible to a financial penalty are valued at $5,000, it makes no sense to hire a professional at $80,000 a year. If liability for data breaches is a unique and rare event, hiring a firm of lawyers to defend you in that event is better than hiring a professional every day to prevent it.

So here is the big question: What’s the risk of being penalised $1 million or gasp(!) at least $200 million?

Unfortunately, one does not need a big data science chart to realise that being penalised $1 million is a rare event. Being penalised $100,000 is also a rare event. Using the filters from the PDPC’s decisions database reveals a total of 2 cases with financial penalties greater than $75,000 since 2016.

Screen capture of filters of PDPC decisions with financial penalties of more than $75000. (As of October 2020)

However, if you insist on having a “big data science chart”, here’s one I created anyway:

Histogram of the number of cases binned on enforcement value.

Notes :

  • I excluded the Singhealth penalties ($750K and $250K) because they were outliers.
  • It’s named “enforcement value” and not “penalty sum” because I considered warnings and directions to have $0 as a financial penalty.

The “big data science chart” tells the same story as the PDPC’s website. Most financial penalties fall within the $0 to $35,000 range, with the mean penalty being less than $10,000. While the PDPC certainly has the power to impose a $1 million penalty, it appears to flex around 1% of its capabilities most of the time.

Past performance does not represent future returns. However, the amendments to the PDPA were not supposed to represent a change to the PDPC’s practices. They are for “flexibility” and to match other areas like the Competition Act. There is very little indication that an increase in the financial cap now means that companies will be liable for more.

Why are the penalties so low?

The decisions cite several factors in determining the amount of penalty – the number of individuals affected, the significance of the data lost and even whether the respondent cooperated with the PDPC.

In Horizon Fast Ferry, the PDPC cited the “ICO Guidance on Monetary Penalties” as a principle in determining monetary penalties:

The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the DPA or with PECR. The penalty must be sufficiently meaningful to act both as a sanction and also as a deterrent to prevent non-compliance of similar seriousness in the future by the contravening person and by others.

The key phrase in the quote is “sufficiently meaningful”. Given the PDPC’s desire to promote businesses, the PDPC would not like to kill off a company by imposing a crippling penalty. The penalties serve a signalling purpose. As they continue to attract public attention and encourage companies to comply, penalties are the most effective tool in the PDPC’s arsenal.

However, even if the penalties are “sufficiently meaningful” in an objective sense, they may still be meaningless subjectively. $5,000 might be peanuts to a large business. Some businesses may even treat it as a cost of “innovation”. PDPC decisions are replete with “repeat” offenders. Breaking the PDPA, for example, seems to be a habit for Grab.

While doling out “meaningful” penalties strikes a balance between compliance with the law and business interests, there are limits to this approach. As mentioned above, dealing with a risk of $5,000 fines may not be sufficient for a company to hire a team of specialists or even a professional Data Protection Officer. If a company’s best strategy is not to get caught for a penalty, this does not promote compliance with the law at all.

Moving beyond penalties

I am not a fan of financial penalties. I have always viewed them as a “transaction”, so they never really comply with the spirit of compliance.

Asking companies to comply with directions may be far more punishing than doling out a fine. A law firm might help you negotiate the best directions you can get, but the company has to implement them through its employees. The company will need data protection specialists. This approach is more effective than just essentially issuing a company a ticket.

For this reason, I was pretty excited about the PDPC’s Active Enforcement guidelines. Here’s something to watch out for: a new section on undertakings appeared last month.

Conclusion

Still, I am probably an outlier in this regard. The increased penalty cap has repeatedly featured as one of the most critical changes in the PDPA. Experience does not suggest that a higher cap will change much. Nevertheless, as a signal, the news would probably make management sit up and review their data protection policies. Data Protection Officers should take advantage of the new attention to polish up their data protection policies and practices.

This post is part of a series on my Data Science journey with PDPC Decisions. Check it out for more posts on visualisations, natural languge processing, data extraction and processing!

#Privacy #Singapore ##PDPAAmendment2020 #Compliance #DataBreach #DataProtectionOfficer #Decisions #GDPR #Enforcement #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

It must be hard to be an NUS student these days. One of the top universities in Singapore (and Asia) keeps appearing in the news for naughty transgressions, and getting allegedly easy treatment from the courts. Arguing whether NUS students get preferential treatment touches on the fairness of the courts as well as whether those in the higher echelon of society get to enjoy privilege. Can exhortations on how the Court works overcome people’s innate fears and prejudices of those in power? I doubt it. More data is needed.

A strong desire to show that justice is done

An NUS student was initially sentenced to probation for molesting a woman in a train station. Probation is a process where once you complete its requirements without incident, ends in a clean record. Amidst a public outcry and the intervention of the law minister, the prosecution appealed. The High Court, presided by the Chief Justice, increased his sentence to two weeks of jail.

The judgements in this case are among the most fascinating.

The State Court isn’t wrong

The lower court (State Court) judgement is no longer available because LawNet only provides the latest three months for the public, so you would have to contend with my memory and a Mothership report.

The State Court judge wrote this during the public furore for the case. It contained a gem which rarely appears in judgements from the State Court: “ The order of probation should not be seen as a soft option. ” Sure, the State Court needs to justify its decision for scrutiny on appeal. However, claiming that probation is not a soft option appears to be a direct appeal to the public.

(By the way, when a State Court decision is appealed, the Court must write a judgement. Public attention and “pressure” as alleged by Mothership does not figure in this practice.)

The State Court’s reasoning appeared reasonable and in line with the sentencing practices of the Court. An appeal court can’t possibly substitute its decision for the State Court without explaining why the State Court is wrong. Will the appeal fail? Will the public see that justice is not “served”?

The Chief Justice cries foul

Key to justifying its decision to allow the appeal, the Chief Justice called for a psychiatric report of the accused. The report provided crucial pieces of information which the State Court did not have. The accused remained “in denial” of the offence. He was still doing pornography. He was able to “compartmentalise” his behaviour. As such, he failed to show an extremely strong propensity for reform. All this explained the State Court’s failure to reach the same decision as he did.

The Chief Justice’s conclusion: the system works.

The Chief Justice also remarked that he had on the same day, allowed another accused, who was “not a graduate”, to community-based sentencing. That case “did not attract any media or public interest”. The failure to report positive outcomes, the Chief Justice argued, creates the misconception that judges are not doing justice. These remarks were extraordinary because they usually do not appear in a court judgement.

Ironically, the media did not report the Chief Justice’s remarks. It is not surprising that the media does not report such positive outcomes and they do not figure prominently in the public’s mind. People react strongly to the oppression of the weak or when the powerful receive better treatment. That’s when they reach the conclusion that criminal justice is not working.

Another NUS student in hot soup

It has been only a few months since the Terence Siow case that another NUS student raised eyebrows again for getting probation. The new case shared many similar contours with Terence Siow’s case. They involved NUS students. The accused also perpetrated violence against females — Yin tried to strangle his girlfriend.

Would the criminal justice system now get an outcome which “aligns” with popular opinion again? If you were betting for such an outcome, the Terence Siow case actually shows that these things are by no means assured. For example, the Chief Justice can’t possibly know that Terence Siow was still watching porn when his case went up for appeal.

This may explain why, unlike Terence Siow, this case is not being appealed. The High Court recently dismissed an appeal from the prosecutor regarding an SMU student filming showers. The High Court in the latter case, stated that community-based sentencing is not a soft option.

Unable to satisfy the public through outcomes in the courts, the Ministry of Law announced a review of the penalty framework. It isn’t immediately clear (at least to me) what such a review would entail when the courts are adamant that the system is working. This is a developing issue, so more will come.

We can’t tell whether the system is working without data

Figuring out what to fix will be very difficult. We are not sure what we are trying to fix in the first place. Fundamentally, we do not know in the first place if university students receive “lighter” sentences because they are university students. It would be ironic if such a review attempts to raise the bar for probation and community sentences so high that even non-graduates cannot reach it.

There is scant public information on what goes on in the criminal justice system. We don’t know how often a graduate or a non-graduate gets away with “lighter” sentences. This provides fertile ground for suspicions, reinforcing personal experiences and even conspiracy theories. Solving this would entail analysing closely the decisions judges make with respect to each accused and the crime.

Such information might be available from appeal decisions, but they only represent a small subset of cases. In fact, such cases will probably over-represent graduates because they are more likely to appeal.

Having a data-driven approach solves two problems. The court will not be required to convince the public of esoteric legal concepts. The media will never report such complexity anyway either. We also do not have to decide whether the Chief Justice’s personal experience or the layman’s experience of the justice system is more compelling. The data can serve as a source of truth for our arguments to improve the system.

Barriers to a data-driven approach

Judges may not be comfortable having their decisions analysed in such detail. They may not like the data to show that someone is softer than the others on certain kinds of accused persons. However, if judges can remain steadfast in the face of public opinion, I am sure that a bunch of numbers are not going to overcome their desire to do right in the cases before them. Instead, such statistics may serve as another guardrail to remind judges when they are facing an outlier. This is nothing new — sentencing guidelines and appeals to higher courts already perform such checks.

I expect that the data is not going to be completely positive. The real fight in criminal matters, like most litigation, happens way before the Court hears the case. Getting referrals to a psychiatrist, writing contrite letters at the first opportunity, and testimonials from influential people can make the difference. It happens that graduates are more likely to get legal advice, know where to find a psychiatrist and have important people around them as well. It sounds unfair that well-resourced accused persons get lighter sentences, but to a judge, this is the evidence before him. If the Ministry’s review ends up increasing legal aid to many accused persons, that would be pretty great.

Of course, detailed data is not required to conclude that NUS students get off easier. However, if the ministry’s review ends up as a full-throated exhortation that the system works and it should work well for everyone, I am afraid we have learnt nothing much from this except whose opinion is stronger.

Conclusion

It’s great that young Singaporeans now care more about the criminal justice system and its outcomes. For many, this would be their first experience understanding the intricacies of this complex system. This is not the time to justify lofty concepts or point to personal experiences. It’s also great that the ability to analyse a judge’s decision-making in detail is largely available to us. Hopefully, this will spur better change to society’s benefit.

#Singapore #Law

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

There’s a new hue to the shift from openness to accountability in the PDPA. We are used to the idea of expecting more from organisations. However, individuals (who aren’t public servants or acting in a personal capacity) who mishandle personal data will be criminally liable under a new section in the upcoming PDPA.

As the PDPC and Ministry puts it, it’s an offence relating to egregious mishandling of personal data. The types of mishandling are:

  1. Knowing or reckless unauthorised disclosure of personal data
  2. Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
  3. Knowing or reckless unauthorised re-identification of anonymised data.

Anyone convicted of an offence is liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years or both.

Leveling the Public and Private sectors

One of the most controversial areas of the PDPA is the exclusion of the public sector. This can create an impression of differing standards in data protection standards in the public and private sector. In response, the Government has taken steps to level up its data protection.

One of the more aggressive moves by the Government to show its accountability was to enact the Public Sector (Governance) Act. In sections 7 and 8 of the same act, the egregious mishandling of personal data by public servants is also criminalised in very similar terms as the amendments.

As such, the PDPA amendments level the playing field. An employee who egregiously mishandles personal data will also be penalised in the same way, whether he is in the private or public sector. At least in this respect, the differences between the public and private sectors is less pronounced.

The amendments are also essential to plug a hole for companies doing work for the Government. If you mishandle government data, you are liable under the PSGA if you are a public servant. However, non-public servants, such as contractors, are not liable under the PSGA if they mishandle government data. So after the amendments are passed, no one will be left out.

Do employees have anything to fear?

From its inception, the PDPA targets organisations for compliance, not its employees. Section 4(1)(b), which do not impose obligations on the employee, and section 11(2), which states that an organisation is responsible for its personal data, confirms this.

This makes sense. Employees need their employer’s support to carry out the organisation’s data protection obligations. The decisions consistently rebuke the argument that employees did their jobs as the employer ideally expects them to. Employees need practical and relevant training, and they are best provided by the organisation.

Do the amendments mean that employees face more exposure under the revised PDPA? Realistically, the answer is no. The provisions place a very high threshold on the mens rea or mental element of the offence. The offender either did this intentionally or recklessly. Negligent acts are not enough. Furthermore, the use of the information must not be authorised by the company.

As such, the paradigm case for this section is the rogue employee who makes use of the company’s data to make a profit. An employee who ignores data protection training and then commits the mistake training was meant to prevent, may not be criminally liable under this provision. Arguing that such an employee intentionally caused a data breach will be challenging.

Interestingly, we can find this sort of employee in Hazel Florist & Gifts [2017] SGPDPC 9. Even though the employee who caused the data breach refused to attend training or follow SOP, the PDPC still blamed the organisation for failing to make her do so.

Would I use the new criminal liabilities to encourage my colleagues to take data protection seriously? Ultimately, it’s not right to scare people for something unlikely to happen. In any case, the reality is that most employees do want to comply once they have the right tools. When they fail to comply, it's generally because they are not in the right environment, and this environment is completely within the control of the organisation. The “stick” in this case is good but does not seem necessary.

Conclusion

The amendments imposing personal liability on individuals appear to be mainly an effort to align the public officers with other individuals. Like the public sector, liability is narrow and targeted at the most egregious conduct. In that light, the amendments are essential for a consistent regime in the private and public sector.

#Privacy #Singapore ##PDPAAmendment2020 #Employee #Government #PersonalDataProtectionAct

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

Introduction

The history of data protection legislation, in my view, comprises three generations:

  • The earliest generation focuses on common law and sectoral self-regulation. It’s a bit of the wild west, with various ideas and strands all over the place.
  • The EU’s Data Protection Directive, way back in 1995, represents the next generation. Its key innovation is comprehensive national legislation. Its foundations are based on OECD recommendations and revolve around consent, notification, purpose limitation, etc.
  • The third and latest generation, of course, belongs to the GDPR in 2018. Its key innovations are lawful purposes, protection of children, the right to be forgotten, the right to object to automated processing, etc.

Singapore’s PDPA was enacted in 2012. It sits between the EU’s Data Protection Directive and the GDPR. As such, it retains many well-established and familiar features but very few of the innovations used in the GDPR.

One of these artefacts concerns what the PDPA calls the “consent obligation”. The consent obligation requires the consent of a data object before an organisation can process personal data. Unfortunately, reality does not work out like that. As is consistent with experience, data subjects in Singapore don’t “consent” much substantively, and the exception swallows the rule. Other laws, the exceptions in the schedules of the PDPA and the “reasonable” requirement all qualify the consent obligation.

Instead of looking to the GDPR, the latest amendments to the PDPA “double down” on the consent obligation. Sure, the schedules will undergo some housekeeping and streamlining. Deemed consent is expanded. Two new exceptions are introduced — legitimate interests and business improvement. (Curiously “legitimate interests”; sounds like one of the legal bases in the GDPR.)

Given the Law Reform Committee’s view that the PDPA is sound, the consent obligation will be with us for a long time.

As I showed above, I am not a big fan of this convoluted consent obligation. I like the legal bases of the GDPR more. They are easier to explain, and the exceptions don’t control the rule. By conceding that consent is unable to explain user rights fully, the GDPR accords better to reality.

Nevertheless, I am going to try to explain the Consent Obligation, including the new amendments. So, we are going to play a game! Let’s play “ so you want to collect personal data in Singapore “.

So you want to process personal data Contains all the flowcharts in this post. So you want to process personal data.pdf 217 KB download-circle

Highlights of changes

As I summarized above, there are several new exceptions to the consent obligation. Here are some highlights.

Deemed consent has expanded.

Deemed consent has grown with two new situations. They are expansive and encompass many cases where it’s evident that organisations should have sought consent. The appropriate notification situation also enables organisations to use another method of obtaining consent, which may be considered less confrontational.

A new legitimate interests exception.

The PDPA will also feature a new general exception for legitimate interests. The one in the PDPA looks similar to the one in the GDPR. It also requires organisations to do a cost-benefit analysis in the form of a data protection impact analysis.

Here is another one: using personal data for business improvement. As this only applies to use, you must have collected the personal data through other means. This applies very much to data and customer analytics. You might have already collected data from your customers or operations, and this allows you to make more use of it without worrying about the PDPA.

Conclusion

The changes to the consent obligation are very business-friendly. Should an organisation be excited to employ these exceptions?

If you have been very much at the top of your privacy game, you probably would not need any of these exceptions. Your privacy policy would already have included using personal data for data analytics or business improvement. You would not be needing any “deemed consent” because, in line with best practices, you would have already been upfront and direct with your data subject.

Given the hit or miss nature of PDPC decisions when exceptions are considered, if you can plan for it, you wouldn’t rely on any of these exceptions.

So while it’s heartening to see the movement from openness to accountability, these new changes represent a step back. Hopefully, I wouldn’t need to add several more pages to the next version of my flow chart.

#Privacy #Singapore ##PDPAAmendment2020 #ConsentObligation #GDPR

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

COVID-19 brought home a few trends most would not bother with otherwise. Remote working instead of showing up at an office and passing four budgets in as many months — it’s time to question deeply-held assumptions.

One deeply-held assumption which we might not be able to shake off is the archaic and highly formal process of getting wills done. The Wills Act is considerably vintage, dating earlier than the mid-nineteenth century. As such, it contains interesting oddities such as “a blank space shall intervene between the concluding word of the will and the signature”. You can do this by simply pressing “Enter” after you finish writing your will.

What do these restrictions mean in today’s context?

The main obstacle placed by the Wills Act is that two witnesses are required to witness your signing. You can type and save your will on your computer as much as you like, but it cannot be valid until it is witnessed physically.

The physical requirement of witnessing also makes the validity of e-signatures dubious. The Electronic Transactions Act excludes the creation and execution of wills explicitly. Your will therefore must have a physical manifestation, and someone has to use a pen (or other inking devices) to sign it.

Why is there resistance to change?

It’s not as if no one is trying here. Most people would like to attribute this to “tradition”. However, I also believe that this is perhaps the area where witnesses to a signature does have an impact on disputes. Wills can be challenged for various arbitrary reasons; claiming that [the testator was not thinking straight is one of the easiest](GHOST_URL__/settling-scores-through-your-will-it-doesnt-end-well/). When done correctly, your witnesses can provide that evidence.

The remote nature of e-wills and e-signature provides new avenues for attacks on the validity of your will. Somebody else clicked to sign in your place. How do you know someone is under undue influence when you are looking at them through your webcam?

I am not saying that these problems are insurmountable, even today. However, a process that works wells already exists right now. People who care about their will are willing to go to a law firm and pay for it. If a better solution is out there, it has to be significantly better than the current one.

… But this area is certainly looking at it.

Having a process that works does not mean it is perfect. In fact, there has been much movement in this area:

It’s not clear whether the paid services are making money on their own. The “referral” aspect of the business seems obvious in cases like OCBC, so I suspect most services come together with some other (financial planning) product.

Of course, given the legal background, all these services can only draft a will. Execution is either a separate service (usually involving law firms) or DIY.

And there is room for improvement.

I tried the OCBC service and had the opportunity to view the results of WillMaker. From what I can tell, all these options employ an expert system to generate a will. The problem with the expert system is that the service is only as good as the questions asked.

I previously drafted wills as a charitable service. My primary audience then probably substantially overlaps with someone willing to use the OCBC service. If you would like to generate your own will and your assets are uncomplicated, the current services should fulfil your needs 60-80% of the time. The services are thus very substantial and useful. If you have a lot of odd requests and complicated assets, you must go to a law firm to sort out the ends.

The real problem is that most people who want to make a will don’t have any idea what they are doing. I don’t mean this in a legal sense like trying to dispose of your CPF by will. At this point, they are exploring their options or looking for an expert to challenge their conclusions. A will generator that merely does what the user wants may not be enough. The user wants to know whether the will they have in mind is the one they want.

A will that doesn’t inspire confidence in its user isn’t going to go very far. After going through the form filling exercise, users confront the formal requirements of will execution. They get worried about whether they are doing the right thing. Then they realise that they do need a law firm.

In the end, if you are going to go to some law firm anyway, the need to do an E-Will or e-signature vanishes.

Conclusion

This post might sound bleak for people looking for a change. However, look positively, and it is obvious that there is a need that hasn’t been fulfilled yet. Perhaps charging for an expert system is not likely to draw enough people to experiment with their options. The point is that there should be a system that is demonstratively better than what we have now. Only then will there be an impetus to remove the formalistic limitations of wills.

So who wants to do an E-Will?

#Law #tech #E-signature #ElectronicTransactionsAct #LegalTech #Singapore #Wills #WillsAct

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

I don’t comment on criminal cases often. Rapes get reported in the news regularly, so I do not have much to add. However PP v Wee Teong Boo struck a discordant nerve in me. Injustice senses tingling!

A summary of a difficult case

The Supreme Court does an excellent job of summarising the key points in the decision. However, for this post, I am still going to try to summarise it here.

A patient alleges that a doctor raped her in his clinic during a consultation. The doctor was a general practitioner. For most Singaporeans, a general practitioner is the first port of call when you fall sick. The case is difficult for a few reasons.

First, if it did happen, this would be very audacious and brazen. We are talking about a professional claiming that he was doing a medical procedure on a young woman, and then sticking his dick in her instead. As a community doctor, this would scare many women who would like to trust their doctors. (Although with scandals like doctors forming their own sex rings, anything is possible.)

Secondly, both parties are more than worthy of the court’s protection. The accused is a 65-year-old doctor. He would have been a general practitioner for a very long time, with reputation and standing in his community. On the other hand, we have a 23-year-old female university student. Public interest in protecting women have been very high here, and the court would be encouraged to be seen as protecting someone vulnerable.

Here comes the wedge. The victim alleges that she was raped by her doctor while he was holding his legs. She saw his penis partially inside her vagina. In response, our doctor claims he suffers from something common among men of his age — erectile dysfunction. Unlike others though, he has the medical evidence to prove it this time. Among the findings of the report, it stated that it would have been quite difficult for the doctor to penetrate a partner unaided.

What should the victim have done?

Singapore courts have come some distance dealing with the evidence of sexual assault victims. One of the most important areas of progress recognised that sexual assault victims might not act in a particular manner when faced with rape.

However, after affirming the lower court’s decision that the doctor’s erectile dysfunction created a reasonable doubt of the offence, the appeal court proceeded to perform a slam dunk on the victim’s testimony:

  • The victim should have realised right at the point where she saw the doctor’s penis that this was not a medical procedure.
  • Since the victim was a university student, she should have known that she was being raped rather than having a medical procedure performed on her. It must have displaced her trust in her GP.
  • The offence could not have taken place because it took place in a clinic, with other patients and staff outside the room. Anyway, the victim should have screamed for help.
  • When the victim talked to her mother about the incident in the morning, she could and should have told her she was raped.
  • The victim got the layout of the consultation room wrong.
  • When the victim sought an opinion from another doctor of her lump, she should have mentioned the GP’s first opinion.

I am afraid that this does sound like the Court arguing in hindsight. An outlier?

A distinction without a difference

The court rationalises the distinction between holding that a sexual assault victim should have done with what happened here like this:

The question here is not so much one that concerns a victim’s reaction to a sexual assault after the trauma of the incident; rather, it is the credibility of a victim’s claim of what she thought was happening, while it was happening. Further, this was not in terms of fine details such as what the offender was wearing or what his position was, or how long the incident lasted, but at the most basic level, of whether a sexual assault was taking place at all. – Public Prosecutor v Wee Teong Boo and other appeal and another matter [2020] SGCA 56 at [58]

With respect, this distinction is really difficult to apply. What do we expect the victim to do? Is she supposed to realise at the point where a sexual assault is taking place to act like it? Or was the victim supposed to say at the trial that she genuinely believed that there was a sexual assault? All this demands that assault victims act in a particular way for the court to believe them.

Let’s take a step back. The court had medical evidence that the accused had erectile dysfunction. It said he couldn’t maintain an erection good enough to penetrate a virgin. That raises a reasonable doubt whether the accused could have raped the victim. Shouldn’t that be enough to acquit? Why did the court see the need to assess the victim’s testimony so harshly?

I’d wager that it was because the victim’s evidence was convincing. The court below found it clear and without embellishment. How could a convincing witness tell a story so different from what the evidence establishes?

Should we believe an “unusually convincing” witness if the facts go against her?

This brings us to Rashomon.

For readers who have no idea what one of the greatest movies in the history of the world is about, Rashomon revolves around a court hearing of a murdered samurai. We hear from the stories of the bandit accused of killing him, his mistress and even the dead samurai’s ghost. While their stories agree on critical aspects, there are particular details which are so different that they completely recast the story. Are these people telling the truth? They all looked convinced that they are.

Rashomon suggests that people can convincingly tell different versions of the same event because they are motivated by self-interest. However, people may also do so because they genuinely believed that it happened to them.

Does accepting that an unusually convincing witness can be wrong mean that men can be convicted of rape by good storytellers? It’s important to note that this isn’t the case because of the reasonable doubt created by the erectile dysfunction. I have my own ideas of what can be done, but I think it would be better for the courts and opposing lawyers to figure that out.

However, dismissing an “unusually convincing” witnesses’ testimony on such dubious grounds does a disservice to other victims by creating a vector through which lower courts can be persuaded to dismiss testimony. I am afraid this is clearly a step backwards.

This decision deserves to be nominated for an Alamak award.

#Singapore #Law

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

Apparently it’s one year late, but there’s a new article on the Singapore Academy of Law Journal titled “ The Development of Singapore Law: A Bicentennial Retrospective “. It celebrates the autochthonous development of law in Singapore. I am not so interested in that — I was looking forward to the pretty data visuals which the authors used to illustrate their points.

Pretty Graphs for everyone

The article has the look and feel of a grand project. Lawyers and law academics are great at expressing themselves with words. You will find a gigantic 87-page long article with an upbeat and celebratory tone.

Thus, I was pleasantly surprised that the article contains some of the best data visualisations I have seen in an article about law. When you get to it of course. (If you are a fan of data visualisations like me, check out FiveThirtyEight’s yearly feature)

Here’s one of my favourite graphs:

Phang Goh and Soh “THE DEVELOPMENT OF SINGAPORE LAW: A BICENTENNIAL RETROSPECTIVE” at paragraph 62/page 32.

This graph shows the proportion of foreign and local cases cited in each year. As you can see from the outer rings, the proportion of local cases being cited to the Court have increased. I wished they chose a different colour combination, but it’s still gorgeous.

Here’s a list of interesting graphs you can check out in the article:

  • A stacked bar graph showing an explosion of cases cited to the supreme courts in Singapore (paragraph 56)
  • A line graph showing the increasing trend of longer reported cases in Singapore (paragraph 60).
  • A heatmap showing the increasing number of Singapore cases cited in foreign jurisdictions (Paragraph 75)

If you are aware of the Supreme Court’s work, the article’s conclusions on the development of Singapore law are not surprising. However, having these conclusions quantitatively assessed and described in graphs is a great bonus!

Data collection methodology

If you are reading the article, don’t miss Appendix A (it is right after the ‘Concluding Thoughts’). It describes the data collection methods and practices the authors used to produce the visuals in the article. Given the rarity of computational law articles in Singapore, this is probably the first time many lawyers will find out how data is collected for a project like this.

Fun fact: the article states that Python regular expressions were used to extract citations from the judgement text. I guess (and this is the one I used for extracting my projects) is:

([\d{4}])\s+((?:\d\s+)?[A-Z|()]+)\s+[?(\d+)]?

Even though the article is very long, the methodology of how the data was collected for this project is short. If you are very interested, you should refer to one of the author’s earlier work. It’s less ambitious but contains much more detail on how it was done.

Concluding thoughts

The authors state that all information for post-independent reports “were readily machine-extracted from the data structure of the HTML judgments we were authorised to download from LawNet”. Given the trouble I am having splicing PDF files now, I am pretty jealous they could just pull out the information from tags. I have never asked LawNet for permission to mass-download judgements, since I am opposed to the idea for asking for permission for data that should be in the public domain. This just goes to show how inaccessible legal data is in Singapore.

Anyway, I am going to be happy with what I can get. Here’s a previous graph I made from my data. It looks pretty to me too!

It’s pink. What more can I say?

With the publication of such articles, I hope that there is more place for computation analytics in the legal domain. What do you think?

#Singapore #Law

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

Update 31/5/2021: As of 1 February 2021, the revised (or updated as they call it) PDPA has been enacted substantially. The post has been updated to highlight areas which are still not effective as of May 2021.

I thought the break in the PDPC’s monthly release of decisions since March was due to office closure from COVID-19. Here is a new excuse. After what seems like an eternity of consultations, we have the text of the Amendment Bill. This will be the first substantial revision of Singapore’s Personal Data Protection Act.

Here is a summary of what I believe are the key points.

Mandatory Data Breach Notification is here

A vast majority of enforcement decisions from the PDPC concern data breaches. A vast majority of public reporting also concerns data breaches. Data breaches are the biggest source of liability for companies. However, enforcement action and liability depended on complaints. It is a bit like see no evil, hear no evil.

If organisations were required to report data breaches, this would greatly increase their exposure. For many organisations who merely comply with the minimum requirements of the PDPA, they will need to introduce new policies and processes to address what to do in a data breach.

Organisations working on behalf of public agencies no longer exempted

Following the data breaches in public health and questions regarding the private and public divide in the PDPA, the PDPA now covers organisations working on behalf of public agencies. More organisations will be included under the PDPA since the government is much involved in Singaporean’s lives through private companies. Together with a push from the government, this means that more organisations will be accountable under the PDPA.

Here’s another (underreported) change following from the debacles. The Amendment bill now introducesoffences for private-sector employees who mishandle information. This tracks the Public Sector Governance Act, which covered public sector employees.

The PDPA gets PersonalThoughts, stories and ideas.Love.Law.Robots.Houfu

Voluntary Undertakings now part of PDPC’s enforcement

I have always been very sceptical of the use and the focus on financial penalties. When the PDPA first came out, the headline number of $1 million was a pretty big deal. The GDPR already provides penalties that are way higher than that. Furthermore, in practice, hardly any organisation got a six-figure penalty. Singhealth remains an outlier. If your goal is to not pay a high penalty, you will hire better lawyers, not data protection officers.

Therefore I am excited about voluntary undertakings, as they are the teeth of the accountability principle. There have been very few decisions which apply this uncommon enforcement method. Hopefully, as has been the case with anti-corruption in the US, a focus on entrenching good practices is encouraged. At the very least, such enforcement will encourage the hiring and involvement of data protection officers.

Oh, and by the way, the amendment increases the penalties that the PDPC can impose. It has now increased to 10% of the organisation’s annual gross turnover or $1 million, which ever is higher. As I mentioned, all this is rather theoretical given the enforcement standards so far. [ Update: This is one of the changes which are not effective as of 1 February 2021, presumably due to COVID. Quite frankly the pudding is in the enforcement, not how high it can go.]

Will Increased Penalties Lead to Greater Compliance With the PDPA?When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order.Love.Law.Robots.Houfu

Given the “lawful purposes” approach followed by the GDPR, the increased emphasis on consent under the Amendment Bill seems quaint. “Deemed” consent will be expanded to new situations. You can argue that “deemed consent” is fictitious consent, whereby organisations just tick a few action boxes to do what they want.

Making sense of the latest PDPA amendments to the Consent ObligationI consider the new amendments to the Consent Obligation under the PDPA with a flow chart.Love.Law.Robots.Houfu

Do note that a “lawful purpose” features in the amendment bill. “Legitimate interest” is termed as an “exception” here. There is a balancing effort between what the organisation would like, and the risk and benefit to the public and individual. Is this a peek in the curtain? Will the “legitimate interest” exception swallow consent?

In any case, the PDPA still relies on consent, huge exceptions and “reasonableness”. This bill does not bring the PDPA to the 21st century. Singapore risks being left behind against other countries which adopted GDPR like laws.

Data Portability

Data portability allows individuals to request an organisation to transmit a copy of their personal data to another organisation. It now gets its own section in the PDPA.

As a bit of a geek, of course I am very excited about “data portability”. However, implementation matters, and I am not sure organisations are motivated enough to put up the structures that will make this work. My developer experience playing with bank APIs have not been positive.

[ Update: This is one of the changes which are not effective as of 1 February 2021.]

Conclusion

I don’t think I have covered all the changes in detail. Some changes need their own space, so I would be writing new posts and updating this one. Passing the act will still require some more time. Did anything else catch your eye?

[ Update : The act was passed and the provisions noted here are substantially effective]

#Privacy #Singapore #Features #ConsentObligation #DataBreach #DataPortability #Enforcement #Government #LegitimateExpectations #Notification #OpennessObligation #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu

Feature image

I have written a fair number of wills and been involved in a little bit of litigation in my past life. I think I met with all sorts of strange requests, and seen how they can end.

This is a common request I used to receive. There’s usually a long story to do this (but honestly I don’t care). In the end, the person says she is well justified to cut Mr ABC out of his estate. Since it is your estate, you are of course free to do what you want with it. If you want to settle scores, be my guest.

However, as a learned human being, I would discourage using a will for such purposes. When people do things out of spite, they often regret it on further reconsideration.

VFD and another v VFF and others

Here is a much better reason and a stark warning: In VFD and another v VFF and others [2020] SGFC 10 (a PDF copy is available for personal use only since the link is ephemeral):

  • A family quarrel gets so bad that one sibling sends a lawyer’s letter to her other siblings. After this, the family hardly speaks to each other.
  • In the trenches of family warfare, two siblings find themselves on the same side when they were not close before.
  • One of the siblings realises she is dying of cancer. The Testatrix decides to reward the Beneficiary by giving all she can to them in a will. The Testatrix instructs the Beneficiary not to inform the rest of the family of her impending death.
  • The Beneficiary follows her instructions and effects her wishes in her will. The other family members find out of the death of their sister through third parties.
  • The other family members now claim that the surviving sibling took advantage of the testator. It’s an ugly trial. The court dismissed the other family members’ claim for a lack of evidence. As described by the court, “their conclusions were based not so much on evidence, but on hearsay, opinion, imagination, as well as their own sense of morality and justice over how the estate of the Testatrix should be distributed, to perhaps balance their unwritten “messy family” ledger.”

It’s fascinating how threadbare the case brought by the other family members. This kind of cases aren’t cheap. When litigation is driven by hatred like this, they can’t be mediated or resolved rationally. Hell, I am not even sure this is the last shot.

It doesn’t end well…

Wills serve several purposes. Financial provision for minors and dependents. Peace of mind for the end of life. It also affects the relationships of the survivors, especially your family members.

I cannot imagine that the Testatrix in VFD planned for her siblings to fight tooth and nail against each other over her will. However, by favoring one sibling over all others, it became a slight or a testament of their failed relationship to the others.

In conclusion, it’s of course your money and you can do what you want with it. However, please spare a thought for the living who have to live through what you wrote in your will.

#Law #Singapore #Wills

Author Portrait Love.Law.Robots. – A blog by Ang Hou Fu