Key amendments to the Singapore Personal Data Protection Act would take into account technological advances, new business models, and global developments in data protection legislation.
Following a public consultation conducted by the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) on the draft Personal Data Protection (Amendment) Bill from 14 to 28 May 2020, the proposed amendments to the Singapore Personal Data Protection Act (PDPA) were introduced in the Singapore Parliament by the Minister for Communications and Information on 5 October 2020.
Key Proposed Amendments
The proposed amendments seek to take into account technological advances, new business models, and global developments in data protection legislation. There are four key areas of amendments:
- Strengthen the accountability of organisations by including a mandatory data breach notification requirement
- Enable meaningful consent for the collection, use, and disclosure of personal data
- Provide greater consumer autonomy over personal data by introducing a new data portability obligation and increasing protection from unsolicited messages
- Strengthen the effectiveness of the enforcement efforts of the PDPC by providing for an increase in the cap on financial penalties
Mandatory Data Breach Notification
Currently, the PDPC encourages organisations to make voluntary notifications on the occurrence of a data breach. However, there is no express requirement in the PDPA requiring organisations to do so.
The bill proposes to make it mandatory for organisations to report notifiable data breaches.
- Organisations are required to notify the PDPC and affected individuals if the data breach results in, or is likely to result in, significant harm to the affected individuals (e.g., compromised credit card numbers, drivers’ licence numbers, and NRIC numbers).
- Organisations are required to notify the PDPC if there is a data breach of a significant scale (proposed to be a data breach affecting 500 or more individuals), subject to some exceptions (e.g., where the organisation has taken remedial action, where the compromised personal data is subject to technological protection such that the breach is unlikely to result in significant harm to the affected individuals, or where the organisation is instructed by law enforcement agencies or the PDPC not to notify individuals).
Where an organisation has reason to believe that a data breach has occurred, it must conduct, in a reasonable and expeditious manner, an assessment as to whether it is a notifiable data breach.
If the notification criteria are met, the organisation must notify the PDPC as soon as practicable, but no later than 72 hours after the organisation has assessed that a notifiable data breach has occurred, and must notify the affected individuals as soon as practicable.
Expanded Scope of Deemed Consent
To facilitate the collection, use, or disclosure of personal data for legitimate interests and business purposes, in particular where there are wider public or systemic benefits, the bill seeks to expand the scope of “deemed consent” under the PDPA and introduce new exceptions to the requirement to obtain consent from individuals before collecting, using, or disclosing their personal data.
The bill seeks to widen the scope of “deemed consent” under the PDPA to cover these circumstances:
- Where the collection, use, or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction.
- Where individuals have been notified of the purpose of the intended collection, use, or disclosure of their personal data and are given a reasonable opportunity to opt out (and have not opted out).
The bill also seeks to allow organisations to collect, use, or disclose personal data without having to obtain consent from the individuals in two additional circumstances:
- Where it is in the legitimate interests of the organisation and the benefit to the public is greater than any adverse effect on the individual.
- Where it is for business improvement purposes (e.g., for operational efficiency and service improvements, developing or enhancing products or services, knowing the organisation’s customers). It is also intended that this exception will apply to the collection, use, and disclosure of personal data by related corporations within a group, with additional safeguards and conditions to be satisfied.
Data Portability Obligation
The bill proposes to introduce a new data portability obligation to provide consumers with greater autonomy over their personal data, enable consumers to switch to new service providers more easily, and also support the development of new and innovative services or applications as organisations will have more access to data.
Under the new data portability obligation, an organisation must, at the request of an individual, transmit his or her personal data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format.
There will, however, be exceptions to the data portability obligation. For example, the obligation only applies to data which is provided by the individual or is data about the individual created in the course of the individual’s use of the relevant product or service. Data which is derived by the organisation in the course of business from other personal data will not be covered. The individual exercising the right must also have an existing, direct relationship with the organisation, the data must be in electronic form, and the receiving organisation must generally have a presence in Singapore.
Expanded Protection from Unsolicited Messages
The sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software will be prohibited under the Do Not Call provisions of the PDPA.
The Spam Control Act will also be amended to cover commercial text messages sent to instant messaging accounts and in bulk.
Increase in Financial Penalty Cap
Currently, the maximum financial penalty for a breach of the provisions of the PDPA is S$1 million. To serve as a stronger deterrent, the bill seeks to increase the financial penalty to (1) up to 10% of an organisation’s annual turnover in Singapore; or (2) S$1 million, whichever is higher. For breach of the Do Not Call provisions of the PDPA, the MCI and PDPC intend to introduce tiered financial penalty caps, aligned with the egregiousness of the breach.
Currently, in determining the financial penalty quantum, the PDPC considers factors such as whether the organisation took any action to mitigate the effects of the data breach and the type and nature of the personal data affected. Some of these factors are listed in the Guide on Active Enforcement issued by the PDPC. To provide additional clarity and regulatory certainty, the MCI and PDPC intend to set out in the PDPA a non-exhaustive list of factors that the PDPC would consider, and give weight to as appropriate, when determining the quantum of financial penalty to impose.
The bill will be debated at the next parliamentary sitting. If passed, it will be the first amendment to the PDPA since it was enacted in 2012. Organisations should do the following:
- Review existing data protection policies and procedures to ensure compliance with the upcoming changes to the PDPA
- Ensure that the relevant agreements entered into with external vendors or data intermediaries contain the necessary undertakings and indemnities to protect the organisation’s interests in the event of a data breach
- Implement the necessary procedures and technical arrangements that will be needed to comply with the new data portability obligation