The Singapore Personal Data Protection Act (PDPA) was recently amended, with the latest amendments taking effect on 1 February 2021. This article examines some of these changes and their potential impact.

Amongst other changes, the amendments introduced a mandatory data breach notification, criminal offences, changes concerning consent and data portability, and higher penalties for contravening the PDPA. Here we take a more detailed look at the changes and the most frequently asked questions they raise.

Introducing a mandatory data breach notification obligation

What constitutes a notifiable data breach?

A data breach that:

  • results in or is likely to result in significant harm to an affected individual; or
  • is or likely to be of a significant scale.

Generally, data breaches involving prescribed personal data are deemed to result in significant harm to an individual, so they are notifiable. Prescribed personal data includes individuals’ full name or full national identification number, together with details of their wages, income, bank account numbers, net worth and financial transactions.

A data breach is deemed to be of a significant scale (and therefore notifiable) if the data breach affects 500 or more individuals.

Who must be notified?

When an organisation assesses that a data breach is notifiable, the Personal Data Protection Commission (PDPC) must be notified as soon as is practicable, and in any event within three calendar days of the organisation’s assessment.

Affected individuals must also be notified if the data breach is likely to cause them significant harm.

Introduction of criminal offences

What are the offences?

Knowingly or recklessly committing any unauthorised:

  • disclosure of personal data
  • use of personal data for wrongful gain or causing a wrongful loss to any person
  • re-identification of anonymised data.

What are the penalties?

A maximum fine of SGD 5,000 or a maximum two years imprisonment or both.

Expanding the deemed consent framework

What are the new ways that consent can be deemed as given?

(i) Contractual Necessity

There is where an organisation has a reasonable need to disclose to other organisations the personal data originally disclosed to it by an individual, to perform a transaction between the individual and the original organisation.

(ii) Notification

An individual’s consent can be deemed as given, if they have been adequately notified by an organisation and given a reasonable opt-out period, but has not taken any action to opt out of the collection, use or disclosure of their personal data.

Deemed consent by notification cannot be used for sending direct marketing messages.

Expanding the exceptions to consent requirement

What are the new exceptions that remove the need for consent?

(i) Legitimate Interests

These are the lawful interests of an organisation or another person, which the organisation has assessed to clearly outweigh any likely adverse effect to the individual. Examples of such legitimate interests include for evaluations, investigations or proceedings, or for recovering debts.

(ii) Business Improvement

This exception includes:

  • Helping the organisation improve, develop or enhance its products and services or to help it better understand existing or prospective customers, so it can offer more personalised products and services.
  • This exception can be used by entities in a group of companies who intend to share customer data within the group. However, it cannot be used for sending direct marketing messages, and organisations must obtain individuals’ express consent.

(iii) Research purposes

To enable organisations (e.g. commercial laboratories, institutes of higher learning, and market research companies) to conduct broader research and development that may not have any immediate application to their products, services, business operations or market.

The other notable upcoming changes

These cover increased financial penalties and the right to data portability. Although Parliament has passed these changes, they are currently not in force. However, as we expect them to take effect within the upcoming months, it would be useful to take note of them.

What are the increased financial penalties?

The maximum financial penalty for contravening the PDPA will increase to up to 10% of an organisation’s annual turnover in Singapore, or SGD 1 million, whichever is higher.

What is the right to data portability?

If an individual requests it, an organisation that possesses or controls that individual’s personal data must send it to another organisation in a common machine-readable format.