The Personal Data Protection (Amendment) Act 2020 ("Amendment Act"), which was passed in Parliament on 2 November 2020, is set to take effect in phases. On 1 February 2021, the implementation of the amendments entered its first phase, with the first batch of amendments coming into operation.
The Amendment Act marks the culmination of a series of reviews and public consultations, and introduces a raft of changes to the Personal Data Protection Act 2012 ("PDPA"). The amendments seek to enhance the PDPA and strengthen organisational accountability and consumer protection, while giving organisations the confidence to harness personal data for innovation. This is the first comprehensive review of the PDPA since its enactment.
In this Update, we highlight the changes in the Amendment Act which have taken effect in this first phase of implementation, and summarise the changes which have yet to come into operation.
For more information on the scope of the changes in the Amendment Act and the Advisory Guidelines on the amendments, please see our earlier Client Updates on "Amendments to the Personal Data Protection Act – Key Implications for Organisations in Singapore", available here, and "Draft Advisory Guidelines on the Key Amendments to the Personal Data Protection Act" available here.
The Amendment Act aims to:
- Strengthen organisational accountability;
- Enhance consumer autonomy;
- Enhance effective enforcement; and
- Enable data use and innovation by organisations.
The first set of amendments has come into operation via the Personal Data Protection (Amendment) Act 2020 (Commencement) Notification 2021, which was gazetted on 29 January 2021. Accompanying regulations have also been introduced to support these amendments, including the following:
- Personal Data Protection Regulations 2021
- Personal Data Protection (Enforcement) Regulations 2021
- Personal Data Protection (Notification of Data Breaches) Regulations 2021
- Personal Data Protection (Appeal) Regulations 2021
- Personal Data Protection (Composition of Offences) Regulations 2021
To help organisations with compliance, the Personal Data Protection Commission ("PDPC") has updated the following resources:
- Advisory Guidelines on Key Concepts in the Personal Data Protection Act
- Advisory Guidelines on the Do Not Call Provisions
- Advisory Guidelines on Enforcement of Data Protection Provisions
First Phase of Changes
In this section, we highlight the amendments which have come into effect from 1 February 2021.
- Organisational accountability
Mandatory breach notification
Under the new mandatory data breach notification system, once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether a data breach meets the criteria for notification.
Organisations which discover a data breach must notify the PDPC if the breach:
- is likely to result in significant harm to the individuals whose personal data is affected by the breach; or
- is of a significant scale (not fewer than 500 individuals).
Organisations must also notify the affected individuals once they have assessed that the breach is one that is likely to result in significant harm to those individuals. Notification to the PDPC must be made as soon as practicable, and in any case no later than three calendar days after the organisation assesses that the breach is notifiable; affected individuals must be notified at the same time as, or after, the PDPC is notified.
The amendments insert an explicit reference to accountability in Part III of the PDPA. This emphasises that organisations are accountable for personal data in their possession or under their control.
Mishandling of personal data
Organisations acting on behalf of public agencies are no longer excluded from the ambit of the Data Protection Provisions in relation to the collection, use and disclosure of personal data. New offences have also been introduced to hold individuals (including employees and service providers) liable for the knowing or reckless unauthorised handling of personal data, subject to certain defences and safeguards.
- Consumer autonomy
The system of control over unsolicited commercial messages under the PDPA and the Spam Control Act ("SCA") has been enhanced. The sending of unsolicited messages to telephone numbers obtained through dictionary attacks (generating numbers by permutation) or address-harvesting software (collecting numbers from the Internet) is now prohibited under the PDPA's Do Not Call Provisions. The SCA has also been amended to cover commercial text messages sent in bulk and to Instant Messaging accounts (such as WhatsApp, WeChat and Telegram).
- Effective enforcement
Voluntary undertakings
The PDPC has been empowered to accept and enforce voluntary undertakings from organisations in lieu of a full investigation. Organisations which are in breach of the Data Protection Provisions may voluntarily commit to take specified action, or refrain from taking specified action, in relation to the requirements, as well as to publicise the voluntary undertaking.
Alternative dispute resolution
The amendments establish a system of alternative dispute resolution to manage data protection complaints. The PDPC is empowered to direct complainants to resolve disputes via mediation, without the need to secure consent of both parties to the dispute, and to establish dispute resolution schemes for such purpose. Furthermore, the PDPC may compel the attendance of witnesses and the provision of documents and information, with non-compliance constituting an offence under the amended PDPA.
Do Not Call breaches
The amended PDPA places Do Not Call breaches under a civil administrative regime, similar to that for data protection breaches. Egregious conduct, such as the use of "robocalls", attracts higher financial penalties.
- Data use and innovation
Business improvement exception
Subject to certain conditions, organisations may use personal data without consent for relevant purposes, including the improvement or enhancement of any goods or services, or methods or processes for operations, and for learning about and understanding customers' behaviour and preferences.
Research & development exception
The requirements for using personal data for research and development without consent have been eased, subject to certain conditions. These conditions include that the use of the personal data has a clear public benefit, that the results of the research will not be published in a form which identifies any individual, and that the results will not be used to make any decision that affects the individual.
Legitimate interests exception
Organisations may collect, use or disclose personal data without consent where it is in the legitimate interests of the organisation or another person, and the legitimate interests outweigh any adverse effect on the individual. The organisation must, before relying on this exception, conduct an assessment to determine whether the specified requirements are satisfied. However, this exception does not apply to sending direct marketing messages to individuals.
Where personal data is provided to an organisation by a customer or potential customer, the organisation may rely on the customer's deemed consent to disclose the personal data to its partners or contractors where reasonably necessary for the conclusion or performance of the contract with the customer (or potential customer). This recognises the multiple layers of outsourcing that are common today.
Changes Not Yet in Force
Some of the changes contained in the Amendment Act have not been included in this first phase of implementation. In this section, we highlight two of the notable changes which have yet to come into force.
- Data portability
The Amendment Act contains a set of Data Portability provisions which provide an avenue for individuals with an ongoing relationship with an organisation to request that their personal data be transmitted, in accordance with prescribed requirements, to a receiving organisation. The receiving organisation must be formed or recognised under the law of Singapore or a prescribed foreign country, or be resident or have a place of business in Singapore or a prescribed foreign country. The Data Portability obligation applies only to applicable personal data held in electronic form.
An organisation would not be required to transmit the personal data if doing so would be contrary to the national interest, or would cause grave or immediate harm to, or threaten the safety or physical or mental health of, the requesting individual or any other individual. An organisation would also not be required to transmit the personal data if the request is frivolous or vexatious, if it would unreasonably interfere with the organisation's operations because of the repetitious or systematic nature of the request, or if the burden or expense of transmitting the data is unreasonable or disproportionate to the individual's interests.
- Enhanced penalties
The Amendment Act provides for an increase in the maximum financial penalty for breaches of the Data Protection Provisions, which is currently capped at S$1 million. When the enhanced penalty provisions come into effect, the maximum financial penalty will be (a) for an organisation with annual turnover in Singapore exceeding S$10 million, 10% of that turnover; or (b) in any other case, S$1 million.
Currently, for a breach of the prohibition against the use of dictionary attacks and address-harvesting software, the maximum penalty is S$200,000 for individuals and S$1 million in any other case. When the enhanced penalty provisions come into effect, the maximum penalty for a person whose annual turnover in Singapore exceeds S$20 million will be increased to 5% of such turnover.
The amendments to the PDPA demonstrate the PDPC's ability to recognise and account for advancements in technology and the proliferation of digital tools in the course of business and commerce. The PDPA is expected to continue to develop to keep pace with industry norms and practical realities.
Organisations should take note of the amendments that have come into force and ensure that their internal data protection and cybersecurity policies, training materials, and the documented roles and responsibilities of their Data Protection Officers are updated to comply with the amended PDPA.