On July 27, 2017, the Personal Data Protection Commission (PDPC) initiated a public consultation to consider several significant proposed changes to Singapore’s Personal Data Protection Act 2012 (PDPA). Citing technological advances and global developments, the PDPC proposed changes that would have the effect of (1) broadening the circumstances under which organizations could collect, use and disclose personal data without consent and (2) imposing a mandatory data breach notification requirement in certain situations.
Changes to Consent Requirement
- The current PDPA requires organizations to obtain consent from individuals for the collection, use and disclosure of their personal information. However, given the volume of data being collected and the potential benefits from analyzing these data, the PDPC proposes not requiring consent in certain circumstances.
- First, if it is impractical for the organization to obtain consent and the collection, use and disclosure of personal data is not expected in any way to have an adverse effect on the individual, the PDPC proposes allowing organizations to provide appropriate notification (Notification of Purpose) in lieu of consent. Prior to relying on this approach, the organizations must conduct a risk and impact assessment and implement measures to mitigate such risks.
- Second, the PDPC proposes broadening the existing limited, express exceptions where organizations can collect, use or disclose personal data without consent. The PDPC proposes creating a catch-all “Legal or Business Purpose” exception to consent where (1) it is not desirable or appropriate to obtain the individual’s consent and (2) the benefits to the public generally or to a subset of the public “clearly outweigh” any adverse effect or risks to the individual. For example, this exception may apply if organizations would like to share personal data in order to detect and prevent fraudulent activity. As with the “Notification of Purpose” exception, organizations must conduct a risk assessment.
Mandatory Data Breach Notification
- The PDPC proposes modifying the existing voluntary approach to data breach notification. Consistent with international best practices, the PDPC proposes requiring mandatory data breach notification as follows.
  - If there is any risk of impact or harm to the affected individuals, organizations must notify them and the PDPC.
  - Even if the breach does not pose any risk of impact or harm to the affected individuals, organizations must still notify the PDPC where the scale of the data breach is significant (i.e., involving 500 or more individuals).
  - If required to notify, organizations must notify the PDPC within 72 hours and affected individuals as soon as practicable.
  - Data intermediaries must notify their client organizations of a breach immediately, regardless of the risk of harm or scale of the breach.
- The proposed changes would operate concurrently with any breach notification requirements under existing laws or regulations.
The public comment period ended on October 5. More details can be found at the website of the PDPC (https://www.pdpc.gov.sg/).