Proposed Amendments to the Personal Data Protection Act (PDPA) in 2020

The public consultation has concluded and, pending the introduction of the Bill to Parliament, the Personal Data Protection (Amendment) Bill (“the Bill”) proposes significant changes to the PDPA in 4 key areas:

  1. Strengthening accountability;
  2. Enabling meaningful consent;
  3. Increasing consumer autonomy; and
  4. Increasing deterrence and strengthening enforcement powers.

(a) Strengthening Accountability

The Bill will introduce accountability as a key principle of the PDPA. This reflects the increased emphasis on accountability globally. Organisations must be accountable for personal data in their possession or under their control, and are expected to be able to demonstrate compliance.

(i) Mandatory Data Breach Notification

At present, the PDPA contains no express requirement for organisations to notify the PDPC or any other party when a data breach has occurred; the PDPC instead encourages organisations to make voluntary notifications. The Bill will introduce a mandatory data breach notification obligation. This will cover data breaches which result in, or are likely to result in, significant harm to an affected individual, or which are of a significant scale. Where the organisation has assessed that the data breach is a notifiable one, it must notify the PDPC within 3 calendar days of that assessment and, if necessary, the affected individual(s). Exceptions include scenarios where the organisation has already taken sufficient remedial action, or where the data was sufficiently encrypted.

Data breaches that constitute significant harm will likely include those which compromise sensitive categories of personal data, such as NRIC/FIN numbers, passport numbers, credit/debit card numbers, health insurance information, and medical history information.

Where the breach does not pose any risk of impact or harm to affected individuals but is of a significant scale (e.g. 500 or more affected individuals), organisations are only required to notify the PDPC of the breach.

Data intermediaries processing data on behalf of other organisations will be required to notify those organisations without undue delay, where they have reason to believe that a data breach has occurred.

(ii) New Offences Relating to Flagrant Mishandling of Personal Data

Individuals who handle or have access to personal data will be expected to be more accountable. The PDPC will introduce 3 new offences to directly criminalise the mishandling of personal data by individuals:

  • Knowing or reckless unauthorised disclosure of personal data.
  • Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person.
  • Knowing or reckless unauthorised re-identification of anonymised data.

This is a significant development in the safeguarding of personal data. Individuals found guilty of an offence will be liable to a fine of up to $5,000 and/or imprisonment for up to two years. This would include employees who act in contravention of an employer’s policies or act outside their scope of employment. As such, organisations are expected to enhance the role of the Data Protection Officer and focus on staff training and protocols.

(b) Enabling Meaningful Consent

The PDPA requires organisations to obtain consent for the collection, use or disclosure of personal data, subject to the exceptions currently set out in the Second, Third, and Fourth Schedules of the PDPA. It may not be possible for organisations to anticipate the specific purpose for each collection of data at the outset; neither is it always practical to seek express consent. To ensure meaningful consent by individuals, the PDPC will expand the concept of deemed consent.

Deemed Consent by Contractual Necessity

Consent will be deemed to have been given where data has been disclosed to, and used by, a third party organisation and it is reasonably necessary to conclude or perform a contract or transaction between the individual and the disclosing organisation.

Deemed Consent by Notification

Consent will be deemed to have been given where individuals have been notified of the purpose of the intended collection, given a reasonable opportunity to opt-out, and have not opted out. Under this approach, the organisation must conduct a data protection impact assessment, as an accountability measure to ascertain whether there will be any adverse impact on the individual. Organisations cannot rely on deemed consent by notification for purposes that are likely to have any adverse impact or consequences for the individual (e.g. direct marketing purposes). Express consent from the individual is required for direct marketing purposes.

Exceptions to the Consent Requirement

The Bill will introduce two new exceptions to the consent requirement, covering situations where there are substantial public or systemic benefits and where obtaining individuals’ consent may not be appropriate.

(i) Legitimate Interests Exception

This enables an organisation to collect, use, or disclose personal data where it is in the legitimate interest of the organisation and where the benefit to the public outweighs any adverse effect to the individual. This will facilitate information technology and network security, as well as prevent illegal activities such as fraud and money laundering. Organisations wishing to rely on this ‘legitimate interests’ basis must fulfil certain requirements, e.g. conducting a risk and impact assessment as prescribed.

(ii) Business Improvement Exception

Businesses will be able to use personal data, without having to obtain consent, for business improvement purposes, including improving operational efficiency, improving services, developing products or services, and getting to know customers better. The proposed business improvement exception applies only to the use of such data, and not to its collection or disclosure.

(c) Increasing Consumer Autonomy

A number of measures are being introduced to provide consumers with greater autonomy in respect of their personal data.

Data Portability Obligation

This will make it easier for consumers to switch service providers and avoid being “stuck with” a single provider. At an individual’s request, an organisation will be obliged to transmit all data about the individual that is in its possession or under its control, to another organisation in a commonly used machine-readable format. This will improve competition as it facilitates the movement of consumer data from one service provider to another. The requesting individual must have an existing, direct relationship with the organisation. Further, the receiving organisation must have a presence in Singapore.

The range of data covered by the data portability obligation includes all user-provided data and data generated by the individual’s activities in using the product or service. An important exception to the data portability obligation will relate to data which, if disclosed, would reveal confidential commercial information that could harm the competitive position of the organisation. The PDPC will have the power to review any refusal to port data, any failure to port data within a reasonable time, and the fees imposed for porting data.

Improved Controls for Unsolicited Marketing Messages

The Do Not Call (DNC) provisions in the PDPA and the Spam Control Act (SCA) will be amended to provide consumers with greater protection against, and control over, unsolicited marketing messages. The following measures will be introduced:

• The SCA will be extended to cover messages sent to instant messaging account platforms.

• The DNC provisions will be expanded to prohibit the sending of unsolicited messages to numbers obtained through the use of dictionary attacks and harvesting software.

• Obligations and liabilities will be imposed on third-party checkers to communicate accurate DNC register query results to organisations on whose behalf they are checking the register.

(d) Increasing Deterrence and Strengthening Enforcement Powers

In response to the growing threat of data breaches, the PDPA will be amended to ensure better deterrence and effective enforcement.

Increased Financial Penalties

Currently, the PDPC can impose a financial penalty of up to S$1 million, or issue other remedial directions to the organisation, for a data breach. The maximum financial penalty will be increased to 10% of an organisation’s annual gross turnover in Singapore, or S$1 million, whichever is greater.

Statutory Undertakings

The implementation of a data breach management plan can be the subject of a statutory undertaking. The PDPC will investigate the underlying breach if the organisation fails to comply with the statutory undertaking and the PDPC will be empowered with a range of options for enforcing breaches of statutory undertakings. This, together with mandatory data breach notification, will promote more accountable data protection practices.

Referrals to Mediation

The PDPC will be empowered to make referrals to mediation, without both parties having to consent. This will enable the PDPC to better manage the increase in data protection complaints/disputes.

The proposed amendments to the PDPA seek to balance the rights of the individual with the organisation’s needs for innovation, flexibility and greater business use of personal data, with an increased emphasis on accountability and responsibility, placing the onus on the organisation to make its own risk-based assessments.

Lisa Yeoh

Executive Leadership & Career Coach | Senior Accredited Board Director | ICF Singapore President Elect | Social Impact

4y

Great to see SG Gov not only seek feedback but seriously act on it. The proposed amendments are fantastic to continue safeguarding our personal data. Well done 👍🏼.

Chin Kwee Koh

Sustainability | Edge AI/ML | Data Analytics & Protection | Solution Architect | MBA Strategy Management | BEng

4y

👍

LOW KOK PENG

Exploring new opportunities; big or small

4y

With PDPA, we need to achieve a certain task with very minimum information acquired. Unsure that is sustainable if that minimum information is not clearly defined and managed. Stay Safe.

AL L

Respect is to be Earn not Given (Snr HR Business Partner & Corporate Services Global)HR Award, IHRP SP, MSHRI, FSM, (EHSS), CEI-KAH, RPA(HR), Generative AI, Blockchain for Business-15k++ connection

4y

Thanks for sharing

More articles by Patrick Tay Teck Guan