Updated: Dec 22, 2020
Singapore’s Personal Data Protection Act 2012 (PDPA) is now a fairly old piece of legislation relative to similar acts around the globe and advancements in use of data by commercial organisations. Amendments were approved by the Singaporean parliament on 2 November 2020 that look to keep pace with those advancements, to permit businesses to utilise them reasonably but to also retain the confidence of consumers in the security and responsible use of their data. The amendments also bring the PDPA into line with international norms on data protection legislation, allowing international organisations to adopt a more consistent compliance approach.
The amendments are comprehensive and will come into effect when published in the government gazette. Generally, no grace period has been provided for compliance, so we recommend that you react to these developments without delay. We have chosen to highlight certain amendments below that we believe will be of particular interest to you.

1. Increase in financial penalty caps

The maximum financial penalty for breaches of the PDPA has now been increased to SG$ 1 million, or 10% of the organisation’s annual turnover in Singapore where that turnover exceeds SG$ 10 million, whichever is higher. We understand that this penalty provision will not be enforced until one year after the amendments become effective. While these penalties are still not at the EU’s GDPR levels, they could become very substantial for organisations with significant Singaporean operations. They should, at the very least, prompt renewed attention to compliance, particularly in the light of the new compulsory requirement to notify certain data breaches discussed immediately below.

2. Mandatory notification requirements

The Personal Data Protection Commission (PDPC), which enforces the PDPA, must be notified of data breaches that are, or are likely to be, of significant scale. Suggestions are that this ‘significant scale’ means a breach affecting 500 people or more. The PDPC, and the affected individuals, must also be informed when a data breach results, or is likely to result, in significant harm to individuals (such as through identity theft or fraud, and encompassing physical, psychological, emotional, or financial harm). The aim here is to allow the individuals to protect themselves in response to notification of the breach, eg change passwords, cancel credit cards, etc.

Having said this, an organisation suffering a breach potentially causing significant harm does also have the option to swiftly undertake certain prescribed remedial actions, so that it becomes unlikely an individual will suffer significant harm. In that event, the requirement to notify the affected individual lapses, although the PDPC must still be informed. The onus is placed on organisations to promptly assess the scale and impact of data breaches, and react accordingly.

3. Data portability obligation

An individual now has the right to require that an organisation holding his/her personal data transfer it to another organisation. This follows the introduction of this right in various other countries and, in effect, it recognises the value personal data now commands in the commercial marketplace and allows individuals to accordingly take their data to different businesses, if they wish. This only applies to data in electronic form, where the organisation has an ongoing relationship with the individual and where the recipient is in Singapore or otherwise in another country prescribed by the PDPC. Once those conditions are met, the circumstances under which the organisation can deny the request are very limited. Incidentally, there is nothing preventing an organisation from charging for the data transfer, although we expect subsequent regulations to limit the amount chargeable.

4. New exceptions to consent - legitimate interests and business improvement

The general rule is that personal data may only be collected, used and disclosed with consent. Two important exceptions have been created:

(i) Legitimate interests

An organisation may collect and use personal data without consent if it is in the ‘legitimate interests’ of the organisation, and those legitimate interests outweigh any adverse effects on the individual. Legitimate interests may include fraud prevention/detection, for example where an insured’s claims history is assessed by an insurance company.

The organisation must conduct an assessment to understand the respective interests and adverse effects, and how the adverse effects may be reduced. In other words, it is effectively a balancing/weighting exercise for the organisation. It must also provide individuals with reasonable access to their data collected under the exception.

(ii) Business improvement

An exception has also been created that allows commercial organisations to, without consent, use personal data, or share it with a related commercial organisation, for ‘business improvement purposes’. These can be:
Improving, enhancing or developing goods or services
Improving, enhancing or developing operational methods or processes
Learning about and understanding the behaviour and preferences of individuals
Identifying goods or services that may be suitable for individuals, or personalising/customising them
Where the data is being shared under the latter two categories, the individual must be an existing customer of the disclosing organisation, and an existing or prospective customer of the related, receiving organisation. Further conditions, in all cases of sharing or use of personal data for business improvement purposes, are that: (i) the business improvement purpose cannot be reasonably achieved without sharing/using the data in personally identifiable form; (ii) the sharing or usage would be considered appropriate under a reasonable judgment; and (iii) in the case of data sharing, the sharing organisations are bound by contract or corporate rules that require appropriate safeguarding of the disclosed data by the recipient.

Neither of these exceptions can be utilised for sending direct advertising or marketing messages for goods/services/property. The general rule for direct marketing remains that an individual must expressly consent to it by an ‘opt in’.

5. Expansion of deemed consent

The circumstances under which a person can be deemed to have consented to collection, use and disclosure of his/her data have also been expanded in two ways:

(i) Contractual necessity: Where a person provides their data for the purposes of either entering into or performing a contract, the recipient organisation may deem consent to collect, use and disclose such data as reasonably necessary to enter into or perform that contract. For example, where a person hands over a credit card for payment for services, it is necessary for the recipient to collect, use and disclose personal data to financial services organisations to process the payment.

(ii) Notification: An organisation may also collect, use or disclose personal data after notifying its intention to do so and the reasons why, provided that (i) the individual does not object within a reasonable period, and (ii) the collection, use or disclosure is unlikely to have an adverse effect on the individual (eg if it is not sensitive data, and its use will not harm the individual). Put another way, this is deemed consent by the individual’s inaction.

6. Liability issues

A previous exclusion of liability for agents of government has been removed, meaning that private sector organisations can no longer evade liability under the PDPA on the grounds that they act on behalf of public agencies. New, personal criminal offences have been created for (a) unauthorised disclosure of personal data; (b) improper use of personal data that results in personal gain for the offender or another person, or harm or loss to another person; and (c) unauthorised re-identification of anonymised information. These amendments can then be used to effectively ‘pierce the corporate veil’ and prosecute, for example, employees who deliberately or recklessly mishandle personal data in a manner not authorised by the employer.

What you should do:
Consider how your business can benefit from the new exceptions to consent and the expansion of deemed consent.
Review your data privacy policies, statements and procedures to comply with these amendments.
Undertake PDPA training for staff, particularly highlighting the new personal liability issues, the data portability obligation, the mandatory notification requirements and what else needs to happen when a data breach of significant scale or causing significant harm occurs.
Review standard data protection clauses in your template contracts.
Review contracts with data intermediaries, particularly in terms of mandatory breach notifications.
For further information, please contact:
Jonathan Goacher, Partner, Hill Dickinson