Updated: Nov 23, 2020
Singapore has introduced several significant changes in a long-awaited overhaul of the Personal Data Protection Act 2012 (PDPA) to bring the law in closer alignment with the nation’s digital agenda and global privacy norms. These amendments are the result of a further three public consultations on the key policy positions between 2017 and 2019 so these changes have been anticipated for a long time in Singapore and in the region more broadly. Many of the amendments are seen as being business friendly while strengthening the accountability of organisations for personal data in their possession or under their control. The amendments also add flexibility and clarity to the PDPA. The commencement date of these amendments has not yet been announced and the accompanying regulations and guidelines have not yet been published. The key changes affecting organisations that are proposed in the Bill are summarised as follows: Mandatory Data Breach Notification Organisations will now be required on a mandatory basis to notify the Personal Data Protection Commission (PDPC) and affected individuals when a notifiable data breach has occurred reflecting best practice in data protection globally. A data breach will be notifiable to PDPC if it (i) results in, or is likely to result, in significant harm to the individuals to whom any personal data affected by a data breach relates; or (ii) affects a minimum number of individuals to be prescribed in the regulations that are yet to be published. PDPC has indicated that this would be data breaches affecting 500 or more individuals. Organisations will also be required to notify affected individuals if the data breach is likely to result in significant harm to them. Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. Where a data breach meets the criteria for notifying PDPC, the organisation must notify PDPC as soon as practicable and no later than three calendar days after the organisation conducts such assessment. Organisations must also notify all affected individuals on or after notifying PDPC. PDPC makes it clear that the expectation is not for notifications to PDPC and affected individuals to be made at the same time. However, PDPC must be notified before or at the same time as affected individuals are notified, to allow PDPC to assist affected individuals who contact PDPC once they are notified. Data intermediaries (or processors) will be required to notify the organisation without undue delay from the time it has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of such organisation. Increase in penalties:
Increase in maximum financial penalty - the Bill increases the maximum financial penalty for data breaches under the PDPA to (i) up to 10% of an organisation’s annual gross turnover in Singapore; or (ii) S$1 million, whichever is higher. This moves Singapore closer to data privacy regimes like the EU GDPR however the turnover is limited to domestic turnover, rather than global turnover. New offences for individuals – the Bill introduces a fine of up to $5,000 or to imprisonment of up to 2 years (or both) to hold individuals accountable for knowingly or recklessly disclosing, using or re-identifying personal data when they are unauthorised to do so. Such individuals could include employees of an organization or public agency. New grounds for processing data without consent: Legitimate interests exception – this exception will allow organisations to collect, use or disclose personal data without obtaining the consent of the individual where it is in the legitimate interests of the organisation and the benefit to the public is greater than any adverse effect on the individual. PDPC provides some examples where this could apply, including for detecting or preventing illegal activities (e.g. fraud and money laundering) or threats to physical safety and security, ensuring IT and network security and preventing misuse of services. The Bill requires organisations to conduct a specific assessment to determine whether this exception would apply in a particular situation and also to specifically notify the individual of their reliance on this exception. Business improvement exception – this exception will allow organisations to use personal data without obtaining the consent of the individual for the following business improvement purposes: (i) to improve or enhance any goods or services provided by the organisation, or develop new goods or services; (b) to improve or enhance the methods or processes, or develop new methods or processes, for the operations of the organisation; (c) to learn about and understand the behaviour and preferences of the individual or any other customer of the organisation in relation to the goods or services provided by the organisation; (d) to identify goods or services provided by the organisation that may be suitable for the customers of the organisation other than individual customers. Organisations will be able to rely on this exception only if the business purpose cannot be achieved without the use of personal data in an individually identifiable form and such use does not have any adverse effect on the individual. Expansion of deemed consent – the Bill expands the existing concept of “deemed consent” under the PDPA. Deemed consent will now include: Deemed consent by contractual necessity – where an individual has provided personal data to an organisation with the view to entering into a contract with that organisation, consent is deemed to have been given to the organisation for the disclosure to and use of the personal data by a third-party, and that third-party’s collection and use of the personal data, where it is reasonably necessary for the conclusion or performance of a contract or transaction between the individual and the organisation. Deemed consent by notification – consent may be deemed to be given if (a) the organisation notifies the individual of the purpose of the intended collection, use or disclosure of his/her personal data, with a reasonable period for the individual to opt-out of the collection, use or disclosure of his/ her personal data for that purpose; and (b) the individual did not opt-out within that period. In order to rely on this deemed consent, organisations must conduct an assessment to determine that the intended collection, use or disclosure of personal data is not likely to have any adverse effect on the individual and satisfy other requirements to be prescribed in the regulations.
Data portability obligation An organisation that is prescribed in the regulations or belongs to a class of organizations that is prescribed in the regulations (a porting organization), will now be required to transmit a requesting individual’s personal data to another organisation that has a presence in Singapore. The obligation will apply to personal data in the possession or under the control of the porting organisation if such personal data belongs to a class of personal data that is prescribed in the regulations and if the requesting individual has an ongoing relationship with the porting organisation. The data portability rule does not apply to certain types of data listed in a schedule to the Bill, including “derived personal data” which means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual. In addition, an organization is not required to port data if (a) it will unreasonably interfere with the operations of the porting organisation because of the repetitious or systematic nature of the data porting request, (b) the burden or expense of transmitting the applicable data is unreasonable to the porting organisation or disproportionate to the individual’s interests, (c) the data porting request relates to applicable data that does not exist or cannot be found or is trivial, or (d) if the data porting request is frivolous or vexatious. The technical and process details of porting data are yet to be provided in the regulations, which the consultation paper has indicated could include data formats and transfer protocol. 4 Key Takeaways for Organisations Significant data breaches will need to be notified Breaches of the PDPA will carry higher financial to the PDPC and the affected individuals penalties for organisations (up to 10% of domestic turnover) and possible offences for its employees Please click the image to enlarge.
For further information, please contact:
Clare Harris, Associate, Linklaters