14 December 2020
Amendments to the Personal Data Protection Act and what it means for you
The Personal Data Protection Act 2012 (“PDPA”) governs the collection, use and disclosure of personal data by organisations in Singapore. The Personal Data Protection (Amendment) Bill (“Bill”), which seeks to amend the PDPA, was first introduced in Parliament on 5 October 2020 and subsequently passed on 2 November 2020.
We previously discussed the key proposed amendments to the PDPA (link) based on the draft Bill published by the Singapore Ministry of Communications and Information and the Personal Data Protection Commission of Singapore (“PDPC”) for public consultation on 14 May 2020.
In this briefing note, we summarise the key changes to the PDPA as passed by Parliament:
New mandatory data breach notification;
New offences relating to the mishandling of personal data;
Removal of exclusion for agents of public agencies;
Expansion of categories of deemed consent;
New exceptions to the consent requirement;
New data portability obligation;
Increased financial penalty cap for breaches; and
Additional rules on telemarketing and spam control.
Mandatory Data Breach Notification
Under the Bill, organisations are required to notify (a) the PDPC and (b) individuals whose personal data have been affected by the data breach, if either:
(i) the data breach results in or is likely to result in significant harm to the affected individuals; or
(ii) the data breach affects at least a certain number of individuals.
What constitutes “significant harm” has not been specified in the Bill but clarification will be provided in impending subsidiary legislation, which will also specify the numerical threshold in (ii) which, based on current indications, is likely to be 500.
Where an organisation has determined that a data breach is required to be notified, it must notify (a) the PDPC within 3 calendar days and (b) affected individuals (as the case may be) as soon as practicable.
There are two general exceptions to the requirement to notify affected individuals:
Remedial action has been taken in accordance with any prescribed requirements, that renders it unlikely that the data breach will result in significant harm to the affected individuals; and
Any technological measure has been implemented prior to the occurrence of the data breach, that renders it unlikely that the data breach will result in significant harm to the affected individuals.
In addition, the PDPC or a law enforcement agency may direct the organisation not to notify all or certain affected individuals.
New Offences Relating to the Mishandling of Personal Data
The Bill introduces new offences to hold individuals accountable for knowing or reckless unauthorised disclosure or use of personal data, or re-identification of anonymised data in the possession or under the control of an organisation.
The penalty is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years, or both.
Removal of Exclusion for Agents of Public Agencies
The Bill removes the current exclusion from Parts III to VI of the PDPA for organisations acting on behalf of any public agency, while retaining such exclusion for the public agency itself.
Expanded Categories of Deemed Consent
The PDPA currently provides that an individual is deemed to consent to the collection, use and disclosure of his/her personal data for a purpose if the individual voluntarily provides the personal data to the organisation for that purpose, and it is reasonable that the individual would do so. The Bill expands the categories of deemed consent to include the following:
Deemed consent by contractual necessity: where the disclosure of an individual’s personal data by organisation A to organisation B, and its use by organisation B, is reasonably necessary for the conclusion of a contract between the individual and organisation A.
Deemed consent by notification: where the organisation notifies the individual of the purpose of the collection, use or disclosure with a reasonable opt-out period, and the individual does not opt out within that period. The organisation must assess and ascertain that such collection, use or disclosure is not likely to have an adverse effect on the individual and/or implement reasonable measures to eliminate, reduce or mitigate any such adverse effect. Deemed consent will not apply to any purpose prescribed by subsidiary legislation. The PDPC has indicated that one of these excluded purposes to be prescribed will be the sending of direct marketing messages.
New Exceptions to the Consent Requirement
Two new exceptions to the consent requirement are included in the Bill:
Legitimate interests exception: an organisation may collect, use or disclose personal data without consent where it is in the legitimate interests of the organisation or another person and the benefit to such organisation or person is greater than any adverse effect on the individual. The organisation must: (a) assess any likely adverse effect to the individual and implement reasonable measures to eliminate, reduce or mitigate such identified adverse effect; and (b) provide the individual with reasonable access to information about the organisation’s collection, use or disclosure in accordance with this provision. This exception cannot be used for marketing messages.
Business improvement exception: an organisation may use personal data without consent for the following business improvement purposes, where such purposes cannot be achieved using aggregated data and a reasonable person would consider such use to be appropriate in the circumstances:
(a) operational efficiency and service improvements;
(b) developing, enhancing or personalising products/services; and
(c) learning and understanding its customers’ behaviour and preferences.
This exception cannot be used for marketing messages.
The Bill also revises the research exception under the PDPA (which permits use and disclosure of personal data without consent for research purposes), which now requires a clear public benefit for use or disclosure for the research purpose.
New Data Portability Obligation
The Bill introduces a new obligation on an organisation to transmit an individual’s personal data to another organisation if requested by that individual, where the individual has an ongoing relationship with the organisation. This is intended to provide individuals with greater autonomy over their personal data, and facilitate smoother switching between service providers. This obligation will apply to “applicable data” and a “porting organisation”, which will both be prescribed by subsidiary legislation. Different periods may be prescribed for different applicable data or different porting organisations. Certain categories of personal data are excluded from such data transfers.
Increased Financial Penalty Cap for Breaches
Under the PDPA, the PDPC may impose a financial penalty of up to S$1 million for data breaches. The Bill increases the maximum financial penalty for data breaches to (a) up to 10% of an organisation’s annual turnover in Singapore where such turnover exceeds $10 million, or (b) in any other case, S$1 million.
Additional Rules on Telemarketing and Spam Control
The Bill updates the “Do Not Call” (“DNC”) provisions in the PDPA to prohibit the sending of messages to telephone numbers generated through the use of dictionary attacks or address-harvesting software. The maximum financial penalty that may be imposed for these new offences is:
for an individual - S$200,000;
for a person whose annual turnover in Singapore exceeds $20 million - 5% of the annual turnover; and
in any other case - $1 million.
The Bill also expands coverage of the Spam Control Act (Cap. 311A) from messages sent to e-mail addresses and mobile telephone numbers to those sent to instant messaging accounts, including those on Telegram, WeChat, or Facebook Messenger.
Preparations for Compliance
The PDPC states on its website that the Bill will come into force in early 2021. It is anticipated that different parts of the Bill will be implemented in phases. In the meantime, organisations should implement the following preparatory compliance measures:
Conduct a thorough review of current personal data policies and processes for compliance with the new requirements, and identify and rectify potential areas of non-compliance.
Formulate and implement SOPs for data breach incident management, remediation and notification to meet the new requirements.
Review current data handling contracts and processes with public agencies in view of the impending removal of the exclusion for agents of public agencies.
Review current consent collection procedures in the light of the revised consent requirements and exceptions.
Review current data portability procedures for compliance with the new requirements, pending the issuance of subsidiary legislation and PDPC guidance.
Review telemarketing and instant messaging marketing practices (including those on social media platforms) for compliance with the expanded DNC and spam control provisions.
For queries or more information, please contact:
This article is intended to provide general information only and should not be relied upon as an exhaustive or comprehensive statement of law. Should you have any specific questions, please speak with one of our above contacts, or your usual contact at Amica Law LLC.
© 2020 Amica Law LLC. All rights reserved.