Key amendments to the Singapore Personal Data Protection Act would take into account technological advances, new business models, and global developments in data protection legislation.
Following a public consultation conducted by the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) on the draft Personal Data Protection (Amendment) Bill from 14 to 28 May 2020, the proposed amendments to the Singapore Personal Data Protection Act (PDPA) were introduced in the Singapore Parliament by the Minister for Communications and Information on 5 October 2020.
The proposed amendments seek to take into account technological advances, new business models, and global developments in data protection legislation. There are four key areas of amendments:
Currently, the PDPC encourages organisations to make voluntary notifications on the occurrence of a data breach. However, there is no express requirement in the PDPA requiring organisations to do so.
The bill proposes to make it mandatory for organisations to report notifiable data breaches.
Where an organisation has reason to believe that a data breach has occurred, it must conduct, in a reasonable and expeditious manner, an assessment as to whether it is a notifiable data breach.
If the notification criteria are met, the organisation must notify the PDPC as soon as practicable but no later than 72 hours after the organisation has made an assessment that a notifiable data breach has occurred, and must notify the affected individuals as soon as practicable.
To facilitate the collection, use, or disclosure of personal data for legitimate interests and business purposes, in particular where there are wider public or systemic benefits, the bill seeks to expand the scope of “deemed consent” under the PDPA and introduce new exceptions to the requirement to obtain consent from individuals before collecting, using, or disclosing their personal data.
The bill seeks to widen the scope of “deemed consent” under the PDPA to cover these circumstances:
The bill also seeks to allow organisations to collect, use, or disclose personal data without having to obtain consent from the individuals in two additional circumstances:
The bill proposes to introduce a new data portability obligation to provide consumers with greater autonomy over their personal data, enable consumers to switch to new service providers more easily, and also support the development of new and innovative services or applications as organisations will have more access to data.
Under the new data portability obligation, an organisation must, at the request of an individual, transmit his or her personal data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format.
There will, however, be exceptions to the data portability obligation. For example, the obligation only applies to data which is provided by the individual or is data about the individual created in the course of the individual’s use of the relevant product or service. Data which is derived by the organisation in the course of business from other personal data will not be covered. The individual exercising the right must also have an existing, direct relationship with the organisation, the data must be in electronic form, and the receiving organisation must generally have a presence in Singapore.
The sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software will be prohibited under the Do Not Call provisions of the PDPA.
The Spam Control Act will also be amended to cover commercial text messages sent to instant messaging accounts and in bulk.
Currently, the maximum financial penalty for a breach of the provisions of the PDPA is S$1 million. To serve as a stronger deterrent, the bill seeks to increase the financial penalty to (1) up to 10% of an organisation’s annual turnover in Singapore; or (2) S$1 million, whichever is higher. For breach of the Do Not Call provisions of the PDPA, the MCI and PDPC intend to introduce tiered financial penalty caps, aligned with the egregiousness of the breach.
Currently, in determining the financial penalty quantum, the PDPC considers factors such as whether the organisation took any action to mitigate the effects of the data breach and the type and nature of the personal data affected. Some of these factors are listed in the Guide on Active Enforcement issued by the PDPC. To provide additional clarity and regulatory certainty, the MCI and PDPC intend to set out in the PDPA a non-exhaustive list of factors that the PDPC would consider and give weight to as appropriate when determining the quantum of financial penalty to impose.
The bill will be debated at the next parliamentary sitting. If passed, it will be the first amendment to the PDPA since it was enacted in 2012. Organisations should do the following:
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers, who are directors of Morgan Lewis Stamford LLC, a Singapore law corporation affiliated with Morgan, Lewis & Bockius LLP: