Proposed Amendments to Singapore’s Personal Data Protection Act 2012 and Spam Control Act

Darshita
Published in FinTech & Law
8 min read · Jun 23, 2020

Introduction

As Singapore’s digital landscape continues to evolve, technological innovations and cybersecurity breaches are posing challenges to its consent-based approach to data protection. On one hand, organisations are collecting large volumes of data, and it is becoming increasingly unfeasible to obtain the consent of individuals for each instance of data collection and each new business purpose. On the other hand, individuals are unable to provide meaningful consent, as their decisions may not fully take account of the systemic risks or benefits of data collection. It is under these circumstances that the Personal Data Protection Commission (PDPC) and the Ministry of Communications and Information (MCI) have decided to review Singapore’s Personal Data Protection Act 2012 (PDPA) and to propose a shift towards an accountability-based approach to data protection.

This article aims to discuss and summarise certain proposed amendments to the PDPA and the Spam Control Act, based on the public consultation paper issued by the PDPC and MCI on 14 May 2020.

Consent Obligation

Exceptions to the Consent Obligation

Currently, the Second, Third and Fourth Schedules of the PDPA provide several exceptions to the consent obligation for collecting, using and disclosing personal data. Under the proposed amendments, these schedules would be consolidated and simplified, with two new “business-friendly” exceptions added:

  1. Legitimate interests exception: Organisations may collect, use or disclose personal data without consent in circumstances where it is in the legitimate interests of the organisations and the benefit to the public is greater than any adverse effect on the individual. Some examples of legitimate interests include preventing illegal activities (e.g., fraud and money laundering) or threats to safety and security, ensuring IT and network security and to prevent misuse of services; and
  2. Business improvement exception: Organisations may use personal data without consent for business improvement purposes, such as (i) to increase operational efficiency; (ii) to develop or improve products/services; and (iii) to know more about the organisation’s customers.

Expanded Deemed Consent

Section 15 of the PDPA currently provides that an individual is deemed to have consented to the collection, use and disclosure of his/her personal data if the individual voluntarily provides the personal data to the organisation and it is reasonable that the individual would do so. It is proposed that deemed consent be expanded to include:

  1. Deemed consent by contractual necessity: Consent is deemed to be given where the collection, use or disclosure is necessary for the conclusion or performance of a contract or transaction; and
  2. Deemed consent by notification: Consent is deemed to be given if the organisation provides appropriate notification to the individual of its purpose of collection, use or disclosure of the personal data with a reasonable period for the individual to opt out, and the individual did not do so. Organisations will need to assess and ensure that the intended collection, use and disclosure of personal data will not have any adverse effect on the individual.

Data Portability Obligation

It is proposed that organisations must be able to provide an individual’s personal data that is in their possession or under their control to another organisation, in a machine-readable format, when requested by an individual who has an existing and direct relationship with the organisation.

The data portability obligation is however limited in scope to (i) receiving organisations that are either formed or recognised under the law of Singapore or have a place of business in Singapore and (ii) user-provided data and user activity data that is held in electronic form. Personal data about an individual that is derived by an organisation in the course of business from other personal data is excluded from the data portability obligation.

Exceptions to the data portability obligation will be similar to those set out in the Fifth Schedule of the PDPA. In the event an organisation declines a data porting request, it must notify the individual of its reasons within a reasonable time. The PDPC may review an organisation’s refusal to port data and can direct the organisation to do so. In any event, organisations will be required to preserve the personal data (or a copy thereof) that is requested by an individual for (i) at least 30 days after declining the request or (ii) until the individual has exhausted his/her right to review/appeal to the PDPC, the Data Protection Appeal Committee, the High Court or the Court of Appeal, whichever is later.

Mandatory Data Breach Notification

Notification Requirement

It is proposed that organisations be required to notify the PDPC of a data breach that (i) results or is likely to result in significant harm to the individuals to whom the data breach relates, or (ii) is of a significant scale (i.e., affecting 500 or more individuals). Organisations are also required to notify affected individuals of a data breach if it results or is likely to result in significant harm to them. A data breach that compromises prescribed categories of personal data (e.g., identification numbers, credit/debit card numbers, medical history information, etc.) will be deemed likely to result in significant harm to the affected individuals.

Organisations must notify both the PDPC and the affected individuals as soon as practicable; however, the PDPC must be notified before or at the same time as the affected individuals, and in any event no later than three calendar days after the day on which the organisation assesses that the data breach is notifiable.

Exceptions to the Notification Requirement

There are certain exceptions to the requirement to notify individuals:

  1. Remedial action exception: Organisations that have taken remedial actions such that the data breach is unlikely to result in significant harm to the affected individuals;
  2. Technological protection exception: Organisations that have applied security measures to the personal data (e.g., encryption of a reasonable security standard) such that the data breach is unlikely to result in significant harm to the affected individuals; and
  3. Permitted authority exception: Organisations that are instructed by a prescribed law enforcement agency or directed by PDPC not to notify any affected individuals.

New Offences and Enforcement Mechanisms

Egregious Mishandling of Personal Data

It is proposed that organisations may be liable for the actions of their employees (excluding public officers) who, in the course of their employment, egregiously mishandle personal data in the possession of or under the control of the organisation. These offences include:

  1. Knowing or reckless unauthorised disclosure of personal data;
  2. Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
  3. Knowing or reckless unauthorised reidentification of anonymised data.

Increased Financial Penalties

The proposed amendments aim to increase the maximum financial penalty for breaches of the PDPA under Section 29(2)(d) to (i) up to 10 percent of an organisation’s annual gross turnover in Singapore, where the organisation’s annual turnover exceeds S$10 million; or (ii) in any other case, S$1 million.

Attendance for Investigation

The proposed amendments introduce an offence for persons who (i) fail to comply with an order to appear before a PDPC inspector and provide their statements in connection with an investigation; or (ii) fail to provide any document or information as required under paragraph 1(1) of the Ninth Schedule to the PDPA.

Referrals to Mediation

The proposed amendments will provide the PDPC with the power to direct data protection complainants to resolve disputes via mediation, as well as the power to establish or approve such mediation schemes.

Improved Controls for Unsolicited Messages

It is proposed that the do-not-call provisions in the PDPA be extended to prohibit the sending of messages to telephone numbers obtained through the use of dictionary attacks (i.e., generating numbers by enumerating possible combinations) or address-harvesting software. It is also proposed that the Spam Control Act be amended to prohibit unsolicited commercial messages sent to instant messaging accounts, such as WhatsApp, WeChat and Telegram.

Alignment with GDPR?

The proposed amendments, and in particular the move towards a risk-based approach to data protection, help to align the PDPA more closely with the provisions of the European Union’s General Data Protection Regulation (GDPR). For instance, the proposed revenue-based financial penalty cap (see “New Offences and Enforcement Mechanisms” above) imposed on organisations that violate the PDPA closely follows the penalties under Article 83 of the GDPR.

Also, the proposed data portability obligation on organisations (see “Data Portability Obligation” above) provides individuals with rights similar to those under Article 20 of the GDPR. Generally, data portability would apply to personal data provided by an individual to an organisation as well as to personal data gathered by organisations from an individual’s activities, such as browsing history, cookies, or traffic and location data. However, it is important to highlight that an individual’s right to data portability under Article 20 of the GDPR is limited to personal data where the processing is based on the individual’s consent or on the performance of a contract. In contrast, the proposed data portability obligation under the PDPA does not appear to be linked to the consent obligation, and therefore user-provided data and user activity data held in electronic form may be available for data portability regardless of the basis on which it was collected.

In addition, the proposed legitimate interests exception to the consent obligation under the PDPA also appears to be a concept borrowed from Article 6(1)(f) of the GDPR. However, it is important to highlight that this exception differs materially from its GDPR counterpart. In particular, Article 6(1)(f) of the GDPR requires the controller (i.e., the organisation) to assess whether the legitimate interests pursued by the controller or by a third party are overridden by the interests or fundamental rights and freedoms of the data subject (i.e., the individual) which require protection of personal data.

In contrast, the proposed legitimate interests exception requires an organisation to conduct an assessment of whether the benefit to the public is greater than any adverse effect on the individual. In other words, the exception would only apply where there are public and systemic advantages. This may be beneficial for government or publicly driven measures (such as contact-tracing applications during COVID-19 or anti-money laundering monitoring measures); however, its utility for private organisations may be limited in scope.

Concluding Thoughts

The proposed amendments appear more stringent in light of the new enforcement measures, and they place increasing responsibility on organisations. In light of the foregoing, organisations should be aware of the implications of the proposed amendments as they are considered and finalised by the MCI and the PDPC, in order to determine the best approach towards continued data protection compliance.

The opinions expressed in this article are my own and do not represent the opinions of my employer. This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a suitably qualified lawyer in your jurisdiction. The author does not accept or assume any responsibility or liability in respect of this article.
