The Ministry of Communications and Information (MCI) and the Personal Data Privacy Commission (PDPC) on 14 May 2020 issued a consultation paper inviting feedback on proposed changes to the Personal Data Protection Act 2012 (PDPA). This Client Update outlines the key changes.

INTRODUCTION

At present, the PDPA establishes a set of basic rules for data protection within the private sector. It establishes two related frameworks: firstly, a set of privacy rules (currently contained in Parts IV to VI of the PDPA) governing the collection, use and sharing of personal data, and secondly, a related regime establishing the Do Not Call (DNC) Registry and regulating the use of Singapore telephone numbers for telemarketing.

KEY CHANGES

The principal changes proposed to the PDPA are as follows:

New Mandatory Data Breach Notification Regime

A new Part VIA will be introduced into the PDPA to provide for a mandatory data breach notification requirement.

A data breach will be a notifiable data breach in two circumstances:

  1. where the data breach results, or is likely to result, in significant harm to the individuals whose personal data is involved in the data breach; or
  2. where the data breach affects not fewer than a prescribed minimum number of individuals (presently proposed to be 500 individuals).

With regard to the concept of significant harm, it will be prescribed in regulations that data breaches involving certain types of sensitive personal data (such as identification numbers, credit card numbers and medical information) will be deemed to be likely to cause significant harm.

Once an organisation has reason to believe that a data breach has occurred, it would be obliged to assess whether the data breach is notifiable. If it is, the organisation must notify the PDPC as soon as practicable and in any case no later than 3 days after it assesses that the data breach is notifiable.

The organisation must also notify the individuals affected by the notifiable data breach in any manner that is reasonable in the circumstances. However, notifying the affected individuals is not required if the organisation is able to take, and has taken, remedial action to negate the likelihood of significant harm, or if the organisation has applied technological measures that render it unlikely that the notifiable data breach will result in significant harm (such as encryption that remains effective in protecting the data).

New Regime for Data Portability

A new Part VIB will also be introduced into the PDPA to provide for data portability. Such a regime will provide individuals with greater autonomy and control over their personal data, by enabling them to make a request to one organisation (the porting organisation) to transmit to another organisation (the receiving organisation) the applicable personal data specified in a data porting request that meets prescribed requirements.

This regime will apply to user-provided data (i.e. data supplied by the individual to an organisation, such as an individual's personal particulars) as well as user activity data (i.e. data which an organisation compiles from an individual's usage of products or services). The individual will only be entitled to make a data porting request if he has an existing direct relationship with the porting organisation. The receiving organisation must also have a presence in Singapore.

Enhancements to the Consent Regime

Under the present framework of the PDPA, consent is the cornerstone of the obligations relating to the collection, use and disclosure of personal data. Apart from express consent, the notion of deemed consent is already recognised in section 15. Currently, a person is deemed to consent to the collection, use or disclosure of personal data by an organisation for a particular purpose if he voluntarily provides the organisation with the personal data (without giving explicit consent) and it is, in the circumstances, reasonable for the individual to voluntarily provide that data.

This formulation has been considered too narrow, and MCI and PDPC are now proposing to accommodate the additional notion of contractual necessity. Where an individual contracts with an organisation and provides personal data to that organisation in connection with the contract, the individual would be deemed to consent to that organisation disclosing the personal data to another organisation if the disclosure is reasonably necessary for the conclusion or performance of the contract between the individual and the first organisation.

The PDPA will also be amended to provide, in certain specified circumstances, for deemed consent by notification, such that an organisation can rely on deemed consent after having notified an individual of the purpose of an intended collection, use or disclosure of personal data, where the individual fails to opt out within a reasonable period of time. To guard against misuse, certain preconditions must be met. The organisation must first have assessed that the intended collection, use or disclosure is not likely to have an adverse effect on the individual. This basis is also not available for an organisation to send direct marketing messages to the individual. As in all other cases involving deemed consent, the individual remains free to withdraw consent for the collection, use or disclosure.

To cater to situations where there may be broader public benefits overriding the need to obtain an individual's consent, two new exceptions dispensing with consent will be introduced:

The first new exception will allow an organisation to collect, use or disclose personal data where it is in the legitimate interest of the organisation and there is a benefit to the public that outweighs any adverse effect on an individual. Again, safeguards would have to be observed. In particular, the organisation seeking to rely on this exception must first take appropriate measures to mitigate any likely adverse effect on the individual and then balance the resulting public benefit against any likely residual adverse effect on the individual. This exception cannot be relied upon as a means to send direct marketing messages.

The second new exception relates to personal data already collected in accordance with the data protection provisions and permits an organisation to further use that personal data for a new purpose without the need for consent. The new purpose must be to improve the operation of the organisation's business, whether through operational efficiency, improving products and services or to better understand the organisation's customers. The use of the personal data for business improvement must be objectively reasonable (in that the purpose cannot be otherwise achieved without the use of the data in an individually identifiable form) and it must not be used in such a way as to have an adverse effect on an individual.

The existing research exception will also be revised to incorporate the safeguard that the use of personal data for research must not have an adverse effect on individuals and the result of the research must not be published in any form which identifies any individuals.

Improved controls over unsolicited commercial marketing messages

In order to catch up with technological developments, MCI and PDPC will also be making changes to both the PDPA and the Spam Control Act to tighten regulatory control over unsolicited marketing messages.

The Spam Control Act will be amended to apply to messages sent to accounts on instant messaging platforms.

The Do Not Call provisions in the PDPA will be extended to apply to the sending of specified messages to telephone numbers obtained through dictionary attacks and address harvesting software. This aims to deter spammers who take advantage of technology to indiscriminately send unsolicited messages to a large number of recipients.

The Do Not Call provisions in the PDPA will also be amended to impose duties on third parties who may be engaged by organisations to check the DNC Registers on their behalf. Such third-party checkers must accurately communicate the results of the checks on the relevant DNC Registers. Provided that the checker has no reason to believe otherwise and has not acted recklessly, the organisation that sends the message would be deemed to have complied with its duty to check the DNC Registers upon being informed by the checker that the number is not listed in the relevant DNC Register.

Strengthening Enforcement Powers

Several new offences will be introduced to enable action to be taken against blameworthy individuals for knowingly or recklessly mishandling personal data that is possessed by an organisation. However, this is not intended to detract from the policy position that organisations are to be primarily responsible and accountable for PDPA compliance. The consultation paper makes clear that the PDPC will continue to look to the organisation as being primarily accountable for data protection.

Currently the PDPC is able to impose a financial penalty of up to S$1 million for breaches of the PDPA. This will now be enhanced so that the maximum financial penalty the PDPC can impose will either be 10% of an organisation's annual gross turnover in Singapore or S$1 million, whichever is the higher.

Other Enhancements to the Privacy Protection Regime

Various other changes are also proposed, including:

  • the ability of the PDPC to enforce orders for a person to appear before the PDPC and to provide information;
  • the ability of the PDPC to accept and enforce voluntary undertakings to remediate any shortcomings; and
  • the power of the PDPC to establish mediation schemes for private PDPA disputes.

Structural Changes to the Architecture of the PDPA

One interesting structural change to be noted is the proposed reorganisation of the exceptions to the consent requirement when collecting, using or disclosing personal data. Currently, the exceptions to the consent requirement for collection, use and disclosure of personal data are set out separately in the Second, Third and Fourth Schedules of the PDPA respectively. Given that many of the exceptions are in fact common to the activities of collection, use and disclosure, the exceptions will be re-organised so that those common to all three activities are placed together in one place (the new First Schedule). The exceptions specific only to the collection of personal data will then be contained in Part 1 of a new Second Schedule, the exceptions specific only to the use of personal data in Part 2 of the new Second Schedule, and the exceptions specific only to the disclosure of personal data in Part 3 of the new Second Schedule.

CONCLUSION

The consultation period runs from 14 to 28 May 2020.

A copy of the MCI/PDPC Consultation Paper is available at the link below:
https://www.mci.gov.sg/public-consultations/public-consultation-items/public-consultation-on-the-draft-personal-data-protection-amendment-bill

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.