On 2 November 2020, the Parliament of Singapore passed the Personal Data Protection (Amendment) Bill (Bill), amending the Personal Data Protection Act (PDPA) and Spam Control Act (SCA). While the Bill opens up avenues for organisations to collect, use and process personal data without individuals ’express consent, it also enhances the enforcement powers of the Personal Data Protection Commission (PDPC) and imposes new breach notification requirements. Organisations should therefore prepare for possible changes to how they process personal data and detect and assess data breaches before the Bill takes effect, likely in early 2021.
The Bill is largely consistent with the proposed amendments set out in the consultation paper published by the PDPC on 14 May 2020. (For additional information on those amendments, please see our article on that consultation paper.)
Under the Bill, organisations may disclose personal data without express consent through two new forms of deemed consent: deemed consent by contractual necessity and deemed consent by notification.
Organisations will also be able to collect, use and disclose personal data without consent under the legitimate interests exception (e.g., for purposes of detecting or preventing illegal activities, threats to physical or IT safety and security, preventing misuse of services and carrying out corporate due diligence); and the business improvement exception (e.g., using personal data to create credit risk model for operational efficiency, to understand spending habits or behaviour and preferences, develop new products or services, and train machine learning models).
Organisations relying on the new the deemed consent by notification must first conduct an assessment to determine that the collection, use or disclosure of personal data is not likely to have an adverse effect on individuals. Similarly, to apply the legitimate interests exception, an assessment must first be undertaken to ensure that there are legitimate interests to support the collection, use or disclosure of personal data and which outweigh any adverse effect on individuals.
Organisations cannot rely on the expanded deemed consent or new exceptions to the consent obligation, and would still need to get express consent, in order to send direct marketing messages to individuals.
Organisations will be required to issue notifications to the PDPC and affected individuals regarding notifiable data breaches, in line with the accountability principle.
A notifiable data breach is a data breach that:
Notification of a notifiable data breach must be made:
The PDPC proposes that a data breach notification shall include the following information:
The data portability obligation requires an organisation to, upon the request of an individual, safely transmit applicable data to a receiving organisation in a machine-readable format and in accordance with any prescribed requirements such as technical, user experience and consumer protection matters.
The data portability obligation applies only in cases where the following conditions are met:
An organisation may disclose a third-party individual’s personal data without consent only if:
Whether or not an organisation accedes to or refuses a data porting request, it must preserve any applicable data specified in that request, for the prescribed period.
The Bill introduced consequential amendments to the SCA to manage the current overlapping requirements and address any gaps relating to unsolicited commercial messages. Unsolicited commercial messages sent to IM accounts such as Telegram will now be covered under the SCA, while sending of marketing messages to a telephone numbers using a dictionary attack or address harvesting software will now be covered under the PDPA.
In addition, third-party checkers (i.e., non-employees that provide information to an organisation, for reward, on whether certain Singapore telephone numbers are listed in a Do-Not-Call Registry) will be required to ensure that they provide accurate information to organisations in accordance with prescribed requirements. An organisation may rely on a valid confirmation received from a third-party checker provided there is no reason to believe that, and the organisation is not reckless as to whether, the prescribed confirmation period has expired or the information from the third-party checker is false or inaccurate.
The maximum financial penalty which the PDPC may impose for data breaches will be increased to:
In all cases, the financial penalty to be imposed will depend on the facts of the case, such as the seriousness and impact of the breach and the presence of any mitigating factors.
OrionW regularly advises clients on data protection matters. For more information about the Personal Data Protection Act, or if you have questions about this article, please contact us at firstname.lastname@example.org
Disclaimer: This article is for general information only and does not constitute legal advice.