On 2 November 2020, the Parliament of Singapore passed the Personal Data Protection (Amendment) Bill (Bill), amending the Personal Data Protection Act (PDPA) and Spam Control Act (SCA).  While the Bill opens up avenues for organisations to collect, use and process personal data without individuals ’express consent, it also enhances the enforcement powers of the Personal Data Protection Commission (PDPC) and imposes new breach notification requirements. Organisations should therefore prepare for possible changes to how they process personal data and detect and assess data breaches before the Bill takes effect, likely in early 2021.

The Bill is largely consistent with the proposed amendments set out in the consultation paper published by the PDPC on 14 May 2020.  (For additional information on those amendments, please see our article on that consultation paper.)

Additional Grounds for Collecting, Using and Disclosing Personal Data

Under the Bill, organisations may disclose personal data without express consent through two new forms of deemed consent: deemed consent by contractual necessity and deemed consent by notification.  

• Deemed consent by contractual necessity expressly allows a downstream organisation (Y), such as a service provider to an organisation with whom an individual has a contract (X), to disclose that individual’s personal data to another downstream organisation, such as Y’s sub-contractor, where such disclosure is necessary to fulfil the contract between the individual and X.  For example, an individual buys food for delivery through a restaurant’s mobile app.  The restaurant engages a service provider to deliver all food orders; in turn, the service provider sub-contracts the delivery function to another organisation. The restaurant and the service provider may rely on deemed consent by contractual necessity to disclose the individual’s personal data to the service provider and the sub-contractor, respectively.
• Deemed consent by notification may be relied on where an organisation collects personal data with consent for a specific purpose (e.g., for managing disputes) and intends to use the same data for a different purpose (e.g., to develop customised online services), after individuals are notified of that different purpose and do not opt-out after a reasonable period.

Organisations will also be able to collect, use and disclose personal data without consent under the legitimate interests exception (e.g., for purposes of detecting or preventing illegal activities, threats to physical or IT safety and security, preventing misuse of services and carrying out corporate due diligence); and the business improvement exception (e.g., using personal data to create credit risk model for operational efficiency, to understand spending habits or behaviour and preferences, develop new products or services, and train machine learning models).

Organisations relying on the new the deemed consent by notification must first conduct an assessment to determine that the collection, use or disclosure of personal data is not likely to have an adverse effect on individuals.  Similarly, to apply the legitimate interests exception, an assessment must first be undertaken to ensure that there are legitimate interests to support the collection, use or disclosure of personal data and which outweigh any adverse effect on individuals.

Organisations cannot rely on the expanded deemed consent or new exceptions to the consent obligation, and would still need to get express consent, in order to send direct marketing messages to individuals.

Mandatory Data Breach Notification

Organisations will be required to issue notifications to the PDPC and affected individuals regarding notifiable data breaches, in line with the accountability principle.

A notifiable data breach is a data breach that:

• results or is likely to result in significant harm to an affected individual; or
• is or is likely to be of a significant scale.

Notification of a notifiable data breach must be made:

• to the PDPC: as soon as is practicable, but no later than 3 calendar days, after conducting an assessment of whether the data breach is a notifiable data breach; and
• to affected individuals: on or after notifying the PDPC, unless an exception applies.

The PDPC proposes that a data breach notification shall include the following information:

• the facts of the data breach;
• the chronology of the data breach discovery (for notifications to the PDPC);
• the organisation’s data breach management and remediation plan; and
• the contact details of the organisation’s representative.

Data Portability Obligation

The data portability obligation requires an organisation to, upon the request of an individual, safely transmit applicable data to a receiving organisation in a machine-readable format and in accordance with any prescribed requirements such as technical, user experience and consumer protection matters.

The data portability obligation applies only in cases where the following conditions are met:

• the applicable data is in electronic form;
• the porting organisation has an ongoing, direct relationship with the individual;
• the data was collected or created by the porting organisation within a prescribed period before receiving the data porting request;
• the receiving organisation is formed or recognised under the law of, or have residence or an office in, Singapore or a prescribed country; and
• an exception under the Bill does not apply.

An organisation may disclose a third-party individual’s personal data without consent only if:

• the data porting request is made in the requesting individual’s personal or domestic capacity;
• the data porting request relates to the requesting individual’s user activity data or user-provided data; and
• the receiving organisation uses that personal data only for the purpose of providing any goods or services to the requesting individual.

Whether or not an organisation accedes to or refuses a data porting request, it must preserve any applicable data specified in that request, for the prescribed period.

Changes to the Spam Control Act (SCA) and PDPA Do Not Call Provisions

The Bill introduced consequential amendments to the SCA to manage the current overlapping requirements and address any gaps relating to unsolicited commercial messages.  Unsolicited commercial messages sent to IM accounts such as Telegram will now be covered under the SCA, while sending of marketing messages to a telephone numbers using a dictionary attack or address harvesting software will now be covered under the PDPA.

In addition, third-party checkers (i.e., non-employees that provide information to an organisation, for reward, on whether certain Singapore telephone numbers are listed in a Do-Not-Call Registry) will be required to ensure that they provide accurate information to organisations in accordance with prescribed requirements.  An organisation may rely on a valid confirmation received from a third-party checker provided there is no reason to believe that, and the organisation is not reckless as to whether, the prescribed confirmation period has expired or the information from the third-party checker is false or inaccurate.

Increased Financial Penalty Cap

The maximum financial penalty which the PDPC may impose for data breaches will be increased to:

• up to 10% of the annual turnover of an organisation whose annual gross turnover in Singapore exceeds S$10 million; or
• S$1 million, in any other case.

In all cases, the financial penalty to be imposed will depend on the facts of the case, such as the seriousness and impact of the breach and the presence of any mitigating factors.

For More Information

OrionW regularly advises clients on data protection matters. For more information about the Personal Data Protection Act, or if you have questions about this article, please contact us at info@orionw.com

Disclaimer: This article is for general information only and does not constitute legal advice.

‍