The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) published a consultation paper on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act (SCA).
The key areas of the proposed amendments include:
- strengthening the accountability of organisations;
- enabling meaningful consent where necessary;
- providing for greater consumer autonomy over their personal data; and
- increasing deterrence and strengthening the effectiveness of PDPC’s enforcement efforts.
Strengthening Accountability
The proposed amendments explicitly refer to the accountability principle, which is currently implied in sections 11 and 12 of the PDPA, and remove the exclusion granted to organisations collecting, using or disclosing personal data on behalf of a public agency from the application of the PDPA’s Data Protection provisions.
In line with the accountability principle, the proposed amendments also require organisations to issue data breach notifications in certain cases and to conduct breach assessments to determine if data breach notification criteria are met.
- The PDPC must be notified as soon as practicable (and within 3 calendar days) after the day the organisation determines that the data breach (a) results, or is likely to result, in significant harm to the affected individuals or (b) is of a significant scale, which may be further prescribed to mean 500 or more affected individuals.
- Affected individuals must be notified as soon as practicable if the data breach is likely to result in significant harm to them, unless (a) the breach is unlikely to result in such significant harm because the organisation had taken remedial actions to reduce the impact to affected individuals or the data subject of the breach were subject to technological protection, (b) the organisation is instructed by the PDPC or a prescribed law enforcement agency not to do so or (c) the PDPC exempts it from such notification requirement.
Further regulations will be issued prescribing data categories which, if involved in a data breach, will be considered likely to result in significant harm to individuals.
Enabling Meaningful Consent
To ensure meaningful consent by individuals, the proposed amendments expand the current PDPA provisions of deemed consent to include:
- deemed consent for contractual necessity: for disclosure to, and collection and use by, third-party organisations where it is reasonably necessary for the conclusion or performance of a contract or transaction between an individual and an organisation; and
- deemed consent by notification: where (a) the organisation provides appropriate notification to the individual of the purpose of data collection, use or disclosure; (b) the individual is given a reasonable period to opt-out of such collection, use or disclosure; and (c) the individual did not opt-out within that period.
Exceptions to the consent requirement will also be introduced to enable organisations to collect, use or disclose personal data:
- legitimate interests exception: where it is in the legitimate interests of the organisation and the benefit to the public outweighs any adverse effect on the individual (e.g., detecting or preventing illegal activities, or threats to safety and security); and
- business improvement exception: for business improvement purposes such as (a) operational efficiency and service improvements; (b) developing or enhancing products/services; and (c) knowing the organisation’s customers.
Deemed consent by notification and the legitimate interests exception cannot be relied on to use personal data for sending direct marketing messages and require the organisation to conduct a prior assessment of the likely adverse effect to individuals.
Revisions will also be made to allow organisations to use and disclose personal data for research purposes (including market research) without consent provided that the use of personal data will not have an adverse effect on individuals, and the research results will not be published in a form which identifies any individual.
Providing Greater Consumer Autonomy
Organisations will be subject to a new data portability obligation which will enable individuals to request the transmission of a copy of their personal data to another organisation with a presence in Singapore, subject to certain exceptions. This obligation will come into effect upon the issuance of regulations further detailing its scope and requirements.
Additionally, the PDPA and SCA proposed the following amendments to manage the current overlapping requirements relating to unsolicited commercial messages:
- the SCA will cover commercial messages sent to IM accounts (e.g., Telegram and WeChat) and in bulk;
- the PDPA Do-Not-Call provisions will also prohibit the sending of specified messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software;
- third-party checkers of Do-Not-Call Registers will be required to communicate accurate results to organisations and be subject to liability for providing wrong information; and
- the ongoing relationship exemption to the Do-Not-Call provisions set out in the Personal Data Protection (Exception from Section 43) Order 2013 will be incorporated into the PDPA.
Increasing Deterrence and Strengthening the Effectiveness of Enforcement Efforts
The proposed amendments aim to increase deterrence and strengthen enforcement efforts by:
- enforcing the current Do-Not-Call provisions under the same administrative regime as the Data Protection provisions, which will empower the PDPC to issue directions for infringements;
- increasing the maximum financial penalty the PDPC may impose to (a) up to 10% of an organisation’s annual gross turnover in Singapore; or (b) S$1 million, whichever is higher;
- introducing a criminal offence for a person’s failure to comply with an order to appear before the PDPC or an inspector to provide statements or documents in relation to an investigation;
- introducing a statutory undertaking scheme to expand the range of options for enforcing breaches of undertakings; and
- enabling referrals to mediation to manage the increase in data protection complaints.
For More Information
OrionW regularly advises clients on Data Protection matters. For more information about the Personal Data Protection Act, or if you have questions about this article, please contact us at info@orionw.com
Disclaimer: This article is for general information only and does not constitute legal advice.