Eight years have passed since the enactment of Singapore’s comprehensive data protection law, the Personal Data Protection Act 2012 (PDPA).
On May 14, 2020, a public consultation paper and accompanying Personal Data Protection (Amendment) Bill (Amendment Bill) were published, to solicit feedback on several proposed revisions to the PDPA.
The consultation closed on May 28, 2020, with 70 responses received from organizations and 17 from individuals.
Author: Carolyn Chia (Resource Law LLC)
What are the changes proposed by the Amendment Bill?
The proposed changes are significant. Key amendments include:
- Increased financial penalties for contraventions of the PDPA
- Mandatory data breach notification
- Revised consent framework
- New data portability obligation
- Enhanced rules on telemarketing and spam
Increased financial penalties for contraventions of the PDPA
The Amendment Bill increases the financial penalty that the Personal Data Protection Commission (Commission) can impose on an organization that infringes the PDPA. Currently, the penalty is capped at SGD 1 million.
The proposed new cap is the higher of SGD 1 million or, for an organization whose annual turnover in Singapore exceeds SGD 10 million, 10 percent of that annual turnover in Singapore.
Mandatory data breach notification
A mandatory obligation will be imposed to notify the Commission and affected individuals of any notifiable data breach.
A data breach is notifiable if it:
- is likely to result in significant harm to an affected individual (for instance, where the breach affects a class of personal data to be prescribed in regulations); or
- affects not fewer than the minimum number of affected individuals prescribed (which has been proposed to be 500).
A “data breach” is defined broadly. It covers any unauthorized access to, or similar compromise of, personal data, as well as the loss of any storage medium or device on which personal data is stored, in circumstances where such unauthorized access or compromise is likely to occur.
A data breach notification to the Commission must be made without undue delay and, in any event, no later than 3 calendar days after the day on which the organization assesses that the breach is notifiable. Because the clock runs from that assessment, the assessment itself must be carried out expeditiously.
An organization need not notify affected individuals where:
- it has taken remedial action that renders it unlikely that the breach will result in significant harm to the affected individuals; or
- the personal data was protected by technological measures (e.g., encryption) that render it unlikely that the breach will result in significant harm to the affected individuals.
Separately, a data intermediary that processes personal data on behalf of an organization must notify that organization, without undue delay, of any data breach it suspects has affected that data.
Revised consent framework
Deemed consent will be extended to cover two further situations:
- Contractual necessity (i.e., where the processing of personal data is reasonably necessary to perform a contract); and
- Notification, where individuals have been notified of the purpose of the processing and given an opportunity to opt out. To rely on this form of deemed consent, the organization must first assess that the processing is unlikely to have an adverse effect on the individual. It cannot be relied upon for direct marketing. Further, since this is a form of consent rather than an exception to consent, individuals retain the right to withdraw their consent subsequently.
There will be three new exceptions to consent, as follows:
(i) Legitimate interests
This exception applies where the legitimate interests of the organization, together with the benefit to the public (or any section of it), outweigh any adverse effect on the individual. Because the test weighs in the public benefit, it differs from the legitimate interests basis under the European Union’s General Data Protection Regulation.
Examples of where legitimate interests could be relied upon in Singapore include processing for the purposes of detecting or preventing illegal activities (e.g., fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services. To rely on this exception, an organization must conduct a risk and impact assessment and disclose its reliance on the exception (e.g., in an external-facing policy or agreement).
The exception cannot be used to send direct marketing messages to individuals.
(ii) Business improvement
This exception applies where there is a need to:
- Carry out operational efficiency and service improvements;
- Develop or enhance products/services; or
- Know more about the organization’s customers.
The use of personal data must be what a reasonable person would consider appropriate in the circumstances, and the data must not be used to make a decision that is likely to have an adverse effect on any individual. The exception is also available within a group of companies, for example between a parent company and its subsidiaries.
(iii) Revised research exception
This exception applies provided that, among other things:
- The use of personal data or results of the research does not have an adverse effect on individuals; and
- Results are not published in a form that identifies any individual.
There will also be a loosening of the restrictions on the use of personal data for research purposes without consent. The exception can apply, for instance, to institutions carrying out scientific research and development or arts and social science research, and to market research aimed at understanding potential customer segments.
However, disclosure for research purposes will continue to be subject to more stringent restrictions relating to impracticality and public interest.
New data portability obligation
The Amendment Bill introduces a new data portability right for individuals, giving them the ability to request the transmission of their data to another service provider.
An organization’s portability obligation will only apply to:
- User-provided data and user activity data held in electronic form, including business contact information. This data may include third party personal data, where the request is made in the requesting individual’s personal or domestic capacity;
- Requesting individuals with an existing, direct relationship with the organization; and
- Receiving organizations with a presence in Singapore. However, data portability could subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.
The Commission will work with industry and sector regulators to establish and set out further requirements under regulations, including:
- A “whitelist” of data categories to which portability applies;
- The technical and process details to ensure the correct data is transmitted safely to the right receiving organization, and in a usable format;
- Any relevant data porting request models. Consumers can make a data porting request either directly to the porting organization (push model) or through the receiving organization (pull model). The data itself can be ported directly between the two organizations or through an intermediary; and
- Safeguards for individuals, tailored to the risks associated with the dataset under the whitelist. This could include cooling-off periods for certain datasets to provide time for a consumer to change their mind and withdraw a porting request, and the establishment of a blacklist of organizations that porting organizations may justifiably refuse to port data to.
Exceptions to the data portability obligation will be provided for, which will likely be similar to those for the access obligation.
Derived data will be excluded from the portability obligation. This means personal data that the organization has derived, in the course of its business, from other data about the individual or another individual in its possession or control. Data derived using only a simple mathematical function does not count as derived data for this purpose and so remains portable.
Refusals of porting requests must be notified to individuals, together with the reasons for the refusal, and within a reasonable time. The Commission will have the power to review these refusals and any fees for the porting of data.
Enhanced rules on telemarketing and spam
- The Spam Control Act will cover the bulk sending of commercial text messages to instant messaging accounts.
- The “do not call” (DNC) provisions will prohibit the sending of specified messages to telephone numbers obtained through dictionary attacks (systematically generating candidate numbers) or address-harvesting software.
- Third-party checkers will be required to communicate accurate DNC Register results to the organizations on whose behalf they check the register, and will be liable for DNC infringements resulting from any erroneous information they provide.
- The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the PDPA, rather than as criminal offenses.
Other changes proposed in the Amendment Bill
The other changes proposed in the Amendment Bill include:
- An express mention of “accountability” in the Bill, indicating that organizations will be expected to demonstrate compliance.
- Organizations acting on behalf of public agencies will be subject to the Bill. Currently, they are exempted.
- New offenses to hold individuals accountable for egregious mishandling of personal data on behalf of an organization or public agency, namely:
- Any unauthorized disclosure of personal data that is carried out knowingly or recklessly;
- Any unauthorized use of personal data that is carried out knowingly or recklessly and results in a wrongful gain or a wrongful loss to any person; and
- Any unauthorized re-identification of anonymized data that is carried out knowingly or recklessly.
These offenses do not apply to public officers, who are instead subject to the Public Sector (Governance) Act 2018.
- It will be an offense for a person to fail to:
- Comply with an order to appear before the Commission or an inspector of the Commission;
- Provide a statement in relation to any investigation; or
- Produce any document specified in a written notice.
- Where the Commission reasonably believes that an organization has not complied with the PDPA, the organization may give, and the Commission may accept, a written voluntary undertaking. Such an undertaking can require the organization to take, or refrain from taking, specified action within a specified time, and to publicize the undertaking.
- The Commission may vary the terms of an undertaking and require additional undertakings where appropriate. Failure to comply with a voluntary undertaking may give rise to a direction by the Commission.
- An organization's implementation of its data breach management plan may itself be made the subject of such an undertaking. Coupled with mandatory breach notification, this gives the Commission an additional lever in any enforcement action.
- The Commission will have the power to:
- Approve mediation schemes; and
- Direct complainants to resolve data protection disputes via mediation, without the need to secure the consent of both parties.
- Organizations will be required to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the individual has exhausted their right to apply to the Commission for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court, or Court of Appeal, whichever is later.
- The scope of the business asset transaction exception in the PDPA will be extended to the personal data of independent contractors, in addition to that of employees, customers, directors, officers, and shareholders of the organization.
Why is there a need to amend the PDPA?
The changes proposed in this review of the PDPA are driven by a need to align Singapore’s existing data protection law with global regulatory developments and to ensure Singapore keeps pace with the evolving technological and business landscape whilst providing for effective protection of personal data in the digital economy.
What do I need to do to get ready for the new laws?
Businesses should put in place a clear action plan to get ready for compliance with the forthcoming changes to the PDPA.
(A) Internal documents:
- Data protection policies and standard operating procedures (SOPs) should be reviewed and updated where necessary. Where applicable, global policies should be tailored for compliance with the Singapore requirements.
- A robust incident response and management plan should be drafted, implemented, and tested across the organization. As breaches take numerous forms, such a plan should ideally address the different types of data incidents that an organization could encounter, from incidents caused by malicious activities to human and/or computer system error.
- Such a plan should guide stakeholders on how to identify a breach when it occurs, whom to inform, how to record/document relevant matters, and other specific actions to take in response to an incident.
(B) External documents:
- Businesses should ensure that relevant agreements are reviewed to provide adequate protection against data breaches. This may include the provision of undertakings from counterparties on data privacy and security, subcontracting restrictions, rights to audit and insurance requirements, and liabilities and indemnities.
- Crucially, there should be a comprehensive provision to deal with incident and breach escalation, assistance to remediate, and notification obligations.
- Where applicable, consent clauses should be refined in order to take advantage of the updated consent framework, so as to ensure better protection of the operational and/or commercial interests of the business.
- Insofar as this is applicable, parties should also provide for relevant mechanisms for any portability request handling between themselves.
- Businesses can consider entering into appropriate addenda for any existing contracts, as well as standard template agreements for future adoption.
(C) Operational steps:
- On portability, it would be helpful for businesses to engage with relevant stakeholders and discuss an action plan that addresses any necessary technical arrangements and the business’s operational compliance early.
- It is also useful to conduct training sessions to familiarize employees with any updated policies and the incident response plan, and to run cybersecurity tabletop simulations and data breach exercises to test that employees can apply them under pressure.
- With remote working as the new “normal,” it is especially critical that employees know what to do if they encounter a data incident. Given the 3-calendar-day notification deadline, delay or inaction on the part of a single employee could lead to serious repercussions for the entire organization.
Reed Smith can help you navigate the requirements to comply with the new law, and to address risks of incurring a hefty fine.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2020-435