2021 has been an exciting time for the data protection landscape in Singapore. Earlier this year, on 1 February, the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) (PDPA Amendments) took effect. Further amendments to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA) are expected to be made in phases. Some of these proposed changes were discussed in our previous client alerts, Upcoming changes to Singapore’s data protection law and Singapore’s amended data protection law to take effect imminently.
As we round up the year, we take stock of three key developments in the amended PDPA: (1) the Personal Data Protection Commission’s (PDPC) enforcement decisions in 2021; (2) the ‘legitimate interests’ and ‘business improvement’ exceptions to consent; and (3) dealing with data breaches.
Enforcement decisions in 2021
As of the time of writing this alert, 29 PDPC decisions have been issued in 2021. Under these decisions:
- Four organisations were given directions by the PDPC.
- Four were found to not be in breach.
- Six were given warnings.
- Fifteen were given financial penalties.
The largest financial penalty of SGD 74,000 was imposed on Commeasure for the biggest data leak in Singapore to date, affecting 5.9 million consumers. Commeasure, the website operator of RedDoorz, a hotel booking and management platform operating in the region, was penalised for failing to put in place reasonable security arrangements to prevent unauthorised access to and exfiltration of customers’ personal data hosted in a cloud database.
Interestingly, the majority of the 29 decisions published by the PDPC originated from self-reporting rather than complaints. Fourteen voluntary undertakings accepted by the PDPC were also published. These came from various organisations in different sectors, including banking, education, health and fitness, transport and non-profit.
The authors deduce that such self-reporting and voluntary undertakings stemmed primarily from the introduction of the mandatory breach notification obligation and the updated enforcement framework under the PDPA Amendments. We also foresee an upward trajectory in such trends, as organisations move towards greater accountability in line with the updated PDPA.
Legitimate interests or business improvement?
While businesses undoubtedly revelled in the introduction of the legitimate interests and business improvement exceptions to consent, there are noteworthy distinctions in their applicability.
For example, organisations relying on the legitimate interests exception have to:
- conduct an assessment to determine whether or not their legitimate interests and/or those of another person outweigh any adverse effect on the individual whose personal data is being processed;
- identify and implement measures to mitigate any such adverse effect; and
- provide the individual concerned with reasonable access to information about the processing of their personal data pursuant to the legitimate interests exception.
In contrast, organisations relying on the business improvement exception, such as for customer analysis or segmentation, must:
- prove that the processing cannot be achieved without the personal data being in an individually identifiable form, and that a reasonable person would consider such processing appropriate in the circumstances; and
- before they can share the data with a related organisation, implement contracts or binding corporate rules in order to safeguard such data.
It is pertinent to note that the EU General Data Protection Regulation’s (GDPR) legitimate interests exception[1] is one of six lawful grounds a controller may rely on to process personal data, and what might fall under such exception may not mirror the PDPA’s legitimate interests exception.[2] For instance, unlike the GDPR, the PDPA sets out specific circumstances or contexts in which legitimate interests may apply: for the purposes of evaluations, investigations, proceedings, or debt recovery.