2. Compulsory data breach reporting to the Personal Data Protection Commission (Commission) and affected individuals

Organisations that encounter a data breach must notify the Commission and affected individuals in certain specified cases.

A ‘data breach’ is defined broadly as any unauthorised access of or other, similar risk to personal data; or the loss of any storage medium or device on which personal data is stored in circumstances where unauthorised access of or other, similar risk to the personal data is likely to occur. Hence, a data breach could encompass various incidents, including:

• cyberattacks;
• incidents caused by human error; or
• incidents arising from computer system errors.

A data breach is notifiable if it:

• is likely to result in significant harm to any affected individual (for instance, where the breach affects a certain category of personal data which is to be specified in further regulations); or
• is of a significant scale (i.e., affecting a prescribed minimum number of individuals).

Future regulations will set out the categories of personal data which, if compromised, will be considered likely to result in significant harm to the individuals affected.

Where an organisation has reason to believe that a data breach affecting personal data in its possession or control has occurred, it must conduct an assessment of whether the breach is notifiable, in a reasonable and expeditious manner. The timeframe for reporting to the Commission is within three calendar days from the day an organisation determines that a breach is notifiable. The timeframe for notifying affected individuals is without undue delay. Hence, from a practical standpoint, an organisation should generally report a notifiable breach to the Commission first (i.e., before notifying the individuals), or notify both the Commission and the individuals at the same time, whichever is appropriate.

The exceptions to notifying affected individuals are: (a) where remedial actions have been taken; or (b) where the personal data is subject to technological protection measures (e.g., encryption), such that the breach is unlikely to result in significant harm to the affected individuals.

Data intermediaries must notify, without undue delay, the organisation on whose behalf they are processing personal data of any suspected data breach which affects that personal data.

What you should be doing now: You should have a robust data incident response plan in place. Even if your organisation has a global policy or one for related entities outside of Singapore, this should be localised to comply with the specific requirements under the PDPA. Having a data incident response plan will also improve your chances of a voluntary statutory undertaking being accepted by the Commission in lieu of its carrying out an investigation into your organisation. See ‘Voluntary statutory undertaking’ below for more details.

3. Expanded rules on deemed consent

Consent to the processing of personal data will be deemed to have been obtained in either of the following two circumstances:

(a) Contractual necessity: where the processing of personal data is reasonably necessary to perform a contract; or

(b) Notification and opt-out: where reasonable steps have been taken to notify individuals of the purpose of the data processing and they are given a reasonable period of time to opt out. In this instance, the organisation must carry out a risk and impact assessment to determine that processing is unlikely to have an adverse effect on the individuals. The notification and opt-out ground cannot be relied on for direct marketing. Further, as deemed consent is not an exception to consent, individuals still retain the right to withdraw their consent subsequently.

4. New exceptions to consent

In addition, the following three new exceptions to consent have been introduced:

(a) Legitimate interests: This exception applies where the legitimate interests of the organisation and the benefit to the public (or any section thereof) together outweigh any adverse effect on the affected individual. To rely on this exception, organisations must conduct a risk and impact assessment, and disclose their reliance on this exception (e.g., in an external-facing policy or agreement). Examples include where data is processed for the purposes of detecting or preventing illegal activities (e.g., fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services. However, the exception cannot be relied on to carry out direct marketing without consent.

(b) under Business improvements: This exception applies where organisations need to know more about their customers, including prospective customers, in order to carry out operational efficiency and service improvements, or develop or enhance products/services. This exception also applies to groups of companies, including subsidiaries within an organisation. To rely on this exception, the following conditions must be met:

• The purpose cannot reasonably be achieved without personal data in an individually identifiable form.
• A reasonable person would consider the purpose to be appropriate.
• The personal data disclosed must relate to an individual who is a customer of both the disclosing and collecting organisation, if the purpose of such sharing is to learn and understand the behaviour and preferences of the customer, or to identify goods or services that may be suitable for the customer.
• This exception must not be relied on to collect, use or disclose personal data for the purpose of sending direct marketing messages.
• For intra-group sharing of the data, the relevant group entities must be bound by any contract or binding corporate rules requiring the recipient of the data to implement and maintain appropriate safeguards for the data.

(c) Research: To rely on this exception, the use of personal data:

• Must have a clear public benefit;

• In an individually identifiable form must be necessary to reasonably accomplish the research purpose;
• Must not have an adverse effect on individuals; and
• Must not be published in a form that identifies any individual;

This exception might apply to institutes carrying out scientific research and development, or arts and social science research, or to market research aimed at understanding potential customer segments.

In these circumstances, any disclosure of personal data will require proof (in addition to the above-listed conditions) that it is impracticable to obtain consent.

What you should be doing now: You should review your relevant policies, agreements, processes and practices to assess if your existing reliance on consent should be revised or updated, in order to take advantage of the updated consent framework.

5. Tighter rules on telemarketing and spam control

The ‘do not call’ (DNC) provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.

Third party checkers will be required to communicate accurate DNC register results to the organisations on behalf of which they are checking the DNC register, and the checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the PDPA, as opposed to being enforced as criminal offences. Failure to comply with the DNC provisions can attract a financial penalty of up to: (a) in the case of an individual, SGD 200,000; or (c) in any other case, SGD 1 million, save that a penalty of up to 5 per cent of their AGT in Singapore may be imposed for the use of dictionary attacks or address harvesting software, where that AGT exceeds SGD 20 million.

The Spam Control Act will be updated to cover the bulk sending of commercial text messages to instant messaging accounts.

What you should be doing now: If you engage in telemarketing or the bulk sending of marketing emails, you will need to comply with these updated requirements, or risk being subject to a financial penalty by the Commission.

6. A new data portability obligation

The Bill introduces a new data portability right for individuals, giving them the ability to request the transmission of their data to another service provider.

An organisation’s portability obligation will only apply to:

• User-provided data and user activity data held in electronic form, including business contact information. This data may include third party personal data if the request is made in the requesting individual’s personal or domestic capacity.
• Requesting individuals with an existing, direct relationship with the organisation.
• Receiving organisations with a presence in Singapore. However, data portability may subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.

The Commission will work with industry and sector regulators to establish and set out further requirements in subsequent regulations, including:

• A ‘whitelist’ of data categories to which portability applies.
• The technical and procedural details to ensure the correct data is transmitted safely to the intended receiving organisation, and in a usable format.Any relevant data porting request models. Consumers can either make the data porting request directly to the porting organisation (push model) or through the receiving organisation (pull model). Data porting can also take place between two organisations or through an intermediary.
• Safeguards for individuals, tailored to the risks associated with the dataset under the whitelist. This could include cooling-off periods for certain datasets, to provide time for a consumer to change their mind and withdraw a porting request, and the establishment of a blacklist of organisations that porting organisations may justifiably refuse to port data to.

Exceptions to the data portability obligation are be similar to those for the access obligation, including:

• Opinion data kept solely for an evaluative purpose;
• Personal data which, if disclosed, would reveal confidential commercial information that could reasonably harm the competitive position of the organisation;
• Derived personal data (i.e. personal data that is derived by an organisation in the course of business from other personal data about an individual in the organisation’s possession or control, but excluding personal data derived using any prescribed means or method, such as mathematical averaging and summation);
• Where the burden or expense of transmitting the data is unreasonable to the porting organisation or disproportionate to the individual’s interests;
• Where transmitting the data will unreasonably interfere with the operations of the porting organisation due to the repetitious or systematic nature of the porting request; or

• The request is trivial, or frivolous or vexatious or relates to data that does not exist or cannot be found.

Personal data that is obtained by an organisation in the course of business from other data about the individual or another individual in its possession or control, other than data obtained using a simple mathematical function, will be excluded from the portability obligation.

Any refusal to port a request must be notified to the individual concerned within a reasonable period of time, together with the reasons for the refusal. The Commission will have the power to review refusals and any fees for the porting of data.

What you should be doing now: There will be a sunrise period for organisations to comply with the data portability obligation. You should continue to monitor developments, including future regulations which lay out technical aspects, procedures and other relevant details.

7. Other changes to the PDPA

Other changes proposed in the Bill include:

• Accountability obligation: An express mention of “accountability” in the Bill, indicating that organisations will be expected to demonstrate compliance.
• Organisations acting on behalf of public agencies: Organisations acting on behalf of public agencies will no longer be exempt from the Bill’s provisions.
• Individual offences: New offences to hold individuals accountable for egregious mishandling of personal data on behalf of an organisation or public agency, namely: (a) any unauthorised disclosure of personal data that is carried out knowingly or recklessly; (b) any unauthorised use of personal data that is carried out knowingly or recklessly and results in any person’s wrongful gain or loss; and (c) any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly. This does not include public officers, who are subject to the Public Sector (Governance) Act 2018. It will be an offence for a person to fail to: (i) comply with an order to appear before the Commission or an inspector of the Commission; (ii) provide a statement in relation to any investigation; or (iii) produce any document specified in a written notice.
• Voluntary statutory undertaking: The Commission has discretion to suspend, discontinue or refuse to conduct an investigation into a matter where it accepts a voluntary undertaking from an organisation. Such an undertaking may include a commitment to take or refrain from taking certain actions within a specified period of time, and to publicise such undertaking. The Commission may vary the terms of such undertaking and to require additional undertakings where appropriate. Any failure to comply with a voluntary undertaking may give rise to a direction by the Commission.
• Mediation: The Commission will have the power to approve mediation schemes, and direct complainants to resolve data protection disputes via mediation, without the need to secure the consent of both parties.
• Preservation of data for access or portability: Organisations will be required to preserve personal data requested under an access or porting request for a prescribed period after rejection of the request, or until the individual has exhausted their right to apply to the Commission for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court, or Court of Appeal, whichever is later.
• Business asset transactions: The scope of the business asset transaction exception in the PDPA will be expanded to include the personal data of independent contractors, in addition to that of employees, customers, directors, officers, and shareholders of the organisation. The exception will apply to transactions involving the sale and purchase of an interest in an organisation, whether the interest is in a party to the transaction itself, or of another organisation held by a party to the transaction. “Interest” includes a share in a corporation. The exception also applies to: (a) amalgamations of corporations with one or more related corporations; or (b) the transfer or disposal of any of the business or assets of a corporation to a related corporation.
• Factors for determining financial penalty: The Commission will have regard to and give such weight as it considers appropriate to the following matters: (a) the nature, gravity and duration of any non-compliance; (b) the type and nature of personal data affected; (c) whether the organisation or person gained any financial benefit; (d) whether the organisation took any mitigating action and its timeliness and effectiveness; (e) whether adequate and appropriate compliance measures were implemented; (f) whether the organisation had previously failed to comply with the PDPA; (g) the compliance with any direction given by the Commission in relation to remedying or mitigating the effect of any contravention; (h) whether the penalty is proportionate and effective, having regard to achieving compliance and deterring contraventions; (i) the likely impact of the imposition of the penalty on the organisation, including its ability to continue its usual activities; and (j) any other relevant matter.

Reed Smith can help you navigate the requirements to ensure you comply with the new law, and to address the risk of incurring a hefty fine.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

Client Alert 2020-541