Singapore's Personal Data Protection Commission (PDPC) and the Ministry of Communications and Information (MCI) are conducting a public consultation on significant proposed amendments to the Personal Data Protection Act (PDPA) and the Spam Control Act (SCA), taking into account the feedback received in three previous public consultations.
To keep pace with a fast-moving technological and business landscape, the proposed amendments would (i) introduce further obligations, restrictions and penalties on organisations, such as a new mandatory breach notification requirement, a new data portability obligation, further restrictions on unsolicited messages and greater PDPC enforcement powers, and at the same time (ii) give organisations greater scope to collect, use and disclose personal data, for example by introducing new exceptions for legitimate interests and business improvement and by expanding the concept of "deemed consent".
Some of the proposed amendments have been covered in previous consultations, but others have not. The latter include amendments arising from the recommendations of the Public Sector Data Security Review Committee, which may affect parties handling government data and would impose penalties (potential fines and/or imprisonment) on individuals (including employees) involved in the egregious mishandling of personal data.
The PDPC would also gain the power to impose financial penalties of up to 10% of an organisation's annual gross turnover in Singapore, where that amount exceeds the current cap of SGD 1 million.
Organisations are encouraged to provide comments on the proposed amendments by 5pm on 28 May 2020. Please reach out to us should you require any clarifications or require assistance to provide feedback on the consultation.
Given the scope of the proposed changes, there is likely to be something for every organisation to consider in this consultation.
Accountability and Enforcement
Of key consideration to all organisations should be the enhancements to accountability, which place greater emphasis on organisations (and individuals) being accountable for their personal data practices. Not only must the PDPC be notified of significant data breaches, but financial penalties have (in a GDPR-like manner) been tied to revenue, giving the PDPC both greater visibility to take action and the power to impose higher fines than before. Employees who act in contravention of an employer's policies and practices, or outside the scope of their employment or authorisation, run the risk of personal liability that may include fines and imprisonment.
This is likely to change the calculus for organisations in respect of their exposure under the PDPA. Organisations are encouraged to review their internal policies and processes to plug gaps and to improve internal governance protocols and oversight, especially in relation to the management of data breaches. (Please refer to our update on the active enforcement framework for more information.) For some organisations, this may require a shift in mindset and attitudes towards how the organisation, and its personnel, manage personal data.
Parties handling personal data on behalf of a public agency will no longer have the benefit of exclusion from the main provisions of the PDPA.
Consent and Data Innovation
The enhanced consent regime and data innovation provisions are intended to facilitate innovation and take into account other wider public or systemic benefits. This may change the basis upon which companies justify the processing of personal data under the PDPA.
Organisations may find themselves less reliant on express consent to justify the secondary use of personal data, especially for product development and customer insights. There may be other means of justifying the processing of personal data where organisations have no direct avenue to obtain express consent from the individual.
In-house counsel advising product teams may find these provisions useful when providing guidance to internal business units, and may wish to revisit existing guidance in light of these developments.
Spam Control and DNC
Companies sending marketing collateral via instant messaging services will need to ensure that their marketing campaigns comply with the labelling and opt-out requirements under the Spam Control Act.
Third-party service providers that check the DNC registry on behalf of another organisation will become directly liable for the accuracy of the DNC check results they communicate.
Data Portability
The data portability requirement is of less immediate concern, but we encourage organisations to watch this space. While the PDPA will be amended to enable data portability, the requirement itself will only take effect, with further clarifications, through subsequent regulations.
The proposed amendments relate to four key areas and are summarised below:
Strengthening the Accountability of Organisations
The MCI/PDPC proposes to insert an explicit reference to accountability in Part III of the PDPA. To give effect to accountability, a new mandatory data breach notification requirement will be introduced: organisations will be required to notify the PDPC of any data breach that results in, or is likely to result in, significant harm to the individuals to whom the affected personal data relates ("affected individuals"), or that is of a significant scale. Organisations will also be required to notify affected individuals of any data breach that results in, or is likely to result in, significant harm to them. Data intermediaries will be required to notify the organisation on whose behalf they process personal data, without undue delay, where they have reason to believe that a data breach has occurred in relation to that personal data. The threshold of 500 affected individuals for "a significant scale" is retained from the previous consultation. The assessment period of up to 30 days is not included in the proposed amendments, though it is referred to in the existing Guide to Managing Data Breaches; at a minimum, organisations will have to show that they acted in a "reasonable and expeditious manner".
To further enhance the accountability of organisations: (i) organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data will no longer be excluded from the data protection obligations of the PDPA; and (ii) the MCI/PDPC will introduce new offences under the PDPA to hold individuals accountable for the egregious mishandling of personal data (namely the knowing or reckless unauthorised disclosure of personal data, unauthorised use of personal data for wrongful gain or to cause wrongful loss, and unauthorised re-identification of anonymised data).
Ensuring Meaningful Consent
The MCI/PDPC seeks to ensure meaningful consent by expanding the scope of deemed consent to situations where: (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) the organisation has notified the individual of the purpose of the intended collection, use or disclosure, and the individual was given a reasonable opportunity to opt out and has not done so. In the latter case, organisations must assess and ascertain that the intended collection, use or disclosure is not likely to have an adverse effect on the individual, and this ground may not be relied on for direct marketing.
Further, the MCI/PDPC also seeks to introduce two new exceptions to the consent requirement.
First, organisations may collect, use or disclose personal data without the individual's consent where this is in the legitimate interests of the organisation and the benefit to the public outweighs any adverse effect on the individual, e.g., to prevent illegal activities. Second, organisations may collect, use or disclose personal data without the individual's consent for business improvement purposes, such as efficiency and service improvements and knowing the organisation's customers.
Lastly, in relation to the existing research exception, under which organisations may collect, use or disclose personal data without the individual's consent for research purposes, the MCI/PDPC seeks to introduce accountability requirements, namely that: (i) the use of the personal data or the results of the research will not adversely affect the individual; and (ii) the results of the research will not be published in a form that identifies any individual.
Improving Customer Autonomy
The MCI/PDPC is proposing to introduce a Data Portability Obligation to provide consumers greater autonomy over their personal data, allowing individuals to request an organisation to transmit copies of their personal data to other organisations. This is in line with similar provisions in the EU, California and Australia.
However, to prevent the compliance burden from becoming too great, the Data Portability Obligation will be scoped to data that is: (i) user-provided; (ii) requested by an individual who has an existing direct relationship with the organisation; and (iii) to be ported to a receiving organisation with a presence in Singapore. It is highlighted that this may, in certain situations, include the personal data of third parties.
The Data Portability Obligation will not come into effect immediately. It will take effect only with the issuance of new regulations, which will cover: (i) a "whitelist" of data categories to which the obligation applies; (ii) technical and process details; (iii) the relevant data porting request models; and (iv) safeguards for individuals. Although not specified in the proposed amendments, the previous consultation paper envisaged that an organisation should port the data within 7 calendar days of receiving the individual's request, or within such other period as may be specified.
The MCI/PDPC is also proposing exceptions to the Data Portability Obligation, mirroring the current exceptions to the Access Obligation (set out in the Fifth Schedule of the PDPA). Data derived by an organisation in the course of its business ("derived personal data"), data whose porting would be contrary to the national interest, and data whose porting may threaten or harm the requesting individual will all be excluded from porting.
Do Not Call Registry/Spam Control Provisions
Lastly, the MCI/PDPC is also proposing to amend the DNC Provisions and the Spam Control Provisions to improve customer autonomy in relation to unsolicited commercial messages. These changes will extend the coverage of the provisions to messages sent to instant messaging accounts, and will introduce obligations and liability for third-party checkers.
Strengthening the PDPC's Enforcement Powers
PDPC as Enforcer
The MCI/PDPC proposes to allow the PDPC to enforce the DNC Provisions under the same administrative regime as the data protection provisions, empowering the PDPC to issue directions for infringements instead of relying on criminal prosecution.
The MCI/PDPC also intends to increase the maximum financial penalty cap for data breaches under the PDPA, to the higher of (i) 10% of an organisation's annual gross turnover, or (ii) SGD 1 million, to serve as a stronger deterrent.
It is also proposing to introduce a requirement to comply with a request for attendance before the PDPC or an inspector, and to make it an offence if the person or organisation fails to comply. Currently, the PDPC has no recourse against non-compliance.
The MCI/PDPC intends to introduce statutory undertakings (e.g., an organisation undertaking to implement a data protection management plan) to allow the regulator to apply more flexible and individually tailored approaches to enforcement. It is hoped that this, together with mandatory breach notification, will encourage organisations to adopt accountable practices.
Lastly, the MCI/PDPC plans to amend the PDPA to provide the PDPC the power to (i) establish/approve one or more mediation schemes, and (ii) direct complainants to resolve disputes via mediation.
Other proposed amendments
Individuals may request access to their personal data that is in an organisation's possession or under its control. However, there is currently no obligation on organisations to preserve a copy of an individual's personal data where the organisation denies such a request. To prevent situations in which requesting individuals are unable to obtain the requested personal data when seeking recourse against the rejection of their request, the MCI/PDPC will require organisations to preserve personal data that is the subject of an access or porting request.
The MCI/PDPC is planning to narrow the current prohibitions on providing access in relation to user-provided data and user activity data, permitting organisations to provide access to such personal data even where it could (i) reveal personal data about another individual; or (ii) reveal the identity of an individual who has provided personal data about another individual, where that individual does not consent to the disclosure of his or her identity.
In line with the changes discussed above under Improving Customer Autonomy, the MCI/PDPC also intends to exempt "derived personal data" from the Correction Obligation (in addition to the exception from the Data Portability Obligation). Organisations will, however, still be required to provide individuals with access to derived personal data.
Finally, the MCI/PDPC is streamlining and consolidating the exceptions to the Consent Obligation, simplifying the provisions on how organisations may collect, use and disclose personal data without consent.
For more information, please refer to the Public Consultation Document and the Personal Data Protection (Amendment) Bill 2020.
For your reference, our earlier updates on the related matters consolidated in this consultation are listed in Annex 1. While the general direction of the matters consulted on previously remains the same, there may be some changes in the present consultation.
Annex 1
Singapore: New PDPC Guidelines on Cloud Services and Data Access Requests: https://www.bakermckenzie.com/en/insight/publications/2019/11/new-pdpc-guidelines
Singapore: Guide on Active Enforcement Released: https://www.bakermckenzie.com/en/insight/publications/2019/06/singapore-pdpc-guide-released
PDPC Refreshes Guide on Managing Data Breaches in Anticipation of a Proposed Mandatory Breach Notification Requirement: https://www.bakermckenzie.com/en/insight/publications/2019/06/pdpc-refreshes-guide-on-managing-data
Public Consultation on Proposed Data Portability and Data Innovation Provisions: https://www.bakermckenzie.com/en/insight/publications/2019/05/public-consultation-on-proposed-data-portability
Consultation on Singapore Model AI Governance Framework and adoption of FEAT Principles: https://www.bakermckenzie.com/en/insight/publications/2019/02/consultation-on-singapore-model-ai