On 14 May 2020, the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) released an online public consultation on a draft Bill proposing changes to the Personal Data Protection Act 2012 and the Spam Control Act (the draft Bill).
The tabled changes were consolidated and gathered from feedback received by the MCI and PDPC from 3 public consultations held between 2017 and 2019.
Key proposed amendments to the PDPA and SCA include:
Introduction of mandatory breach notification
- Organisations must notify the affected individuals and the PDPC of data breaches as soon as practical if:
  - the breach results in, or is likely to result in, significant harm to the affected individuals; and
  - the scale of the breach is significant (i.e. involves 500 or more individuals).
Modifying “consent” under the PDPA
- “Deemed consent” under the PDPA will be expanded to include “deemed consent by contractual necessity” and “deemed consent by notification” in order to facilitate the use and processing of personal data for reasonable business purposes.
Introducing new exceptions to consent for “legitimate interests” and “business improvement”
- Organisations will be allowed to collect, use and disclose personal data for “legitimate interests” and use personal data properly collected for “business improvement” without consent.
- This is to cater to circumstances where there are larger public or systemic benefits and where obtaining the consent of individuals may not be appropriate.
- This also aligns the law with other countries where legitimate interest is an accepted basis for data processing.
Introduction of right to data portability
- Organisations will be required to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format.
- This will enable consumers to switch to new service providers more easily and facilitate the development of new and innovative services/applications given the increased access organisations will have to data.
Tightening anti-spam laws
- The Do Not Call provisions under the PDPA will be enhanced to outlaw the sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software.
- In addition, the SCA will be amended to cover unsolicited marketing text messages sent to instant messaging accounts such as Telegram and WhatsApp, and in bulk.
Enhancing financial penalties
- The financial penalties cap will be increased under the PDPA to serve as a stronger deterrent. Under the proposed amendments, the PDPC may impose a financial penalty of up to 10% of the offending organisation’s annual turnover or S$1 million, whichever is higher.
- The stricter penalty will also be more aligned with other jurisdictions such as Australia and the European Union.
The public consultation period runs from 14 May 2020 to 28 May 2020, 5:00 PM (GMT +8). You may find the public consultation document and the procedures for the submission of feedback/comments here.