Singapore set to introduce mandatory breach notification under data protection laws

Singapore
This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.

On 5 October 2020, the Personal Data Protection (Amendment) Bill (Bill) was introduced in the Singapore Parliament by the Minister for Communications and Information. A public consultation was conducted by the Ministry of Communications and Information and the Personal Data Protection Commission (PDPC) earlier this year for the draft Bill.

The Bill proposes the following key amendments to the Personal Data Protection Act 2012 (PDPA):

  1. An increase in the cap on financial penalties

The current maximum financial penalty that can be imposed for a breach of the provisions of the PDPA is S$1 million. Under the proposed amendments, the maximum financial penalty will be raised to the higher of (i) 10% of the offending organisation’s annual turnover in Singapore, where its gross annual turnover in Singapore exceeds S$10 million, and (ii) S$1 million.

  2. Mandatory data breach notification requirement

The PDPC currently recommends that organisations make voluntary notifications to the PDPC and affected individuals where a data breach occurs. However, there is presently no mandatory data breach notification requirement under the PDPA.

The Bill proposes to require an organisation to notify the PDPC and the affected individuals of a data breach if the breach results in, or is likely to result in, significant harm to the affected individuals, with some exceptions. The Bill also proposes to make it mandatory for an organisation to notify the PDPC if the scale of the breach is significant.

Under the proposed amendments, where an organisation has reason to believe that a data breach has occurred, it must assess, in a reasonable and expeditious manner, whether the breach is a notifiable data breach. Where an organisation assesses that a data breach is a notifiable data breach, it must notify the PDPC within 3 calendar days after it has made that assessment. In addition, where the breach results in, or is likely to result in, significant harm to the affected individuals, the organisation must notify those individuals on or after notifying the PDPC, in a manner that is reasonable in the circumstances. This closely follows the model in the Australian Privacy Act.

  3. Expansion of “deemed consent”

In order to facilitate the use and processing of personal data for reasonable business purposes, the Bill proposes to expand the scope of “deemed consent” under the PDPA to include circumstances:

  1. where the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract; or
  2. where reasonable steps are taken to notify an individual of the purpose of the intended collection, use or disclosure of personal data (which must not be likely to have an adverse effect on the individual) and the individual is given a reasonable opportunity to opt out of the organisation’s proposed collection, use or disclosure of personal data. This ground cannot be relied on for the collection, use or disclosure of personal data for direct marketing.

  4. New exceptions to consent for “legitimate interest” and “business improvement”

The Bill proposes to introduce several new exceptions which allow an organisation to collect, use or disclose personal data without obtaining consent from the individual, including:

  1. where the collection, use or disclosure is in the legitimate interests of the organisation or another person, and those legitimate interests outweigh any adverse effect on the individual; or
  2. where the collection, use or disclosure is for business improvement purposes (such as improving or enhancing any goods or services provided or any methods or processes, or learning about and understanding the behaviour and preferences of the individual in relation to the goods or services provided).

The above exceptions cannot be relied on for the collection, use or disclosure of personal data for direct marketing.

The introduction of these exceptions will align the PDPA more closely with the GDPR and will help businesses that are currently unable to rely on equivalent exceptions in Singapore.

  5. Introduction of right to data portability

Under the proposed amendments, organisations will be generally required to give effect to an individual’s request for the transmission of their data to another organisation where:

  1. the receiving organisation is formed or recognised under the law of Singapore or a prescribed foreign jurisdiction, or is resident or has an office or a place of business in Singapore or a prescribed jurisdiction;
  2. the applicable data is in electronic form and was collected or created by the porting organisation within the prescribed period before the date of the data porting request; and
  3. the porting organisation has an ongoing relationship with the requesting individual at the time it receives the data porting request.

Here again the amendment appears to be aimed at aligning the PDPA with the GDPR and providing additional rights to individuals.

  6. Tightening anti-spam laws

The Bill proposes to enhance the Do Not Call provisions under the PDPA by prohibiting the sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software. In addition, the Bill proposes to introduce tiered financial penalty caps for breaches of the Do Not Call provisions of the PDPA, namely (i) in the case of an individual, a financial penalty of up to S$200,000 may be imposed; and (ii) in any other case, a financial penalty of up to S$1 million may be imposed, save that a penalty of up to 5% of an offending organisation’s annual turnover in Singapore may be imposed for the use of dictionary attacks or address harvesting software, where the annual turnover exceeds S$20 million.

The Spam Control Act will also be amended to cover unsolicited marketing text messages sent to instant messaging accounts in bulk.

The amendments to the PDPA will be debated at the second reading of the Bill in Parliament, which will take place on 2 November 2020. If passed, the Bill may come into force before the end of 2020.

If you would like to be kept updated on or have any queries in relation to the Personal Data Protection (Amendment) Bill, please do not hesitate to approach the key contacts listed below.