This article is produced by CMS Holborn Asia, a Formal Law Alliance between CMS Singapore and Holborn Law LLC.
On 5 October 2020, the Personal Data Protection (Amendment) Bill (Bill) was introduced in the Singapore Parliament by the Minister for Communications and Information. A public consultation was conducted by the Ministry of Communications and Information and the Personal Data Protection Commission (PDPC) earlier this year for the draft Bill.
The Bill proposes the following key amendments to the Personal Data Protection Act 2012 (PDPA):
The current maximum financial penalty which can be imposed for a breach of the provisions of the PDPA is S$1 million. Under the proposed amendments, the maximum financial penalty will be raised to 10% of the offending organisation’s annual turnover in Singapore if its gross annual turnover in Singapore exceeds S$10 million, or S$1 million, whichever is higher.
The PDPC currently recommends organisations to make voluntary notifications to the PDPC and affected individuals where a data breach occurs. However, there is presently no mandatory data breach notification requirement under the PDPA.
The Bill proposes to require an organisation to notify the PDPC and the affected individuals of a data breach if the breach results in, or is likely to result in, significant harm to the affected individuals, with some exceptions. The Bill also proposes to make it mandatory for an organisation to notify the PDPC if the scale of the breach is significant.
Under the proposed amendments, where an organisation has reason to believe that a data breach has occurred, it must conduct an assessment of whether the data is notifiable in a reasonable and expeditious manner. Where an organisation assesses that a data breach is a notifiable data breach, it must notify the PDPC within 3 calendar days after it has made that assessment. In addition, the organisation must notify the individuals affected by a data breach that results in, or is likely to result in, significant harm to the individual on or after notifying the PDPC, in a manner that is reasonable in the circumstances. This closely follows the model in the Australian Privacy Act.
In order to facilitate the use and processing personal data for reasonable business purposes, the Bill proposes to expand the scope of “deemed consent” under the PDPA to include circumstances:
- where the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract; or
- where reasonable steps are taken to notify an individual of the purpose of the intended collection, use or disclosure of personal data (which must not be likely to have an adverse effect on the individual) and the individual is given a reasonable opportunity to opt out of the organisation’s proposed collection, use or disclosure of personal data. This ground cannot be relied on for the collection, use or disclosure of personal data for direct marketing.
The Bill proposes to introduce several new exceptions which allow an organisation to collect, use or disclose personal without obtaining consent from the individual, including:
- where the collection, use or disclosure is in the legitimate interests of the organisation or another person, and the legitimate interests is greater than any adverse effect on the individual; or
- where the collection, use or disclosure is for business improvement purposes (such as improving or enhancing any goods or services provided or any methods or processes, learning about and understanding the behaviour and preferences of the individual in relation to the goods or services provided).
The above exceptions cannot be relied on for the collection, use or disclosure of personal data for direct marketing.
The introduction of these exemptions will align the PDPA closer to the GDPR and will help businesses who are currently unable to rely on these exemptions in Singapore.
Under the proposed amendments, organisations will be generally required to give effect to an individual’s request for the transmission of their data to another organisation where:
- the receiving organisation is formed or recognised under the law of Singapore or a prescribed foreign jurisdiction, or is resident or has an office or a place of business in Singapore or a prescribed jurisdiction;
- the applicable data is in electronic form and was collected or created by the porting organisation within the prescribed period before the date of the data porting request; and
- the porting organisation has an ongoing relationship with the requesting individual at the time it receives the data porting request.
Here again the amendment appears to be aimed at aligning the PDPA with the GDPR and providing additional rights to individuals.
The amendments to the PDPA will be debated at the second reading of the Bill in Parliament, which will take place on 2 November 2020. If passed, the Bill may come into force before the end of 2020. You may find a copy of the Bill here.
If you would like to be kept updated on or have any queries in relation to the Personal Data Protection (Amendment) Bill, please do not hesitate to approach the key contacts listed below.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.