Major Amendments To Singapore’s Data Protection Law Passed – 4 Key Takeaways For Your Organisation.

Increase in maximum financial penalty – the Bill increases the maximum financial penalty for data breaches under the PDPA to (i) up to 10% of an organisation’s annual gross turnover in Singapore; or (ii) S$1 million, whichever is higher. This moves Singapore closer to data privacy regimes like the EU GDPR however the turnover is limited to domestic turnover, rather than global turnover.

New offences for individuals – the Bill introduces a fine of up to $5,000 or to imprisonment of up to 2 years (or both) to hold individuals accountable for knowingly or recklessly disclosing, using or re-identifying personal data when they are unauthorised to do so. Such individuals could include employees of an organization or public agency.

New grounds for processing data without consent:

Legitimate interests exception – this exception will allow organisations to collect, use or disclose personal data without obtaining the consent of the individual where it is in the legitimate interests of the organisation and the benefit to the public is greater than any adverse effect on the individual. PDPC provides some examples where this could apply, including for detecting or preventing illegal activities (e.g. fraud and money laundering) or threats to physical safety and security, ensuring IT and network security and preventing misuse of services. The Bill requires organisations to conduct a specific assessment to determine whether this exception would apply in a particular situation and also to specifically notify the individual of their reliance on this exception.

Business improvement exception – this exception will allow organisations to use personal data without obtaining the consent of the individual for the following business improvement purposes: (i) to improve or enhance any goods or services provided by the organisation, or develop new goods or services; (b) to improve or enhance the methods or processes, or develop new methods or processes, for the operations of the organisation; (c) to learn about and understand the behaviour and preferences of the individual or any other customer of the organisation in relation to the goods or services provided by the organisation; (d) to identify goods or services provided by the organisation that may be suitable for the customers of the organisation other than individual customers. Organisations will be able to rely on this exception only if the business purpose cannot be achieved without the use of personal data in an individually identifiable form and such use does not have any adverse effect on the individual.

Expansion of deemed consent – the Bill expands the existing concept of “deemed consent” under the PDPA. Deemed consent will now include:

Deemed consent by contractual necessity – where an individual has provided personal data to an organisation with the view to entering into a contract with that organisation, consent is deemed to have been given to the organisation for the disclosure to and use of the personal data by a third-party, and that third-party’s collection and use of the personal data, where it is reasonably necessary for the conclusion or performance of a contract or transaction between the individual and the organisation.

Deemed consent by notification – consent may be deemed to be given if (a) the organisation notifies the individual of the purpose of the intended collection, use or disclosure of his/her personal data, with a reasonable period for the individual to opt-out of the collection, use or disclosure of his/ her personal data for that purpose; and (b) the individual did not opt-out within that period. In order to rely on this deemed consent, organisations must conduct an assessment to determine that the intended collection, use or disclosure of personal data is not likely to have any adverse effect on the individual and satisfy other requirements to be prescribed in the regulations.

Data portability obligation

An organisation that is prescribed in the regulations or belongs to a class of organizations that is prescribed in the regulations (a porting organization), will now be required to transmit a requesting individual’s personal data to another organisation that has a presence in Singapore.

The obligation will apply to personal data in the possession or under the control of the porting organisation if such personal data belongs to a class of personal data that is prescribed in the regulations and if the requesting individual has an ongoing relationship with the porting organisation. The data portability rule does not apply to certain types of data listed in a schedule to the Bill, including “derived personal data” which means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual. In addition, an organization is not required to port data if (a) it will unreasonably interfere with the operations of the porting organisation because of the repetitious or systematic nature of the data porting request, (b) the burden or expense of transmitting the applicable data is unreasonable to the porting organisation or disproportionate to the individual’s interests, (c) the data porting request relates to applicable data that does not exist or cannot be found or is trivial, or (d) if the data porting request is frivolous or vexatious. The technical and process details of porting data are yet to be provided in the regulations, which the consultation paper has indicated could include data formats and transfer protocol.

4 Key Takeaways for Organisations

Significant data breaches will need to be notified Breaches of the PDPA will carry higher financial to the PDPC and the affected individuals penalties for organisations (up to 10% of domestic turnover) and possible offences for its employees

Please click the image to enlarge.