Singapore's Personal Data Protection Regime Enhanced
The Background: On February 1, 2021, Singapore's Personal Data Protection (Amendment) Act 2020 ("PDPAA") came into effect.
The Situation: The PDPAA is the first comprehensive update to Singapore's Personal Data Protection Act 2012 ("PDPA") since its enactment in 2012 and is aimed at reflecting global developments in individual privacy protection while enabling businesses to use data to grow and innovate in the digital economy.
Looking Ahead: Organisations should be aware of the changes that have been made to the PDPA and review and update their policies and procedures (both internal- and external-facing) to comply with the new obligations and the ways in which they utilise data collected under the PDPA.
Key amendments introduced under the PDPAA include:
CLARIFYING "CONSENT" REQUIREMENTS
One of the key tenets of the PDPA is that of consent. Generally, organisations which wish to collect, use and disclose ("Use") personal data for any purpose must first notify the individual of such purpose and obtain the individual's consent to such Use. Consent for the purposes of the PDPA can be express or deemed depending on the circumstances. There are also a number of exceptions. In public consultation, it was recognised that consent protects individual consumers. However, concerns were raised by businesses that relying heavily on high requirements for consent, such as under the General Data Protection Regulation ("GDPR"), is unwieldy and may lead to "consent fatigue". The PDPAA clarifies the consent requirements by amending the deemed consent and exception provisions, while introducing greater accountability on an organisation relying on such provisions.
The PDPAA introduces two new situations of "deemed consent":
Contractual Necessity. Where an individual provides personal data to an organisation in connection with the entry into a contract, the individual will be deemed to have consented to the Use of such data by the organisation to a third party and by such third party to another person, in each case, as reasonably necessary for the conclusion or performance of the contract. Under the GDPR, processing for the "performance of a contract" with an individual is considered lawful as well―not by way of "deemed consent", though, rather by way of a statutory justification.
Notification. Where an organisation, before Using an individual's personal data:
- Assesses that the proposed Use of personal data is not likely to have an adverse effect on the individual or identifies any such adverse effect and implements reasonable measures to eliminate or mitigate such effect or reduce the likelihood of its occurrence;
- Takes reasonable steps to notify the individual of the organisation's intention to Use the personal data and the purpose(s) of such Use; and
- Provides a reasonable period and manner for the individual to notify the organisation that he or she does not consent, and the individual does not make such notification, the individual will be deemed to have consented to such Use.
This ground of "deemed consent" does not apply where the purpose for the relevant Use is the sending of a message to the relevant individual for one of the following purposes:
- Offering to supply, advertising or promoting goods, services or interests in land;
- Offering to provide, advertising or promoting business or investment opportunities; or
- Advertising or promoting suppliers/providers or prospective suppliers/providers of goods, services, interests in land or business or investment opportunities.
The assessment for the purposes of relying on this ground of "deemed consent" must specify the information prescribed in new Personal Data Protection Regulations 2021 ("Regulations 2021").
Exceptions to Consent
The PDPAA introduces two new exceptions to the consent requirement:
Legitimate Interests. Where such Use is in the legitimate interests of the organisation or another person and such interests outweigh any adverse effect on the individual. To rely on this exception, the organisation must have conducted an assessment to determine that the conditions are met, including identifying any such adverse effect and identifying and implementing reasonable measures to eliminate or mitigate, and reduce the likelihood of the occurrence of, the same. The organisation must also provide the individual with reasonable access to information about the Use of the individual's personal data in reliance on this exception. The assessment for the purposes of relying on this exception must specify the information prescribed in the Regulations 2021. This exception of "legitimate interests" shows some similarities with "legitimate interest" processing acknowledged as a statutory justification for the processing of personal data under the GDPR.
Business Improvement. Where the purpose of such Use is to improve, enhance or develop goods or services provided to or operational methods or processes, learning about the individual's behaviour and preferences in relation to goods or services provided, or identifying goods and services that may be suitable, or personalising or customising such goods and services, for the individual or another individual. Such purposes must also be those a reasonable person may consider appropriate in the circumstances and cannot be achieved without the use of personal data. In addition, for intra-group sharing of personal data, the related corporations must also be bound by contract or other agreement, or binding corporate rules, to implement and maintain appropriate safeguards of the personal data. "Business" or "service" improvement has also been acknowledged under the GDPR in certain circumstances as lawful "legitimate interest" processing.
STRENGTHENING ORGANISATIONAL ACCOUNTABILITY
Mandatory Data Breach Notification
The PDPAA introduces a new breach notification obligation. Specifically, organisations are required to assess data breaches affecting personal data in their possession or under their control, and to notify the Personal Data Protection Commission ("PDPC") and affected individuals as soon as practicable but no later than three calendar days after the organisation has determined that a notifiable data breach has occurred. This is a similarly short notification period as the 72 hours during which the GDPR requires notification of a breach. Notifiable data breaches are those that result, or are likely to result, in "significant harm" to any affected individual, or that are or are likely to be of a significant scale. Other than under the GDPR, a data breach that relates to unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is not a notifiable data breach for this purpose.
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 ("NDB Regulations"), which also came into operation on February 1, 2021, provide that a data breach will be deemed to result in significant harm to an individual if it relates to:
- Certain prescribed information relating to such individual, including, for example, such individual's full name, alias, identification number, salary or remuneration, income from goods or property sale(s), credit, debit or charge card or bank account number and information that identifies the individual as being subject to certain investigations, arrests, programme, court orders, etc.; or
- Both (i) the individual's account identifier (e.g., name or number) and (ii) the password, security code, access code, response to a security question, biometric data or other data used or required to access or use the individual's account with an organisation.
Pursuant to the NDB Regulations, a data breach will be deemed to be of a significant scale if it affects at least 500 individuals.
Where an organisation believes a notifiable data breach has occurred, it must conduct an assessment to determine if the data breach is notifiable. If the organisation in question is a data intermediary, it must notify the organisation on whose behalf it is processing the relevant data. The latter must then conduct the relevant assessment.
The notification required to be made to the PDPC by the relevant organisation and/or affected individuals must contain prescribed information as set out in the NDB Regulations.
Removing Exclusions for Agents of Government
The PDPAA removes the current exclusion of certain private sector organisations from PDPAA where they are acting on behalf of public agencies.
NEW DATA PORTABILITY OBLIGATIONS
The PDPAA entitles individuals to request that porting organisations (with whom the relevant individual has an ongoing relationship) transmit applicable data (in electronic form) about such individual to another organisation (in Singapore or in a prescribed foreign country or territory). This will allow individuals to switch to new service providers more easily, thus preventing consumer lock-in. The right to data portability existing under the GDPR has the same overall objective.
This new data portability obligation is amongst the provisions of the PDPAA that have yet to come into operation and details of its operation remain to be refined.
INTRODUCING NEW OFFENCES
Dictionary Attacks and Address-Harvesting Software
The PDPAA introduces a new prohibition against the sending of unsolicited messages to telephone numbers generated or obtained through the use of a dictionary attack or address-harvesting software. Significant financial penalties for noncompliance of up to (for individuals) S$200,000, (for persons whose annual turnover in Singapore exceeds S$20 million) 5% of its annual turnover in Singapore, and (in any other case) S$1 million, may be imposed. Any person who suffers loss or damage is also given a right of action for relief in civil proceedings in a court.
In a similar vein, the Spam Control Act (Chapter 311A of Singapore) ("SCA") will also be amended to cover electronic messages sent to instant messaging accounts (e.g., WhatsApp), subjecting such messages to the prohibitions under the SCA against the use of dictionary attacks and address-harvesting software and unsolicited commercial electronic messages sent in bulk.
Egregious Mishandling of Personal Data
The PDPAA introduces new offences for individuals who knowingly or recklessly commit any unauthorised (i) disclosure to another person, (ii) use that results in a gain for himself or another person or harm or loss to another person and/or (iii) re-identification of anonymised information, in each case, in relation to personal data in the possession or under the control of an organisation or a public agency. If convicted, an individual could be fined up to S$5,000 and/or imprisoned up to two years.
ENHANCING THE ENFORCEMENT REGIME
Voluntary Undertakings Scheme
The PDPAA introduces a new regime of voluntary undertakings. A written voluntary undertaking may be given by an organisation that has reported to or is under investigation by the PDPC for failing to comply with certain obligations under the PDPA, such as that relating to the Use, access and care of personal data, data portability and data breach notification. Such undertaking may include undertakings to take or refrain from taking specified remedial actions.
An undertaking may be accepted by the PDPC if the PDPC is of the view that an undertaking achieves a similar or better enforcement outcome more effectively and efficiently than a full investigation or other enforcement action such as a financial penalty. If accepted, the PDPC may suspend or discontinue its investigation(s) in relation to the relevant organisation. The PDPC may also publish the voluntary undertaking or a summary on the PDPC's website (at https://www.pdpc.gov.sg) or in such other manner as the PDPC may decide.
The PDPAA empowers the PDPC to compel individuals and organisations to resolve complaints by means of mediation if the PDPC is of the opinion that the particular complaint may be more appropriately resolved by mediation. The previous requirement for consent of the parties has been removed.
The PDPC may also establish or approve dispute resolution scheme(s) for the resolution of complaints by individuals against organisations and make relevant regulations relating to the operation of such scheme(s).
Power to Subpoena for Investigations
The PDPAA enhances the PDPC's powers of investigation to allow it to compel the attendance of relevant person(s), and the production of any document in the person's custody or control, to be examined.
Enhanced Financial Penalties
Currently, the maximum financial penalty that the PDPC may direct organisations to pay for noncompliance with the PDPAA provisions governing the collection, use and disclosure of personal data by organisations is S$1 million. Reflecting the trend of higher and revenue-based penalties in jurisdictions such as the European Union, the PDPAA increases this to the higher of (i) (in the case of an organisation whose annual turnover in Singapore exceeds S$10 million) 10% of its annual turnover in Singapore and (ii) (in any other case) S$1 million. These enhanced penalties are amongst the provisions of the PDPAA that have yet to come into operation. This cap will take effect no earlier than one year after the PDPAA comes into force and will apply only to breaches that occur after the effective date of the PDPAA.
Right of Private Action
An individual whose rights are harmed by an organisation's breach of the PDPA will now have a right to bring a private action for relief in civil court.
The PDPC has also updated its Advisory Guidelines on Key Concepts in the Personal Data Protection Act, the Do Not Call Provisions and Enforcement of Data Protection Provisions on February 1, 2021, to provide clarity on the amendments to the PDPA. Companies should refer to these updated guidelines when reviewing policies and procedures in ensuring compliance with the PDPA.
Two Key Takeaways
- The PDPAA introduces amendments to the consent requirements, including new business-friendly exceptions, data portability obligations and a mandatory data breach notification regime.
- The PDPAA also enhances the enforcement powers of the PDPC and significantly increases the financial penalty cap for data breaches up to 10% of an organization's annual turnover where such turnover exceeds $10 million or, in any other case, S$1 million.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.