Are the upcoming amendments to the PDPA fit for purpose?

On 2 November 2020, the Singapore Parliament passed a slew of changes to the Personal Data Protection Act (PDPA) aimed at strengthening the data privacy regime.

08 January 2021

Publication

Introduction

On 2 November 2020, the Singapore Parliament passed a slew of changes to the Personal Data Protection Act (PDPA) aimed at strengthening the data privacy regime in Singapore and bringing the law into alignment with global standards. The key amendments, which are wide-ranging, are presently set out in the Personal Data Protection (Amendment) Bill. In conjunction with this, the Personal Data Protection Commission (the Commission) has published a series of Draft Advisory Guidelines, to flesh out the key provisions of the Bill.

While no timeframe has been given for the enactment of the amendments to the PDPA, we expect this to take place in early 2021 (with no transition period). The Draft Advisory Guidelines are expected to be finalised and issued by the Commission in their present form (or in a materially similar form) shortly thereafter.

In anticipation of this, we summarise the salient changes to the data privacy regime.

Executive Summary

In summary:

  1. Data breaches. New provisions will be introduced to deal with data breaches, and numerous obligations will be imposed on organisations to notify the Commission and affected individuals of "notifiable" data breaches (ie where significant harm was caused or where the breach was of a significant scale).

  2. Deemed consent. The scope of deemed consent will be extended to cover situations of contractual necessity, and where individuals have been notified of the purpose of, and given an opportunity to opt out of the collection, use and disclosure of personal data, and have not done so.

  3. New exceptions to the requirement for consent. Organisations will no longer be required to obtain consent for the collection, use and disclosure of personal data where there are legitimate interests for not doing so; for business improvement purposes; and for research purposes.

  4. Increased financial penalties. There will be increased financial penalties for breaches of the PDPA, of up to S$1 million[1] or 10% of an organisation's annual turnover in Singapore, whichever is higher.

  5. Data portability. Individuals will be able to request a porting organisation to transmit personal data about the individual to a receiving organisation, provided the personal data exists in an electronic form and there is an ongoing relationship between the individual and the porting organisation.

  6. Telemarketing and spam control. The existing rules will be strengthened to impose positive duties on senders to ensure and confirm that recipients of unsolicited messages are not on the Do Not Call Register. Organisations also cannot rely on the new exceptions to send direct and unsolicited marketing messages.

Data breaches and the need for mandatory notifications in certain circumstances

While the PDPA provides, amongst other things, statutory protection against the unauthorised collection, use and disclosure of personal data, it did not hitherto contain provisions to address data breaches. Protections are now being introduced to deal with data breaches. A data breach is defined as:

  1. the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or

  2. the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

Going forward, organisations that become aware of an actual or potential data breach (whether through self-discovery, tip-off or following a notification by a data intermediary[2]) will be required to reasonably and expeditiously assess[3] whether the data breach is "notifiable", ie a data breach which the organisation has assessed as having met either of the following criteria:

  1. Resulting in significant harm. The data breach will be considered to cause or be likely to cause "significant harm" to an individual if the personal data disclosed contains either of the following:

    • an individual's full name or full national identification number AND a combination of any of the following personal data: (i) financial information; (ii) life or health insurance information; (iii) specified medical information by a medical professional; (iv) information which leads to the identification of any vulnerable person who is the subject of an investigation or relating to court proceedings involving a child or young person; or (v) a private key or password used to authenticate or sign an electronic record or transaction; or
    • an individual's bank or other account information AND a combination of any of the following: (i) biometric data; (ii) security codes; or (iii) passwords used to gain access to the account.
  2. Is of a significant scale. This refers to a data breach involving the personal data of over 500 individuals (or, where the actual number cannot be assessed, there is reason to believe that there are at least 500 affected individuals).

In a case where the data breach involves multiple organisations, they may collaborate in assessing[4] whether the breach is notifiable. However, each has an independent and non-derogable obligation to notify the Commission based on its own conclusions following the joint assessment[5]. The organisation must also notify each affected individual[6] of the data breach unless any of the following conditions are met:

  1. remedial action was taken, making it unlikely that the data breach will result in significant harm to the affected individuals;

  2. appropriate technological protections (eg encryption or password protection) were applied beforehand, rendering the personal data inaccessible or unintelligible; or

  3. the Commission or a law enforcement agency has specifically prohibited such notification.

There is no prescribed method by which affected individuals should be notified of a data breach. Organisations should ensure that the mode of notification is appropriate and effective in reaching the affected individuals in a timely manner, and the notice is clear and easily understood. Importantly, the notification requirement does not apply where the data breach has occurred within the organisation, even if the significant harm or significant scale limbs are satisfied, since the data breach has been contained within the organisation.
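As an added illustration that is not part of the article (nor any tool of the Commission), the notifiability test and the exceptions to individual notification described above, encoded as a triage helper an incident response team might keep in its breach playbook. The category labels, field names and dates are this example's own assumptions, and the 30-day and three-day windows are taken from the article's footnotes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Personal data categories named in the "significant harm" limb (labels are assumptions)
IDENTIFIERS = {"full_name", "national_id"}
IDENTIFIER_COMPANIONS = {"financial", "life_or_health_insurance", "specified_medical",
                         "vulnerable_person_or_child_proceedings", "private_key_or_signing_password"}
ACCOUNT_INFO = {"bank_or_account_info"}
ACCOUNT_COMPANIONS = {"biometric", "security_code", "account_password"}
SIGNIFICANT_SCALE = 500                 # individuals
ASSESSMENT_WINDOW = timedelta(days=30)  # assessment should not exceed 30 days
COMMISSION_WINDOW = timedelta(days=3)   # notify the Commission within 3 calendar days of assessment

@dataclass
class Breach:
    categories: set                    # personal data categories exposed
    affected: Optional[int]            # None when the actual number cannot be assessed
    believed_at_least: int = 0         # lower bound there is reason to believe, if affected is None
    contained_internally: bool = False # breach occurred and stayed within the organisation
    remediated: bool = False           # remedial action makes significant harm unlikely
    protected: bool = False            # data was encrypted / password protected beforehand
    notification_prohibited: bool = False  # Commission or law enforcement prohibited notice
    aware_on: date = date(2021, 1, 8)  # constructed awareness date

def significant_harm(categories: set) -> bool:
    """Limb 1: an identifier AND a listed companion, or account info AND a listed companion."""
    ident = bool(categories & IDENTIFIERS) and bool(categories & IDENTIFIER_COMPANIONS)
    acct = bool(categories & ACCOUNT_INFO) and bool(categories & ACCOUNT_COMPANIONS)
    return ident or acct

def significant_scale(b: Breach) -> bool:
    """Limb 2: over 500 affected, or reason to believe at least 500 when the count is unknown."""
    if b.affected is None:
        return b.believed_at_least >= SIGNIFICANT_SCALE
    return b.affected > SIGNIFICANT_SCALE

def assess(b: Breach) -> dict:
    """Decide whether the breach is notifiable and who must be told."""
    notifiable = significant_harm(b.categories) or significant_scale(b)
    # The notification requirement does not apply where the breach stayed inside the organisation
    notify_commission = notifiable and not b.contained_internally
    # Individuals need not be told if any of the three listed conditions is met
    exempt = b.remediated or b.protected or b.notification_prohibited
    notify_individuals = notify_commission and not exempt
    return {
        "notifiable": notifiable,
        "notify_commission": notify_commission,
        "notify_individuals": notify_individuals,
        "assess_by": b.aware_on + ASSESSMENT_WINDOW,
    }

def commission_deadline(assessment_completed: date) -> date:
    """Latest date for notifying the Commission once the assessment is complete."""
    return assessment_completed + COMMISSION_WINDOW
```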

Deemed consent

It is a fundamental tenet of the PDPA that organisations are not allowed to collect, use or disclose an individual's personal data unless the individual has given express consent (or is deemed to have given consent) for the collection, use or disclosure of the personal data, or any of the statutory exceptions apply. In respect of deemed consent, presently this may be inferred if the individual voluntarily provides the personal data after being notified of the purpose for the collection, use or disclosure of the personal data, and it is reasonable to assume that the individual would voluntarily provide the personal data sought.

In the future, deemed consent for the collection, use or disclosure of personal data may also be inferred from the following:

  1. Contractual necessity. This refers to the situation where the collection, use or disclosure of personal data is reasonably necessary for the conclusion or performance of a contract. In such case, the organisation contracting with the individual may use or disclose information with its "downstream" organisations, which in turn may use or disclose information with organisations further downstream for the purpose of performing a contract (eg in a contract for the sale of goods on an e-commerce website, the retailer, e-commerce company, online payment gateway and delivery partners will be able to rely on deemed consent on the basis of contractual necessity to use and disclose a customer's personal data).

  2. Notification. This refers to the situation where individuals have been notified of the purpose for the collection, use and disclosure of personal data, and have been given a reasonable period of time to opt out (and have not done so). The individuals will be deemed to have given consent for the collection, use and disclosure of the personal data for the purpose so notified in such a case, provided organisations have taken the following steps beforehand:


So as to pre-empt any potential abuse of the deemed consent mechanism, statutory limits will be imposed and deemed consent will be held not to apply in the case of sending direct marketing messages. Express consent by opting in (eg by checking an unchecked box) will be required before an organisation will be allowed to collect, use or disclose personal data for such a purpose. Moreover, just like express consent, deemed consent may be revoked at any time provided the individual informs the organisation of the withdrawal of the consent for the collection, use or disclosure of the personal data.

New exceptions to the requirement for consent

The PDPA already sets out an extensive list of exceptions to the need to obtain consent for the collection, use and disclosure of personal data. These exceptions will be reformulated under a new set of Schedules, and new categories of exceptions to the need to obtain consent for the collection, use and disclosure of personal data will also be introduced.

The legitimate interests exception

The phrase "legitimate interests" refers generally to any lawful interest of an organisation or other person. Organisations may rely on either a list of specific legitimate interests (eg for evaluative purposes, for any investigation or proceedings, or for the recovery or payment of a debt owed) or a general exception in any other instance that meets the definition of "legitimate interests". However, given the potentially broad scope of the general exception, organisations must first assess the adverse effect which such collection, use or disclosure of personal data without consent could have on the individual, and ensure that the organisation's legitimate interests outweigh any such adverse effect. An organisation must therefore take the following steps:

  (a) identify and articulate its legitimate interest(s) in collecting, using or disclosing personal data without consent;

  (b) conduct an assessment to identify any adverse effect(s) and to implement reasonable measures to mitigate such adverse effect(s) on the individual; and

  (c) take reasonable steps to provide the individual with reasonable access to the information which is being relied upon for the exception (N.B. this does not require the organisation to disclose its assessment referred to in (b) above to the individual).

Additionally, and upon request by the Commission, an organisation must provide justification of its reliance on the general exception, including the disclosure of its assessment and any relevant documents.

The business improvement exception

This exception applies only in the following situations:

  (a) using personal data without consent for "relevant purposes", which is defined as: (i) improving, enhancing or developing new goods or services; (ii) improving, enhancing or developing new methods or processes for business operations in relation to the organisation's goods and services; (iii) learning or understanding the behaviour and preferences of individuals; or (iv) identifying goods or services that may be suitable for individuals, or personalising or customising any such goods or services for individuals; or

  (b) sharing (ie collecting and disclosing) personal data between entities within a group, for any of the following business improvement purposes: (i) improving, enhancing or developing new goods or services; (ii) improving, enhancing or developing new methods or processes for business operations in relation to the organisations' goods and services; (iii) learning or understanding the behaviour and preferences of existing or prospective customers; or (iv) identifying goods or services that may be suitable for existing or prospective customers.

Organisations wishing to rely on this exception must ensure that:

  (a) the business improvement purpose cannot reasonably be achieved without using the personal data in an individually identifiable form;

  (b) such use of the personal data for the business improvement purpose is one that a reasonable person would consider appropriate in the circumstances; and

  (c) in the case of limb (b) above (ie the sharing of personal data between group entities), the organisations are bound by a contract, agreement or binding corporate rules which require the recipient(s) to implement and maintain appropriate safeguards for the personal data.

The research exception

This exception is intended to allow an organisation to use personal data for the purpose of carrying out broader research and development in situations where such use may not have an immediate application to its products, services, business operations or market. Organisations may rely on this exception if the following conditions are met:

  (a) the research purpose cannot be achieved unless the personal data is provided in an individually identifiable form;

  (b) there is a clear public benefit to the use of the personal data;

  (c) the individual will not be affected by the use of the personal data for such a purpose; and

  (d) any results published must be in a form that does not identify the individual.

If an organisation wishes to disclose personal data for a research purpose, it must demonstrate, in addition to points (a) to (d) above, that it is impracticable for the organisation to seek the consent of the individual for the disclosure of the personal data.

Increase in financial penalties

The current financial penalties under the PDPA are generally very low, with organisations liable to a maximum fine of S$1 million[7] for breaches of any obligations around the protection, collection, use, disclosure, access to and correction of personal data. This will be revised upwards in due course, with the Commission being empowered to impose a financial penalty of up to S$1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher.

New right of data portability

For the first time, the right of data portability will be statutorily enshrined in order to provide individuals with greater autonomy and control over their personal data. Under this obligation, an individual may request a porting organisation to transmit to a receiving organisation the applicable data about the individual.

The data portability obligation is applicable only to personal data in an electronic form, and where there is an ongoing relationship between the individual and the porting organisation. In terms of territoriality, the receiving organisation must be formed or recognised under the laws of Singapore or have a presence in Singapore. In addition, data about an individual that is derived by an organisation in the course of its business from other personal data is excluded from the portability regime.

Enhanced rules on telemarketing and spam control

Under the current PDPA, individuals are granted protection from unsolicited messages (including phone calls) only if they subscribe to the Do Not Call Register maintained by the Commission. The protections accorded to such subscribers will be further strengthened by imposing a positive duty on senders to check that a Singapore telephone number is not listed in the Do Not Call Register. Senders are only permitted to send messages upon receipt of valid confirmation that the Singapore telephone number is not listed in the Do Not Call Register.

Singapore's Spam Control Act (Cap. 311A) will also be amended to cover commercial electronic messages sent to instant messaging accounts in bulk.

Organisations are expressly excluded from relying on the legitimate interests exception and business improvement exception mentioned above in order to send direct marketing messages.

Recommendations for employers

The above amendments to the PDPA represent a fairly significant development of the data privacy regime in Singapore, necessitated in no small part by the ceaseless march of technology and the development of new forms of communication. While the oft-repeated criticism that the law (and, by extension, regulators) always follow several paces behind technology does contain a measure of truth, these amendments to the PDPA are well thought out, and likely to bring Singapore closer in line with the global standard that is currently outlined in the General Data Protection Regulation 2016/679.

In anticipation of this, we recommend that employers in Singapore take the following steps:

  1. review their data privacy, data retention and data transmission policies and update these to bring them in line with the new requirements;

  2. formulate a data breach crisis plan to set out protocols to deal with data breaches, including: carrying out an assessment to determine if the data breach is notifiable; notifying the Commission and the affected individuals of the breach when required; managing the breach; and remediation plans;

  3. ensure that employees have provided express consent to the collection, use and disclosure of personal data for all purposes reasonably connected with the employment relationship, so as to obviate the need to rely on deemed consent or one of the exceptions;

  4. review contracts and agreements with third parties (including data intermediaries) to ensure that they contain the necessary indemnities and warranties to protect the organisation in the event of a data breach; and

  5. ensure that their advertising vendors abide by the enhanced rules on telemarketing and spam control.


[1] Approximately US$760,000 at the time of publication.
[2] A data intermediary is an organisation which processes personal data on behalf of another. A new obligation will be introduced to require data intermediaries to notify organisations whose data is being processed of any data breach regarding that organisation's data.
[3] This should not exceed 30 days.
[4] This should not exceed 30 days.
[5] This must be done within three calendar days after the completion of the assessment.
[6] This may be done either concurrently or as soon as practicable after notifying the Commission.
[7] Approximately US$760,000 at the time of publication.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.