Singapore passed some key amendments to the Personal Data Protection Act 2012 establishing a new norm for administrative fines at 10% of turnover.
Now companies, with turnover exceeding Singapore dollar 10 million per year, responsible for data breaches face financial penalties upto 10% of their turnover or Singapore dollars 1 million which ever is higher. For companies with turnover less than S$10 million the maximum pernalty remains at S$ 1 million.
a) New offences related to the mishandling of personal data has been introduced
b) Deemed consent provision has been expanded
c) New Exceptions have been introduced in consent requirement
d) New Data Portability obligation has been introduced
e) Spam Control act has been expanded to cover instant messaging platforms.
f) In addition to the increase in the fines related to data breach, notification has been made mandatory.
g) The applicability of the law has been extended by removing the exemption provided for Organisations acting on behalf of public agencies from the Act
The new offences introduced include
- any unauthorised disclosure of personal data that is carried out knowingly or recklessly;
- any unauthorised use of personal data that is carried out knowingly or recklessly and results in a wrongful gain or a wrongful loss to any person; and
- any unauthorised re-identification of anonymised data that is carried out knowingly or recklessly.
(This does not include public officers, who are subject to the Public Sector (Governance) Act 2018.)
It will also be an offence for a person to fail to:
- comply with an order to appear before the PDPC or an inspector of the PDPC;
- provide a statement in relation to any investigation; or
- produce any document specified in a written notice.
The definition of “Deemed consent” is expanded to include:
- for contractual necessity, i.e. where data processing is reasonably necessary to perform a contract; and
- where individuals have been notified of the purpose of the data processing and given an opportunity to opt out.
New exceptions are being provided for Consent in the following instances.
Now consent will not be required where the legitimate interests of the organisation and the benefit to the public (or any section thereof) together outweigh any adverse effect on the individual.
This could include where data is processed for the purposes of detecting or preventing illegal activities (e.g. fraud or money laundering) or threats to physical safety and security, ensuring IT and network security, or preventing the misuse of services.
Organisations must however conduct a risk and impact assessment, and disclose any reliance on legitimate interests and cannot use the provision to send direct marketing messages to individuals.
Tthere will be a business improvement exception to consent, where there is a need to:
- carry out operational efficiency and service improvements;
- develop or enhance products/services; or
- know more about the organisation’s customers.
The use of personal data must be what a reasonable person would consider appropriate in the circumstances, and the data must not be used to make a decision that is likely to have an adverse effect on any individual. This exception also applies to a group of companies, including subsidiaries within an organisation.
Also, the research exception to consent will be available, provided that, among other things:
- the use of personal data or results of the research must not have an adverse effect on individuals; and
- results must not be published in a form that identifies any individual.
There will also be exception to institutes carrying out scientific research and development, or arts and social science research, or to market research aimed at understanding potential customer segments. However, disclosure for research purposes will continue to be subject to more stringent restrictions relating to impracticality and public interest.
Additionally the scope of the business asset transaction exception in the PDPA will be extended to the personal data of independent contractors, in addition to that of employees, customers, directors, officers and shareholders of the organisation.
Data portability right will now be available to individuals, giving them the right to request the transmission of their data to another service provider.
An organisation’s portability obligation will only apply to:
- user-provided data and data on user activity held in electronic form, including business contact information, this data may include third-party personal data, where the request is made in the requesting individual’s personal or domestic capacity;
- requesting individuals with an existing, direct relationship with the organisation; and
- receiving organisations with a presence in Singapore; however, data portability could subsequently be extended to like-minded jurisdictions offering comparable protections and reciprocal arrangements.
The PDPC will work with industry and sector regulators to establish and set out further requirements under regulations, including:
Exceptions to the data portability obligation will be provided, similar to those for the access obligation.
Personal data that is derived by an organisation in the course of business from other personal data will not be covered by the portability obligation.
Refusals of porting requests must be notified to individuals, together with the reasons for the refusal, and within a reasonable time. The PDPC will have the power to review these refusals and any fees for the porting of data.
Organisations will be required to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the individual has exhausted their right to apply to the PDPC for reconsideration of the request or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.
The Spam Control Act 2007 will now cover the bulk sending of commercial text messages to instant messaging accounts. ‘Do not call’ (‘DNC’) provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.
Third-party checkers will be required to communicate accurate DNC register results to the organisations on behalf of which they are checking the DNC register, and the checkers will be liable for DNC infringements resulting from any erroneous information provided by them.
The DNC provisions will be enforced under the same administrative regime as the other data protection obligations in the PDPA, as opposed to being enforced as criminal offences.
There will be a higher level of accountability for the Organisations who will be expected to demonstrate compliance.
Thus the law in Singapore has become more stringent and at the same time brought in more clarity.