On 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission ("PDPC") launched a public consultation on the draft Personal Data Protection (Amendment) Bill 2020 ("Draft Bill"). The Draft Bill proposes a suite of amendments to be made to the existing Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA") and the Spam Control Act (Cap. 311A) ("SCA").
Key Proposed Amendments
The Draft Bill consolidates and refines the key amendments previously proposed by the PDPC in several public consultation exercises held between 2017 and 2019. The changes aim to enhance the accountability of organisations in relation to their collection, use or disclosure of personal data and increase public trust, as well as maintain the relevancy of the PDPA in light of recent technological advancements and an increasingly data-driven economy. The proposed amendments bring the PDPA more in line with regional and international data privacy standards. We have set out a summary of some of the key amendments below.
(I) NEW CATEGORIES OF "PERSONAL DATA"
The Draft Bill introduces three new sub-categories of "personal data" under the PDPA:
- "Derived personal data" – this refers to personal data that is derived by an organisation in the course of business from other personal data about the individual or another individual in the possession or under the control of the organisation. However, this does not include data that is derived by the organisation using simple sorting or common mathematical functions, like averaging and summation.
- "User activity data" – this refers to personal data that is created in the course or as a result of the individual's use of any product or service provided by the organisation. For example, transaction data or data collected by wearables and sensors.
- "User provided data" – this refers to personal data provided by an individual to the organisation.
As further discussed below, some of the proposed new obligations introduced under the Draft Bill may not apply to certain sub-categories of personal data. For example, "derived personal data" will not be subject to the data portability or data correction obligation. The intention is to protect and incentivise organisations to create innovative new products or services, which may be indirectly hindered by the data portability or data correction obligation if "derived personal data" were included. If an organisation were required to transfer any "derived personal data" to a competitor, then this could inadvertently result in the disclosure of confidential information that could damage the organisation's competitive advantage.
(II) MANDATORY BREACH NOTIFICATION
Currently under the PDPA, data controllers are not obligated to notify the PDPC or the affected data subjects in the event of any data breach. The new amendments would introduce a mandatory data breach notification requirement. In particular, data controllers would be required to:
- notify the PDPC where the data controller determines that the data breach results in, or is likely to result in, significant harm, or is of a significant scale, no later than 3 days after making such an assessment; and
- notify the affected individuals where the data controller determines that the data breach results in, or is likely to result in, significant harm to those individuals, as soon as practicable.
The PDPC is expected to issue subsidiary regulations to provide further details on these obligations, such as the definitions of "significant harm" and "significant scale", and the method of notification required. According to the consultation document, a numerical threshold of 500 or more affected individuals will likely be prescribed for determining whether a data breach is of a "significant scale".
Data intermediaries would also be required to notify the data controller without undue delay upon the discovery of a data breach. Certain exceptions have also been proposed in respect of these breach notification requirements. For example, notification may not be required where the data controller has implemented encryption or other technological protection measures that minimise the potential harm that could arise from the data breach.
(III) EXPANSION OF DEEMED CONSENT
The Draft Bill introduces two new sets of circumstances that may amount to "deemed consent" and can be relied upon in lieu of express consent. Specifically, "deemed consent" can be found where:
- the collection, use and disclosure of personal data is reasonably necessary for the conclusion or performance of a contract or transaction between an individual and an organisation; or
- the individual has been notified of the purpose of the intended collection, use or disclosure of his or her personal data, and has been provided with a reasonable period to opt-out but has failed to do so.
In order to be able to rely on the second set of circumstances above (notification with an opportunity to opt out), a data controller is required to conduct an impact assessment on the intended collection, use or disclosure of personal data, and implement measures to eliminate or reduce the risks of any adverse effects to the individual.
(IV) NEW EXCEPTIONS TO CONSENT REQUIREMENT
The Draft Bill proposes two new exceptions to the consent requirement under the PDPA. These exceptions are:
- the "legitimate interests" exception – this allows the organisation to collect, use or disclose personal data without consent where such collection, use or disclosure is in the legitimate interests of the organisation, and the benefit to the public is greater than any adverse effect on the individual (e.g. for detecting or preventing illegal activities); and
- the "business improvement" exception – this allows the organisation to collect, use or disclose personal data without consent, for the following business improvement purposes: (A) operational efficiency and service improvements; (B) developing or enhancing products or services; and (C) knowing the organisation's customers.
When relying on the "business improvement" exception, companies should also ensure that the personal data is not used to make a decision that is likely to have an adverse effect on an individual.
(V) RIGHT TO DATA PORTABILITY
Under the Draft Bill, individuals will be provided with a new right to data portability which will obligate data controllers, at the request of an individual, to transmit his or her personal data that is in the organisation's possession or under its control, to another organisation in a commonly used machine-readable format.
However, data portability obligations will be subject to certain proposed limits. For example, these obligations will only apply if:
- the data porting request relates to "user provided data" and "user activity data" held in electronic form (accordingly, the obligation does not apply in respect of any request for porting of "derived personal data");
- the requesting individuals have an existing, direct relationship with the organisation; and
- the receiving organisations have a presence in Singapore (i.e. organisations that are either registered or have a place of business in Singapore).
Where the personal data to be ported contains personal data of other individuals (e.g. an individual's social media account data may include names and photographs of third parties), the organisation does not have to obtain the relevant third parties' consent when fulfilling a data porting request, provided that the data porting request is made in the requesting individual's personal or domestic capacity.
If the Draft Bill is passed, the data portability obligations will likely only take effect at a later stage when additional regulations have been issued. These regulations are expected to contain further details on how to comply with the obligation, such as prescribing a "whitelist" of data categories to which the data portability obligation applies, imposing certain technical and process requirements in relation to the data porting, stipulating different data porting request models, and implementing additional safeguards for individuals such as establishing a "blacklist" of entities to whom porting organisations may legally refuse to port data.
The upcoming regulations will also provide for a list of exceptions to the data portability obligation which will likely be similar to the existing exceptions to the data access request obligation currently under the PDPA.
(VI) STRICTER ANTI-SPAM CONTROLS
The SCA, together with the PDPA, currently forms the primary anti-spam legislation in Singapore. As it currently stands, the SCA only applies to unsolicited commercial messages sent to Singapore phone numbers in bulk ("spam") but does not regulate such spam messages sent to instant messaging accounts over platforms such as Telegram or WeChat. Given the increasing popularity of such platforms (which are not based on the user's telephone number), the Draft Bill introduces amendments to the SCA to expand its scope.
In addition, under the Draft Bill, the Do-Not-Call provisions under the PDPA will be amended to prohibit the sending of specified messages to telephone numbers obtained through the use of dictionary attacks and address harvesting software.
This amendment will align the Do-Not-Call provisions under the PDPA with the SCA, which currently prohibits the use of dictionary attacks and address harvesting software to generate electronic addresses for the sending of electronic messages.
(VII) INCREASED FINANCIAL PENALTIES
Amongst other proposals of enhanced enforcement powers of the PDPC, the Draft Bill will also increase the current maximum financial penalty for breach of the PDPA to: (a) S$1 million; or (b) up to 10% of the organisation's annual gross turnover in Singapore, whichever is higher. This proposal will align the maximum penalties under the PDPA with those under the laws of the EU and Australia where a revenue-based maximum financial penalty is similarly adopted to serve as a stronger deterrent.
The Draft Bill represents the first comprehensive review of the PDPA since its enactment in 2012. These proposed changes will help companies engaging in data-driven businesses overcome the challenges that they have been facing in complying with their obligations under a consent-focused data protection regime. Based on the responses received during the consultation exercise, public support for these amendments has been fairly high as organisations generally favour a shift towards a more flexible and risk-based approach.
On the other hand, increasing an organisation's accountability over the personal data under its control serves to boost public confidence and provide better protection of the individual's rights – an issue of increasing concern over the past few years in light of the numerous high profile data breaches, such as the SingHealth data breach in 2018, which has been called the "most serious breach of personal data" in Singapore's history.
The public consultation exercise ended on 28 May 2020 and the Draft Bill will now undergo final revisions before being introduced in the Singapore Parliament.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.