Mandatory data breach notification, data portability, and other proposed changes to Singapore’s data protection laws
On 14 May 2020, the Ministry of Communications and Information (“MCI”) and the Personal Data Protection Commission (“PDPC”) launched a public consultation on the draft Personal Data Protection (Amendment) Bill (the “Bill”). The consultation closed on 28 May 2020.
This article will discuss the following proposed amendments to the Personal Data Protection Act (“PDPA”):
- a new mandatory data breach notification requirement;
- expansion of the scope of deemed consent;
- a new data portability obligation; and
- increased enforcement powers.
1. New mandatory data breach notification
In line with strengthening the accountability principle in the laws on personal data protection, the proposed amendments impose a mandatory data breach notification requirement under the PDPA. Under this regime, organisations are required to notify the PDPC of a data breach that:
- results in or is likely to result in significant harm to the affected individuals; or
- is of a significant scale (e.g. data breaches affecting 500 or more individuals).
If an organisation believes that a data breach has occurred, it should quickly assess whether notifying the PDPC and/or the affected individuals is required. If the organisation determines that notification is required, it must notify the PDPC as soon as practicable, and in any case within three calendar days. Organisations are also required to notify affected individuals if the data breach is likely to result in significant harm to them, unless certain exceptions apply. Examples of information that, if compromised, may cause significant harm include medical history, credit card details and identification numbers.
2. Deemed consent and exceptions to consent
The scope of deemed consent for the collection, use and disclosure of personal data is proposed to be expanded to include:
- Deemed consent by contractual necessity – where it is reasonably necessary for the performance of a contract.
- Deemed consent by notification – where the individual is notified of the intended purpose of the data processing and does not opt out within a reasonable period as provided by the organisation. It should be noted that organisations are prohibited from utilising this method to obtain consent to send direct marketing messages to individuals.
In addition, the Bill also proposes the following new exceptions to the consent requirements to address situations where there are public benefits to using and processing personal data and obtaining individuals’ consent may not be appropriate:
- Legitimate interest exception – where the legitimate interests of the organisation and the benefit to the public exceed any adverse effect on the individual. Examples include detecting threats to physical safety and preventing illegal activities such as money laundering.
- Business improvement exception – an organisation may use personal data without consent for certain business improvement purposes such as developing products/services, operational efficiency and service improvements.
3. New data portability obligation
Under the data portability obligation (“DPO”), organisations are obliged to transmit an individual’s personal data in their possession or under their control at the request of that individual. The DPO is intended to allow individuals to switch to new service providers more easily.
The DPO is subject to the following:
- the DPO is limited to user-provided data (such as credit card details) and user activity data (such as transaction data) held in electronic form;
- requesting individuals must possess an existing, direct relationship with the organisation; and
- receiving organisations must have a presence in Singapore. The PDPC may extend data portability to like-minded jurisdictions adopting comparable protection and reciprocal arrangements.
The PDPC will work with industry and sector regulators to develop specific requirements and exceptions in relation to the DPO. The DPO will only come into effect with the issuance of these requirements.
4. New enforcement powers and penalties
The PDPC also proposes to strengthen enforcement in the following ways:
- Increased financial penalties of up to 10% of an organisation’s annual gross turnover in Singapore or SGD 1 million, whichever is higher, for data breaches under the PDPA.
- Failure to appear before the PDPC or produce information or provide a statement when required by the PDPC in relation to an investigation will amount to an offence.
- When a data breach incident occurs, organisations may provide written voluntary undertakings to the PDPC to remedy the situation. Breach of these undertakings will be enforceable by the PDPC.
- Subject to certain exceptions (such as employees acting under their employers’ instructions), individuals who handle or have access to personal data will now be held accountable for egregious mishandling of such data.
The Bill incorporates feedback received from the PDPC’s earlier consultations on, amongst other things, mandatory data breach notifications and data portability. We shared these initiatives in an earlier legal alert available here. Given the greater emphasis on accountability and the proposed introduction of personal liability for mishandling personal data under the Bill, organisations should consider reviewing their data management policies and internal training programmes for staff who handle or have access to personal data.
If you would like to discuss the possible impact of the proposed amendments to the PDPA, please feel free to reach out to Heng Jun Meng or any director of ZICO Insights Law LLC.
This alert is for general information only and is not a substitute for legal advice.