Following the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) public consultation in May this year (Public Consultation), the Personal Data Protection (Amendment) Bill (Bill) was introduced and had its first reading in Parliament on 5 October 2020.
The Bill introduces five key changes to the Personal Data Protection Act 2012:
- Increased financial penalties: Up to 10% of annual turnover in Singapore (if the organisation’s annual turnover in Singapore exceeds S$10 million), or S$1 million, whichever is higher.
- Mandatory data breach notification: Organisations must notify the PDPC of any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale. Affected individuals must be notified if the data breach is likely to result in significant harm to them.
- Introduction of offences concerning mishandling of personal data: Individuals will be held accountable for egregious mishandling of personal data through the introduction of new criminal offences: (i) knowing or reckless unauthorised disclosure of personal data; (ii) knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and (iii) knowing or reckless unauthorised re-identification of anonymised data. The proposed penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years, or both.
- Expansion of consent framework: New provisions to introduce deemed consent by contractual necessity and deemed consent by notification to allow organisations to collect, use and disclose personal data. Additionally, legitimate interest and business improvement exceptions have been introduced, with changes to the business asset transaction exception to broaden the scope and changes to the research exception to improve data innovation efforts. The expansions to the consent framework are accompanied by accountability requirements.
- Right to data portability: A new Part VIB will be introduced, which grants individuals the right to data portability. Pursuant to this right, organisations must, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control, to another organisation in a common machine-readable format.
These changes were previewed earlier in a draft bill that was published together with the Public Consultation. Please see our earlier blog post discussing these changes.
The Bill will undergo a further two readings in Parliament and upon the President’s assent will come into operation on a date that the Minister appoints by notification in the Government Gazette. We currently anticipate that the amendments introduced by the Bill will likely come into effect by the end of 2020 or early 2021.
The increased penalties that can be imposed by the PDPC will likely bring compliance with the PDPA requirements into sharper focus for many organisations. This is compounded by the mandatory data breach notification regime, which will require organisations to ensure they have the policies, procedures and processes in place to handle data breach incidents and meet the new requirements. Given the current environment, in which cyberattacks have increased during the pandemic and many organisations are pushing to digitise and engage in remote working, organisations should consider the new regime carefully and ensure they are well prepared should a cyberattack take place.