On 29 January 2021, the Personal Data Protection Commission (PDPC) announced that certain sections of the Personal Data Protection (Amendment) Act 2020 (the PDPA Amendments) will take effect from 1 February 2021; please see the PDPC's announcement and the gazetted Commencement Notification. This legal update provides a high-level summary of the PDPA Amendments that have taken effect.
The changes introduced by the PDPA Amendments to the Personal Data Protection Act 2012 (the PDPA) are the most significant since the PDPA first came into force on 1 July 2014. Please see our earlier blog post, Singapore tables changes to the Personal Data Protection Act in Parliament, discussing the key changes introduced by the PDPA Amendments.
The PDPA Amendments will take effect in phases, with the following three key changes taking effect from 1 February 2021:
- Mandatory data breach notification: Organisations must notify the PDPC of any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale (i.e., involves personal data of 500 or more individuals). Affected individuals must be notified if the data breach is likely to result in significant harm to them.
- Prescribed personal data or classes of personal data deemed to result in significant harm: The Personal Data Protection (Notification of Data Breaches) Regulations 2021 (Regulations on Notification of Data Breaches) provide a prescribed list of personal data or classes of personal data that shall be deemed to result in significant harm to affected individuals if compromised in a data breach (e.g., authentication data relating to an individual’s account with an organisation, credit card information, bank account number, creditworthiness of an individual, salary information etc.).
- Timeframes for notification: Notifications to the PDPC must be made as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes the assessment that a data breach is a notifiable data breach. Notifications to individuals must be made as soon as practicable, at the same time or after notifying the PDPC.
- Information required: See Regulations on Notification of Data Breaches for a prescribed list of minimum information that the notification must contain.
- Introduction of offences concerning mishandling of personal data by individuals: Individuals will be held accountable for egregious mishandling of personal data through the introduction of new criminal offences: (i) knowing or reckless unauthorised disclosure of personal data; (ii) knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and (iii) knowing or reckless unauthorised re-identification of anonymised data. The prescribed penalty for these offences, which may be imposed on individuals, is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.
- Expansion of consent framework: New provisions introduce deemed consent by contractual necessity and deemed consent by notification, allowing organisations to collect, use and disclose personal data on those bases. Additionally, legitimate interest and business improvement exceptions have been introduced, the business asset transaction exception has been broadened, and the research exception has been changed to support data innovation efforts. The expansions to the consent framework are accompanied by accountability requirements.
Accompanying regulations have been published and will take effect together with the PDPA Amendments on 1 February 2021. These accompanying regulations include the Personal Data Protection Regulations 2021 (dealing with deemed consent by notification and legitimate interests), Regulations on Notification of Data Breaches (as mentioned above), the Personal Data Protection (Enforcement) Regulations 2021, and the Personal Data Protection (Composition of Offences) Regulations 2021. In addition, the Advisory Guidelines have been updated to provide guidance on the PDPA Amendments that came into force on 1 February 2021.
The following changes have not yet taken effect as at 1 February 2021, but are expected to take effect in the coming months:
- Increased financial penalties for organisations: Up to 10% of annual turnover in Singapore (if the organisation's annual turnover in Singapore exceeds S$10 million), or S$1 million, whichever is higher. The Advisory Guidelines on Enforcement of Data Protection Provisions indicate that the increased financial penalties will take effect on a further date to be notified, and no earlier than 1 February 2022.
- Right to data portability: A new Part VIB, which grants individuals the right to data portability. Pursuant to this right, organisations must, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control, to another organisation in a common machine-readable format.
- Organisations should review their personal data protection policies and procedures, and ensure that they are adequately prepared to handle data breach incidents in light of the mandatory breach notification regime. Organisations should also provide internal training sessions on such updated policies and procedures.
- Organisations should consider leveraging the expanded consent framework. In this regard, data protection impact assessments are key: organisations will need to demonstrate their assessment of the impact of new initiatives based on the expanded consent framework.