On 14 May 2020, the Singapore Ministry of Communications and Information (MCI) and the Personal Data Protection Commission of Singapore (PDPC) announced a public consultation (the Public Consultation) on the draft Personal Data Protection (Amendment) Bill (the Draft Bill) and related amendments to the Spam Control Act (SCA). The Public Consultation will take place from 14 May 2020 to 28 May 2020.

The Draft Bill is the culmination of a series of consultations between the MCI, PDPC and public and industry stakeholders over the past three years. In this post, we briefly explore how five key changes proposed in the Draft Bill will impact upon Singapore’s data protection regulatory framework:

  • Introduction of mandatory breach notification;
  • Introduction of offences concerning the mishandling of personal data;
  • Alternate bases to the collection, use and disclosure of personal data by enabling meaningful consent;
  • Introduction of a new data portability obligation; and
  • Enhanced financial penalties for breaches.
  1. Introduction of mandatory breach notification

In an effort to strengthen accountability of organisations handling personal data, the Draft Bill introduces a mandatory data breach notification regime under a new Part VIA – Notification of Data Breaches. Under the proposed mandatory data breach notification regime, organisations are required to notify:

  • the PDPC of a data breach that either (i) results in, or is likely to result, in significant harm to affected individuals, or (ii) is of a significant scale (i.e., more than 500 affected individuals); and
  • affected individuals if the data breach is likely to result in significant harm to them.

Where an organisation has determined that a data breach is required to be notified, it must notify the PDPC within 3 calendar days and affected individuals (as the case may be) as soon as practicable.

Under the proposed mandatory breach notification regime, MCI / PDPC have prescribed categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the affected individuals. There are proposed exceptions to the mandatory breach notification regime in circumstances where organisations have technological protection measures in place (e.g. encryption) to limit the potential harm caused by any data breach; or where they have taken remedial action swiftly after a data breach is discovered. These exceptions might obviate the need for mandatory notification.

Comment:

While there is presently no specific requirement under the PDPA to notify any party when a data breach incident occurs, breach reporting guidelines were introduced via the PDPC’s Guide to Managing Data Breaches 2.0 (PDPC Breach Guide).[1] Therefore, in practice, organisations are generally advised to consider making a data breach notification in the event a data breach incident is required to be notified under the PDPC Breach Guide. We note that while the proposed breach notification requirements are broadly similar to those specified in the PDPC Breach Guide, one key difference is the assessment period for organisations to determine whether a breach is notifiable. Under the PDPC Breach Guide, organisations have up to 30 days to assess whether a data breach incident is notifiable. This time period has been removed and replaced with a duty to “conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach”. The overriding principle behind this duty is similar to the 30 day window under the PDPC Breach Guide – that organisations ought to carry out such assessments expeditiously.

There has been a discernible trend across multiple countries implementing data breach notification regimes, and given the importance Singapore places on the management of cybersecurity risks generally, including the implementation of the Cybersecurity Act, it is not surprising that the regime covered in the PDPC Breach Guide will now have the force of law if implemented.

  1. Introduction of offences concerning mishandling of personal data

To strengthen the accountability of individuals who handle or have access to personal data, the Draft Bill proposes the following new offences under  the PDPA to hold individuals accountable for “egregious mishandling of personal data” under a new Part VIIA – Offences Affecting Personal Data and Anonymised Information:

  • knowing or reckless unauthorised disclosure of personal data;
  • knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
  • knowing or reckless unauthorised re-identification of anonymised data.

The proposed penalty for such offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.

Comment:

The introduction of new offences for “egregious mishandling of personal data” by individuals plugs a gap in the PDPA, which has to-date been focused on the responsibility of organisations. While organisations may be responsible for the conduct of their employees and ought to put in place safeguards in the form of appropriate policies, procedures and training to prevent abuse of personal data, individual employees are ultimately autonomous actors whose motivations may not be aligned with that of the organisation they work for. In recent years, there have been instances of employees abusing their position and employers’ trust by misusing or mishandling personal data for their own gain. As the amount of data collected and generated continues to grow, and the value of such data increases, the risk of individuals misusing or mishandling personal data in their possession for personal gain may become greater. These new offences will aid to deter such misconduct through criminal sanctions.

  1. Alternate bases to the collection, use and disclosure of personal data by enabling meaningful consent

MCI / PDPC propose to enhance the consent-based framework for the collection, use and disclosure of personal data under the PDPA by expanding the concept of “deemed consent” under section 15 of the PDPA to include:

  • deemed consent by contractual necessity – allowing consent to be deemed for the disclosure to, and use of, personal data by third-party organisations, and such third-party organisations’ collection and use of personal data, where it is reasonably necessary for the conclusion or performance of a contract or transaction between an individual and an organisation; and
  • deemed consent by notification – allowing consent to be deemed if appropriate notification of the purpose of the intended collection, use or disclosure of an individual’s personal data, with a reasonable opt-out period, is provided. To rely on such deemed consent by notification, organisations are required to assess and ascertain that the intended collection, use or disclosure of personal data for the purpose is not likely to have an adverse effect on the individual after taking into account any measures implemented to eliminate, reduce or mitigate such adverse effect.

Further, MCI / PDPC propose to address situations where there are overriding public or systemic benefits and obtaining individuals’ consent may not be appropriate, by introducing the following new exceptions to consent:

  • legitimate interests exception – allowing organisations to collect, use or disclose personal data without consent in circumstances where it is in the legitimate interests of the organisation, and the benefit to the public is greater than any adverse effect on the individual. In order to rely on this exception, organisations will need to: (i) assess any likely adverse effect to the individuals and implement measures to eliminate, reduce or mitigate such identified adverse effect, (ii) make a determination that the benefit to the public (or any section thereof) outweighs any likely residual adverse effect to the individual; and (iii) disclose their reliance on legitimate interests to the individual to collect, use or disclose personal data; and
  • business improvement exception – allowing organisations to use personal data without consent for the following business improvement purposes – (i) operational efficiency and service improvements, (ii) developing or enhancing products/services; and (iii) knowing the organisation’s customers. This exception is subject to a reasonableness requirement, e., what a reasonable person would consider appropriate in the circumstances, and must not be used to make a decision to have an adverse effect on an individual.

In addition, MCI / PDPC also propose to revise the “research exception” to introduce conditions such that the use of personal data or the results of the research will not have an adverse effect on individuals and such results will not be published in a form that identifies any individual.

Comment:

The proposal by MCI / PDPC to provide alternate bases for organisations to collect, use and disclose data by expanding on the concept of “deemed consent’ and the introduction of the legitimate interests exception and business improvement exception seeks to address the limitations of a primarily consent-based data protection framework and will provide organisations with a more practical and sustainable approach to the collection, use and disclosure of personal data. However, these alternatives to consent do not mean that organisations are given carte blanche to manage personal data. Rather, these alternatives require organisations to be more deliberate in how they collect, use and manage data, with data privacy impact assessments being key to how organisations are able to assess the potential adverse effects of collecting, using and disclosing personal data, and being able to effectively implement measures to eliminate, reduce or mitigate such identified adverse effects. The upside to this approach is that it encourages organisations to be accountable to relevant stakeholders regarding how they manage personal data and foster trust.

  1. Introduction of a New Data Portability Obligation

To provide consumers with greater autonomy over personal data, the Draft Bill proposes to introduce a new data portability obligation under a new Part VIB – Data Portability.

Pursuant to this new data portability obligation, organisations must, at the request of an individual, transmit his/her personal data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format. To avoid placing an onerous burden on organisations fulfilling this obligation, the MCI / PDPC has proposed that this data portability obligation be limited to:

  • user provided data and user activity data held in electronic form (including business contact information);
  • requesting individuals who have an existing, direct relationship with the organisation; and
  • receiving organisations with a presence in Singapore – although MCI / PDPC indicated that obligation could be extended to “like-minded jurisdictions with comparable protection and reciprocal arrangements”.

According to MCI / PDPC, the proposed data portability obligation will be subject to exceptions that largely mirror the exceptions applicable to the Access Obligation (as set out in the Fifth Schedule to the PDPA), so as to ensure consistency in approach. In addition, to protect business innovation and investments, MCI / PDPC have stated that derived personal data would be exempted from the proposed data portability obligation.

As this is a new data protection obligation, MCI / PDPC have stated that the data portability obligation would only come into effect with the issuance of regulations to prescribe requirements that apply to the porting of specific data sets. Among other things, MCI / PDPC intend to prescribe (1) a whitelist of data categories to which the data portability regulations apply, (2) technical and process details concerning the transmission of data, (3) relevant data porting request models, and (4) safeguards for individuals.

Comment:

The introduction of a data portability obligation, which is already present in standard bearing data protection laws such as EU’s General Data Protection Regulation 2016/679 (GDPR), aims to grant individuals with greater control and autonomy over personal data and recognises the value of data in the modern business environment. While data portability may lead to increase in compliance costs for industries and businesses, the upshot to this obligation is a more free-flowing competitive business environment and level playing field for new entrants seeking to establish a foothold in an industry. Competition in a digital economy is the bedrock of innovation and would likely create new opportunities for new and established players to win over consumers through novel solutions and services.

  1. Increased financial penalties

The Draft Bill proposes to amend section 29(2)(d) of the PDPA to increase the maximum financial penalty from S$1 million to a maximum financial penalty of either (1) up to 10% of an organisation’s annual gross turnover in Singapore, or (2) S$1 million, whichever is higher.

The higher financial penalty is intended to provide a stronger deterrent effect to organisations that flout their PDPA obligations and to provide the PDPC with more flexibility in meting out financial penalties based on the circumstances and severity of the breach.

Comment:

The proposed increase in the maximum financial penalty will prompt organisations to pay closer attention to data protection compliance and devote greater resources to ensure compliance. By adopting a revenue-based maximum financial penalty, all organisations will be incentivised to ensure that they comply with the letter and spirit of the data protection obligations for fear of facing a significant penalty that could severely hit their bottomline. In addition, a revenue-based maximum penalty introduces a measure of proportionality – the current maximum penalty of S$1 million relatively speaking is less impactful for large organisations with revenues and profits that far exceed this amount, in contrast to smaller organisations.

Conclusion

It has been a number of years since the enactment and coming into force of the PDPA, which was passed in 2012 and came into force in 2014.

Since then, the digital landscape and economy has changed – both in Singapore and globally. Data is increasingly critical to businesses. This trend would likely continue with the widespread adoption and further development of technologies such as 5G, IoT and in Machine Learning and AI. At the same time, consumers and individuals are becoming increasingly aware and concerned about the use and exploitation of their personal data effective data protection legislation is therefore required to help spur business innovation and balance the interests of individuals and the public at large.

 

The authors would like to thank Jeremiah Chew, Of Counsel at Ascendant Legal, Norton Rose Fulbright’s foreign law alliance law firm in Singapore, for his contribution to this article.

[1] The PDPC Breach Guide states that “[n]otification made by organisations or the lack of notification… will affect the PDPC’s decision as to whether an organisation has reasonably protected the personal data in its possession or under its control”.