A sea change in Singapore’s data privacy law
31 May 2021
Singapore’s Personal Data Protection (Amendment) Bill 2020 was passed on November 2, 2020, following extensive public consultations between 2017 and 2020, and came into effect on February 1, 2021. The amendments to the PDPA bring about much-needed updates to align Singapore’s data privacy regime with international standards and best practices.
The key amendments in the PDPA are:
- Expanded scope for deemed consent;
- New legitimate interests and business improvement exceptions to requirement to obtain consent;
- Mandatory notification regime for data breaches;
- Personal liability for offences under the PDPA; and
- New data portability obligation for organizations.
Expanded scope for deemed consent
Prior to February 1, 2021, the PDPA provided that consent to the collection, use or disclosure of personal data may be deemed rather than express where the individual voluntarily provides personal data to an organization for a particular purpose and the collection, use or disclosure is done pursuant to that purpose.
The amended PDPA expands the scope of deemed consent in two other instances:
- Deemed consent by contractual necessity: Where an individual P discloses personal data to an organization X with a view to entering a contract or pursuant to an existing contract, P is deemed to consent to the disclosure of his or her personal data by X to another organization Y where such disclosure is necessary for the conclusion of the contract or the performance of the existing contract; and
- Deemed consent by notification: Where an organization has i) assessed that the collection, use and disclosure of the personal data would not have an adverse effect on the individual; ii) taken reasonable steps to notify the individual that it intends to collect, use or disclose his or her personal data; and iii) the individual does not object to such collection, use or disclosure within the prescribed time. The Personal Data Protection Committee (the PDPC) has issued an Assessment Checklist for Deemed Consent by Notification to guide organizations seeking to rely on such deemed consent.
New exceptions for legitimate interests and business improvements
The pre-amendment PDPA contained a slew of exceptions setting out instances in which consent is not required for the collection, use and disclosure of personal data. However, a jarring difference between Singapore’s PDPA and other established privacy laws such as the General Data Protection Regulation (GDPR) was the absence of a general legitimate interests exception.
The amended PDPA bridges this gap by implementing the legitimate interests and business improvement exceptions.
The legitimate interests exception
Under the legitimate interests exception, an organization may collect, use or disclose personal data without consent where:
- It is in the legitimate interests of the organization or another person; and
- The legitimate interests of the organization or other person outweigh any adverse effect on the individual.
Prior to relying on the legitimate interests exception, the organization must conduct an assessment of whether the above requirements are satisfied and provide the individual with access to information relating to the collection, use or disclosure of his or her personal information. The PDPC has released an Assessment Checklist for Legitimate Interests Exception to guide organizations in conducting such assessments.
While the legitimate interests exception may appear broad-ranging, it is clear that this exception may not be relied upon to justify all handling of personal data. In this regard, the PDPC has clarified that organizations cannot rely on the legitimate interests exception to send direct marketing messages.
The business improvement exception
In addition to the legitimate interests exception, the amended PDPA goes further in specifying that an organization may use personal data without consent for: i) improving, enhancing or developing new goods or services, or new methods or processes for business operations; ii) learning about and understanding the behavior and preferences of individuals in relation to its goods and services; and iii) identifying suitable goods or services for individuals, or personalizing and customizing such goods or services for them.
The exception also allows the sharing of personal data between related corporations (such as entities within a group of companies) for the above-listed business improvement purposes, provided that such related corporations are bound by obligations to safeguard the personal data.
The business improvement exception may only be relied on if i) such business improvement purposes cannot reasonably be achieved without the sharing or use of personal data in an individually identifiable form and ii) such sharing or use is reasonable.
Mandatory notification regime for data breaches
Under the amended PDPA, organizations are bound to notify affected individuals and the PDPC whenever there is a data breach (i.e., unauthorized access, collection, use, disclosure, copying or modification of personal data) that is i) likely to result in significant harm to an affected individual; or ii) likely to be of significant scale, affecting more than 500 individuals. (See Advisory Guidelines on Key Concepts in the Personal Data Protection Act (revised 1 February 2020) at [20.20] for details.)
An organization faced with a data breach is required to assess whether the breach is notifiable. If so, the organization must notify the PDPC and each affected individual. The notification to the PDPC must take place no later than three days after that assessment, while the affected individuals must be notified in a manner that is reasonable in the circumstances.
Personal liability for offences under the PDPA
The amended PDPA introduces personal liability for the egregious mishandling of personal data, on top of penalties on organizations.
An individual may be liable for an offence under the PDPA if he or she:
- Knowingly or recklessly discloses or causes to be disclosed personal data possessed by an organization (or public agency) without authority to do so;
- Knowingly or recklessly uses personal data possessed by an organization (or public agency) for gain for himself or another person or to cause harm or loss to another person without authority to do so; or
- Knowingly or recklessly re-identifies anonymized information possessed by an organization (or public agency) without authority to do so.
In each case, the infringer may be liable to a fine not exceeding S$5,000 (US$3,780) or to imprisonment of up to two years or to both.
New data portability obligation
The Personal Data Protection (Amendment) Bill 2020 introduces a new data portability obligation, under which organizations belonging to a prescribed class are required, upon request by an individual, to transmit personal data in electronic form relating to that individual that is in their possession to another organization. However, this part of the bill will only come into force on a future date to be announced. We expect more details regarding data portability (including the types of personal data and categories of organizations covered by the data portability obligation) to be issued by the PDPC before these provisions of the amended PDPA come into force.
The recent and proposed amendments to the PDPA represent major and prudent steps towards streamlining data privacy compliance in Singapore. In particular, the legitimate interests and business improvement exceptions will likely be critical to businesses which are increasingly reliant on data analytics as tools of growth.