Singapore: PDPA reforms - Data protection enters a new phase
On 2 November 2020, it was announced that the Parliament of Singapore had passed a bill to reform the Personal Data Protection Act (No. 26 of 2012) ('PDPA') and the Spam Control Act 2007. Jeffrey Lim, Director at Joyce A. Tan & Partners LLC, analyses the key changes introduced and what they can tell us about Singapore's approach to data protection regulation going forward.
So now that the Singapore Parliament has passed the Personal Data Protection (Amendment) Bill, it is worth taking stock of what the changes to the law signify in the light of the journey so far. Where else might Singapore law, relevant to so many businesses because Singapore is a regional hub for business in Asia, take us? Let's first catalogue a few of the key changes being made to the PDPA before drawing some conclusions.
Data portability rights
Data portability rights are an acknowledgment of both the need for innovation and the market power of having access to personal data as an asset / resource.
Organisations will be under a requirement to transmit an individual's personal data to another organisation upon the request of that individual. The organisation's obligation will only apply to:
- user-provided data;
- requesting individuals with an existing, direct relationship with the organisation; and
- receiving organisations with a presence in Singapore.
However, personal data that is derived by an organisation in the course of business from other personal data is not covered by the portability obligation.
Why the distinction? Data enriched through processing, insights and the findings of data analytics are all assets that give a competitive edge, and are key drivers in digitalised economies. Permitting the transfer of data in its original user-created form, but excluding derived data, lets organisations retain the benefit of investing in their data rather than losing it to a competitor through a portability request.
Additionally, the Personal Data Protection Commission ('PDPC') stated in the public consultation paper that it will work with industry and sector regulators to introduce regulations to improve clarity on the data portability requirement, including:
- a 'whitelist' of data categories to which portability applies;
- technical and procedural details to ensure the correct data is transmitted safely to the right receiving organisation;
- relevant data porting request models, for example, a push model where consumers can make the data porting request directly to the porting organisation, or a pull model where consumers make the porting request through the receiving organisation; and
- safeguards for individuals, for example, introducing cooling-off periods for certain datasets to provide time for a consumer to change their mind and withdraw a porting request, and the establishment of a blacklist of organisations to which porting organisations may justifiably refuse to port data.
Mandatory data breach reporting
The title to this is self-explanatory, so briefly, organisations will be required to notify the data protection authority, namely the PDPC, as well as affected individuals of a data breach that:
- results in, or is likely to result in, significant harm to the affected individuals; or
- is of a significant scale.
Not all jurisdictions in Asia that have data protection / privacy laws prescribe mandatory breach notification, but its societal and strategic benefits can be simply identified as not only driving compliance efforts (and therefore improving the data / cyber 'hygiene' levels in a community), but also potentially adding more visibility to regulatory authorities and other bodies that might set important policy decisions.
Increased ceiling on fines
The amendments will increase the ceiling on fines payable under the PDPA. This will be increased to up to 10% of annual gross turnover in Singapore (for organisations with more than SGD 10 million (approx. €6.22 million) in yearly turnover), or SGD 1 million (approx. €622,300), whichever is higher.
Enhanced fines, in the form of a higher potential ceiling on administrative actions, are a way to drive organisations to make a greater effort or investment in data protection. Singapore is not alone in this – the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') in this respect is eye-popping to say the least – but the policy clearly is to draw the business community's attention to the increased value of personal data.
As Singapore's economy hurtles further into digitalisation, this is an obvious policy choice.
Enhanced consent management framework
To facilitate organisations' use and processing of personal data for business purposes, the concept of 'deemed consent' will be expanded in scope so as also to cover circumstances where:
- the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or
- individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt out, and have not opted out.
Key exceptions to the consent obligation include the following:
- Legitimate interests exception – Under this exception, consent will not be required where the legitimate interests of the organisation and the benefit to the public together outweigh any adverse effect on the individual. This could include the purposes of detecting or preventing illegal activities (e.g. fraud and money laundering) or threats to physical safety and security, and ensuring IT and network security.
- Business improvement exception – Organisations may use personal data without consent for the purposes of (i) operational efficiency and service improvements; (ii) developing or enhancing products/services; and (iii) knowing the organisation's customers.
- Research exception – Organisations will be allowed to use and disclose personal data without consent for research purposes on condition that (i) the use of personal data or the results of the research will not have an adverse effect on individuals; and (ii) results of the research will not be published in a form which identifies an individual.
Each of these exceptions is telling. The policy clearly is to facilitate responsible innovation, and provide angles with which a business can not only operate, but improve its operations and undertake critical research and development in an age where data and knowledge are more important than ever.
Add it all up, and it is clear these changes signal that Singapore's journey with personal data is entering a new phase of maturity.
It's been eight years since the PDPA was passed, and six years since it came into full effect, and since then both the PDPA and the maturity of Singapore's business community have developed substantially in matters of data protection.
As the subtle shifts in the nature of enforcement cases show (i.e. moving from basic errors and breaches in data protection issues, to more sophisticated questions), the business community's ability to grapple with data protection issues has increased.
Where to next? We can pick up some clues from the trajectory of approaches we've seen in neighbouring areas: Singapore is already a leader in ethics frameworks on artificial intelligence, forging a values-neutral accountability framework. So it is not hard to see Singapore pressing further towards legal developments aimed at facilitating greater flexibility for responsible collaboration in digital use cases involving data.
Might we see the push in the EU for responsible conduct of digital operators (e.g. in the example of the proposed Digital Services Act or Digital Markets Act) partly rendered in data protection laws or in near areas?
Watch this space.
Jeffrey Lim, Director
Joyce A. Tan & Partners LLC, Singapore