Written by Nadine Tong and Emma Leung
On 5 October 2020, the Personal Data Protection (Amendment) Bill (“the Bill”) was introduced and read for the first time in Parliament. The Bill proposes various changes to the existing Personal Data Protection Act 2012 (“the Act” or “PDPA”) that represent a shift to align Singapore’s data protection regime with rising global standards.
This article will first set out the Act and the purpose of its amendment. It will then set out the amendments in the Bill and evaluate them on several bases: first, in terms of whether they achieve their original purpose, and second, in comparison to the international standard of data protection.
Overall, this article argues that the amendments introduced in the Bill are useful in addressing the ‘gaps’ in data protection left in the original Act. However, as the Bill is relatively new and has not yet been put into force, it remains to be seen whether the enforcement of the amendments will be effective.
The Act: Background
The purpose of the Act was to set a “baseline standard for data protection in the private sector”, striking a balance between the need to protect individuals’ personal data and private organisations’ need to collect, use and disclose personal data for legitimate and reasonable purposes. For the purposes of the Act, “personal data” refers to data that an individual can be identified from.
The Personal Data Protection Committee (“PDPC”) conducted a review of the PDPA earlier this year in May in order to take into account technological developments which have resulted in a substantial increase in the collection of personal data, new business models and global developments in data protection legislation.
The PDPC put forward four key themes underlying the amendments to the Act. They are: ensuring greater accountability, enabling meaningful consent, providing greater consumer autonomy and strengthening the effectiveness of the PDPC’s enforcement efforts. Thus, the amendments were largely focused on strengthening public trust, enhancing business competitiveness, and critically, providing greater organisational accountability and assurance to consumers.
Having set out the background to the Act and its amendments, this article will now move on to assessing the key amendments under each theme set out above.
Key Amendments Under the Bill
1. Greater Accountability & Enforcement Efforts
New mandatory data breach notification
Under the Personal Data Protection (Amendment) Bill 2020, the concept of mandatory data breach notification will be introduced to the PDPA in Part VIA, Notification of Data Breaches. This obligation did not exist under the prior Personal Data Protection Act 2012. This amendment is part of the shift that data protection laws have been making towards an accountability-based approach, whereby organisations must meet the relevant data protection standards. The PDPC recognised that such notifications are crucial to organisational accountability because they encourage organisations to “establish risk-based internal monitoring and reporting systems to detect data incidents”.
What is the amendment?
Under this new mandatory data breach notification regime, organisations are required to notify:
1) The PDPC of a data breach that either
a) Results in or is likely to result in significant harm to affected individuals; or
b) Is of a significant scale (ie more than 500 affected individuals); and
2) Affected individuals of a data breach, if the breach is likely to result in significant harm to those individuals.
For the purposes of this data breach notification regime, a “data breach” refers to any unauthorised access, collection, use, disclosure, copying, modification, disposal of personal data, or loss of any storage medium or device on which personal data is stored.
Where an organisation has reason to believe that a breach has occurred, it must conduct, in a reasonable and expeditious manner, an assessment of whether the breach is notifiable.
Where a breach is deemed to be notifiable, the organisation must notify the following parties:
1) All affected individuals as soon as possible
2) The PDPC no later than three calendar days after it has made that assessment.
Exceptions to the notification requirement are set out in Section 26(4)-(7) of the Amendment Bill. These include situations where significant harm is unlikely to occur, such as where remedial action has been taken by the organisation or technological safeguards are present, or where organisations are instructed by law enforcement agencies or the PDPC not to notify individuals.
Evaluation of the amendment
The increased emphasis on organisational accountability is likely to be a welcome change for users, as the introduction of a mandatory data breach notification regime imposes a higher standard of responsibility on organisations in the way they are expected to manage personal data and breaches. This in turn will give users greater confidence and trust in organisations to store and use their data.
However, some concern has been expressed with regard to the lack of clarity as to when a data breach will be considered to result in, or be likely to result in, “significant harm”. Under Section 13 of the Amendment Bill, an individual is likely to suffer “significant harm” from a data breach if it affects any prescribed class of personal data relating to the individual.
It should be noted that the proposed amendment closely follows the model in the Australian Privacy Act, consistent with the overarching goal of bringing the data protection regime in Singapore in line with international standards.
New offences relating to the mishandling of personal data
In keeping with the overarching goal of strengthening organisations’ accountability, the PDPC has also introduced new offences relating to the mishandling of personal data under the Amendment Bill.
What are the amendments?
The Amendment Bill introduces, under Part VIIA, an offence for individuals’ “egregious mishandling of personal data” in the possession or under the control of any organisation or a public agency. This includes:
1) Knowing or reckless unauthorised disclosure of personal data;
2) Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
3) Knowing or reckless unauthorised re-identification of anonymised data.
Evaluation of the offence
Overall, the introduction of new offences for the mishandling of personal data by individuals is a welcome change and arguably “plugs a gap” in the PDPA, which has previously been focused on the responsibility of organisations rather than of the individual. Whilst ensuring organisational accountability is undoubtedly important, ultimately the argument can be made that individual actors are “autonomous actors”, whose intentions may not necessarily be aligned with those of the organisations that they work for.
Given the increasing amount of personal data that organisations collect from individuals and the increasing value of such data, ensuring both individual and organisational accountability is of the utmost importance in preventing mishandling of such data.
Increased financial penalties
The Amendment Bill increases the financial penalty for data breaches from up to S$1 million to:
1) Up to 10% of an organisation’s annual gross turnover in Singapore, or
2) S$1 million, whichever is higher.
The purpose of the amendment was to serve as a stronger financial deterrent, enabling the PDPC to take effective enforcement action based on the circumstances and seriousness of a breach. In this regard, the increased financial penalty effectively serves to further one of the key underlying purposes of the amendments: accountability. However, it can be argued that the shift to revenue-based financial penalties is problematic, as it does not necessarily guarantee stronger enforcement of data protection laws. Additionally, this approach could punish organisations with high turnover rates and lower profit margins, such as those in the property sector. This would also mean that organisations will be subject to differing amounts of penalties for breaches of the same degree and nature. Yet, on the other hand, the shift in approach can be seen as introducing a measure of proportionality, as prior to this amendment the cap of S$1 million would obviously be much more impactful for small organisations than large ones.
The amendment will also bring Singapore in line with the standard adopted in other jurisdictions, such as the Global Data Protection Regulations (“GDPR”) in Europe. The GDPR adopts a revenue-based maximum financial penalty; very similar to the PDPA, the financial penalty for a serious data breach is 4% of an entity’s global annual turnover or €20 million (S$30.7 million), whichever is higher. Alternatively, a less serious breach will face a maximum of €10 million (S$16 million) or 2% of the entity’s global annual turnover, whichever is higher. It should be noted that the PDPC, whilst choosing to follow a similar structure to the GDPR in terms of allotting financial penalties, did not apply a similar tiered approach which takes into account the severity of the breaches.
2. Enabling Meaningful Consent
The PDPA takes a consent-based approach to the collection, use and disclosure of personal data. However, there are limitations to this approach, as have been identified in public consultation papers on the Act. It is being increasingly acknowledged that other bases for approaching data privacy are appropriate in limited circumstances, subject to various requirements (ie. reasonableness requirements and assessments of impacts on individuals). Such issues have been considered in the Bill, and the following amendments were proposed in a bid to enable more meaningful consent.
Expansion of deemed consent
What is the amendment?
Under the PDPA, apart from implied consent applying where an individual voluntarily provides an organisation with their personal data, there is also deemed consent where it is necessary to satisfy the individual’s contractual needs, or when the individual is informed of the purpose of data processing. The Bill widens the scope of deemed consent under Section 15 of the Act to include:
a) deemed consent by contractual necessity -- allowing consent to be deemed for the disclosure to and use of personal data by third-party organisations, as well as these third-party organisations’ collection and use of personal data, in situations where it is reasonably necessary for a contract or transaction to be concluded or performed; and
b) deemed consent by notification -- allowing consent to be deemed if an individual has been notified of the purpose of the intended collection, use or disclosure of their personal data and given a reasonable period in which to opt out (and has chosen not to do so). This is provided that organisations have assessed and ascertained that the intended collection, use or disclosure of personal data is not likely to adversely affect the individual, having taken into account any measures implemented to eliminate, reduce or mitigate any such adverse effect.
Evaluation of the amendment
One of the issues identified with the original consent model was that it leads to consent fatigue. The strong emphasis on consent-taking has led to the use of lengthy consent forms and notices by organisations, which may overwhelm individuals, leading to them providing their assent without properly reading these forms, preventing them from understanding exactly what they are consenting to. This serves to undermine the premise of obtaining consent itself. The expanded scope of deemed consent provides a more practical and sustainable approach to the collection and use of personal data, addressing the issue of consent fatigue, and therefore enabling more meaningful consent to be given.
New exceptions to the consent requirement
What is the amendment?
Apart from expanding the scope of deemed consent, the Bill also introduces two new exceptions to the requirement of consent:
(a) legitimate interests exception -- allowing an organisation to collect, use or disclose personal data without an individual’s consent where it is in the legitimate interest of the organisation to do so, and where the benefit this confers on the public is greater than any adverse effect on the individual. To rely on this exception, organisations must: (i) assess any likely adverse effect on the individual, and take steps to eliminate, reduce or mitigate any such effects; (ii) make a determination that the public benefit outweighs any likely adverse effect on the individual; and (iii) disclose their reliance on legitimate interests to the individual, in collecting, using or disclosing their personal data; and
(b) business improvement exception -- allowing an organisation to use personal data without an individual’s consent for the following business improvement purposes: (i) operational efficiency and service improvements; (ii) developing or enhancing products and services; and (iii) knowing the organisation’s customers. This exception is subject to a requirement of reasonableness (ie. what a reasonable person would deem appropriate given the circumstances), and cannot be used to make decisions which would adversely impact the individual.
Evaluation of the amendment
The expansion of the category of exceptions to consent comes about as a response to the understanding that it is not always desirable or appropriate to ask for consent. The original approach to obtaining consent under the Act worked under certain assumptions, such as that individuals would weigh the personal costs of sharing their personal data against the public benefits in making consent decisions. However, this is not always the case, the aforementioned consent fatigue being a reason for this. Furthermore, individuals’ consent decisions may not necessarily yield the best societal outcomes (eg. fraud detection). These exceptions seek to address the limitations of a consent-based data protection framework, providing a more practical and sustainable means of collecting, using and disclosing personal data.
However, this does not mean that organisations are given free rein over individuals’ personal data. The PDPC has taken care to ensure adequate safeguards have been implemented. In order to rely on these exceptions, organisations are required to be more deliberate in collecting, using and managing personal data. For instance, an obligation is placed on them to assess the potential adverse effects of their personal data usage on individuals, and take steps to eliminate or at least reduce them. This makes organisations more accountable to their stakeholders, fostering greater trust in these organisations, and instilling greater confidence in Singapore’s data protection regime as a whole.
3. Greater Consumer Autonomy
Data Portability Obligation
The Amendment Bill also aims to ensure greater consumer autonomy by introducing a data portability obligation. This requires organisations to, at the request of the individual, transmit any personal data on that individual in the organisation’s possession to another organisation in a widely-used machine-readable format.
This obligation is subject to a few exceptions, a key one being that it only applies to data provided by the individual, or data on the individual generated as a result of the individual’s use of the organisation’s product or service.
Evaluation of the amendment
This data portability obligation, which can already be found in many international data protection laws, most notably the GDPR, is aimed at granting individuals more autonomy and control over their personal data, as well as facilitating more innovative and intensive use of data.
While data portability does lead to an increase in compliance costs for industries and businesses, it also facilitates a ‘more free-flowing competitive business environment and level playing field for new entrants seeking to establish a foothold in an industry’.
Expansion of the Spam Control Act (“SCA”)
Under the Amendment Bill, the existing Do Not Call (“DNC”) provisions under the PDPA 2012 will be amended to prohibit the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks or address harvesting software. Additionally, the Spam Control Act will apply to unsolicited commercial text messages where they are addressed to instant messaging (“IM”) identifiers (such as Facebook and WeChat).
Evaluation of the amendment
As a result of the amendment, the DNC provisions and the SCA have been consolidated and streamlined, allowing businesses to benefit from the clarity for the purposes of compliance. Furthermore, widening the scope of DNC provisions under the new PDPA by applying it to unsolicited marketing text messages regardless of whether they are sent in bulk will provide greater protection to individuals. Specifically bearing the focus on consumer protection and autonomy in mind, the extension of the SCA to IM identifiers helps to further this goal by allowing individuals to better manage such messages.
One might make the argument that whilst the amendments are indeed welcome and help to increase consumer protection and autonomy, more could have been done. For example, as suggested by the Ministry of Communications and Information (“MCI”), the prohibition from IM accounts could have been extended to in-app notifications or the mobile device’s notification. The MCI argued that in line with the amendment’s objective to provide consumers with greater control over unsolicited marketing messages, the regulation of such messages should be “technologically agnostic”. Indeed, such an extension would have been welcome and would have reduced the need for further amendments in the future to account for different channels of delivery.
Nonetheless, whilst the scope of the amendment could have been wider, it is fair to argue that for the time being it seems to sufficiently achieve its original objective.
In conclusion, broadly the amendments to the PDPA are both effective and welcome changes, setting up an effective framework to achieve the objectives of the amendments themselves, as well as moving Singapore’s data protection regime more in line with global standards, such as the GDPR. The amendments account for advances in technology, whilst also recognising the commercial reality about personal data usage and adjusting data protection laws accordingly.
That being said, as the amendments are relatively new, it remains to be seen whether their enforcement will be effective.