Singapore’s Personal Data Protection Act Shifts Away from a Consent-Centric Framework

Authors: Caroline Hopland, Hunter Dorwart and Gabriela Zanfir-Fortuna

On November 2, 2020, the Singapore Parliament passed amendments to the Personal Data Protection Act 2012 (PDPA), the first comprehensive review of the law since its enactment in 2012, as announced by the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (Commission).

Some of the key changes include:

  1. a shift away from the consent-centric paradigm of the previous law by adding new exceptions to consent-based processing, including legitimate interests; 
  2. the introduction of a right to data portability; 
  3. new obligations to report data breaches; and 
  4. changes in the sanctions regime to increase penalties for individuals and organizations that breach the law, including prison sentences, and to enhance the enforcement powers of the Commission. 

The Amended Act will only enter into force once the President assents to it and a notification is published in the Government Gazette. Experts expect it to come into force before the end of 2020. 

Below we address the key changes of the Act: (1) new definitions, including “derived personal data”; (2) new exceptions to the rule that consent is required for collecting and otherwise processing personal data, including contractual necessity and legitimate interests; (3) enhanced accountability; (4) the introduction of a right to data portability; (5) new requirements to notify data breaches; and (6) the enhanced liability and sanctions regime, which now includes personal criminal liability for specific offenses, increased fines and an alternative dispute resolution option.

 

1. “Derived Personal Data”: Newly Defined and Exempted from Correction and Portability Requests

 

The Act was amended to include new definitions, such as “derived personal data,” and a set of definitions that are relevant in the context of the new right to data portability – “user activity data,” “user-provided data,” “data porting request,” and “ongoing relationship.”

“Derived personal data” is akin to “inferred personal data” as defined by the European Data Protection Board (EDPB)[1], and it refers to “personal data about an individual that is derived by an organization in the course of business from other personal data about that individual or another individual in the possession or under the control of the organization.” However, it excludes personal data “derived using any prescribed means or method, such as mathematical averaging and summation,” so further guidance may be needed to fully circumscribe this exception. 

Note that there are two tailored rules for “derived personal data” in the amended Act – in particular, data subjects cannot obtain the correction of an error or omission if the request concerns derived data (see the amended Sixth Schedule redefining exemptions from Section 22 of the PDPA). In addition, similarly to the right to data portability under the EU’s General Data Protection Regulation (GDPR), a porting organization is not required to transmit any derived personal data following a data portability request (see the new Twelfth Schedule).

 

2. New Rules to Define “Deemed Consent” and to Shift from the Consent-Centric Framework of the PDPA

 

Three changes loosen the consent requirement. First (2.1), organizations may disclose an individual’s personal data to other organizations without the individual’s express consent where the disclosure is reasonably necessary for a contract with the individual and the contract does not provide otherwise (see amended Section 15). Second (2.2), an organization may rely on “deemed consent” if it conducts a risk assessment, informs the individual of its intention to collect, use or disclose the personal data, and the individual does not notify the organization of an objection within a reasonable period (see new Section 15A). Third (2.3), beyond expanding the meaning of “deemed consent,” the amended PDPA adds “legitimate interests” and “business improvement purposes” as outright exceptions from obtaining consent for the collection, use or disclosure of personal data.

2.1. “Deemed Consent by Contractual Necessity” to Allow Data Sharing

Section 15 of the PDPA has been modified to introduce “deemed consent by contractual necessity,” whose purpose is to facilitate data sharing. According to the amended PDPA, an individual who provides personal data to an organization with a view to entering into a contract with that organization is deemed to consent to the following, where “reasonably necessary” for the conclusion of the contract between them:

1) the organization’s disclosure of that personal data to a second organization; 

2) the collection and use of that personal data by the second organization; and 

3) the second organization’s disclosure of that personal data to a third organization. 

The third organization should apply the rules as if the original organization had disclosed the personal data provided by the individual to it directly. This allows the disclosure to, and the collection, use and disclosure by, successive organizations of the personal data provided by the individual, where reasonably necessary for the conclusion of the contract between the individual and the original organization. 

This amendment applies retroactively. Personal data provided before these amendments enter into force is to be treated as if the amended provisions had been in force when the data was first provided and had remained in force since, so organizations may rely on this deemed consent to use and share personal data collected before the effective date of the Act.

2.2. “Deemed Consent by Notification” (and Risk Assessment)

“Deemed consent” is further expanded to cover the situation where an organization assesses the likely adverse effect of the intended collection, use or disclosure on the individual, informs the individual of the intended processing and of how to object to it, and the individual does not object within a reasonable period (see new Section 15A). If the individual does not notify the organization within that period that they do not consent, valid “deemed consent” is treated as given.

In a test similar to the legitimate interests assessment and balancing exercise under the GDPR, the risk assessment for “deemed consent by notification” according to the amended PDPA must:

1) identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual; and

2) identify and implement reasonable measures to:

   a) eliminate the adverse effect;

   b) reduce the likelihood that the adverse effect will occur; or

   c) mitigate the adverse effect.

In addition, the organization must take reasonable steps to inform the individual about the 1) intention and purpose for which the personal data will be collected, used, or disclosed; and 2) the reasonable period and manner with which the individual can opt out and notify the organization that they do not consent to the proposed collection, use or disclosure of their personal data. 

2.3 New Exceptions from Consent, Including Legitimate Interests & Business Improvement Purposes

The amendments carve out new exceptions for organizations regarding their collection, use, and disclosure practices based on vital interests of the individuals, public interest (from processing publicly available personal data, to processing for artistic or literary purposes, or for archival or historical purposes), legitimate interests, business asset transactions, and business improvement purposes (see Section 17 and the new First Schedule). In addition, the amended Act provides for exceptions from consent specifically for using personal data, for example for research purposes, and exceptions for disclosing personal data, for research purposes as well or in the public interest (see the new Second Schedule).

Legitimate Interests: Organizations can collect, use, and disclose personal data without the consent of the individual when 1) it is in the legitimate interests of the organization or another person; and 2) the legitimate interests of the organization or other person outweigh any adverse effect on the individual. Before collecting, using or disclosing such personal data, the organization must conduct an assessment to identify any adverse effect that the proposed collection, use or disclosure is likely to have on the individual, and must:

1) identify and implement reasonable measures to eliminate the adverse effect, reduce the likelihood that it will occur, or mitigate it; and

2) comply with any other prescribed requirements.

Some legitimate interests are specifically enumerated in the First Schedule, such as recovering a debt from an individual or paying a debt to an individual. Processing of personal data in employment contexts is also specifically mentioned. The organization must provide the individual with reasonable access to information about its collection, use or disclosure of the individual’s personal data.  

Business improvement purposes: Personal data about an individual can also be used by an organization without the individual’s consent for specifically defined business improvement purposes to: 

1) improve or enhance any of the organization’s existing or developing goods or services it provides; 

2) improve or enhance any of the organization’s existing or developing methods or processes for the organization’s operations; 

3) learn about and understand the behavior and preferences of the individual or another individual in relation to the goods or services the organization provides; and

4) identify any goods or services provided by the organization that may be suitable for the individual or another individual, or to personalize or customize any such goods or services for that individual or another individual. 

This exception is limited by data minimization requirements and by a reasonableness test. Specifically, it only applies if the purpose for which the organization uses personal data about the individual cannot reasonably be achieved without the use of the personal data in an individually identifiable form; as well as if a reasonable person would consider the use of personal data about the individual for that purpose to be appropriate in the circumstances. 

 

3. Enhanced Accountability 

 

The amendments aim to strengthen the accountability of organizations with respect to the processing of personal data. Part III of the PDPA, originally titled “General Rules With Respect to Protection of Personal Data,” is retitled “General Rules With Respect to Protection of and Accountability For Personal Data.” Most notable, however, are the new mandatory assessments for “deemed consent by notification,” legitimate interests, and data breaches, which create concrete accountability measures for organizations to implement. Two other requirements further highlight the amendments’ aim to strengthen accountability:

Preservation of Copies of Personal Data: New Section 22A, which sits alongside the access and correction provisions, requires an organization that refuses an individual’s request for access to personal data in its possession or under its control to preserve a copy of the personal data concerned for a prescribed period. The organization must ensure that the preserved copy is a complete and accurate copy of the personal data concerned.

Protection of Personal Data Extended: Section 24 is amended to extend an organization’s obligation to protect personal data in its possession or under its control. An organization must not only make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data, or similar risks, but is now also required to make reasonable security arrangements to prevent the loss of any storage medium or device on which personal data in its possession or under its control is stored. This adds an explicit requirement that security measures cover the physical devices and media that hold personal data, not only logical access to the data itself.

 

4. Introduction of a Right to Data Portability 

 

The amended PDPA introduces a right to data portability, and corresponding obligations (Sections 26F to 26J, in new Part VIB of the amended PDPA). The declared purpose of these obligations is to give consumers greater autonomy to control their personal data and to make it easier for individuals to switch services across an innovative and competitive ecosystem (Section 26G). To this end, the amendments introduce a handful of terms such as “data porting request,” “porting organization,” and “receiving organization” to denote the various actors involved in the portability and transfer of data.

As an overarching matter, the portability requirements apply only to personal data that is in electronic form on the date of the porting request and collected by the porting organization on a date before receiving the porting request. The portability requirements will apply retroactively to data collected before the commencement of the amended Act. 

An individual may request a porting organization to transmit applicable data about the individual directly to a receiving organization. Unlike the GDPR and the California Consumer Privacy Act (CCPA), the PDPA’s portability right does not give the individual a right to obtain a copy of their personal data in a portable format for themselves. The porting organization must comply with the request if it has an ongoing relationship with the individual at the time of the request, the request satisfies “prescribed requirements,” and the receiving organization is either constituted under the law of Singapore or has a presence in Singapore, regardless of where it stores the data.

The amendments prohibit transfers of data pursuant to data porting requests if 1) the transmission would likely threaten the safety, or physical or mental health of the individual or a third-party or is otherwise contrary to national interest; 2) the receiving organization is excluded by further regulations; or 3) the Commission directs the porting organization not to transmit the data. 

If a porting organization fails to transfer applicable data under the request, the organization must notify the individual of the refusal within a prescribed time and in accordance with prescribed requirements. These portability requirements do not affect the restrictions on disclosure of personal data under other written laws. 

The amendments regulate instances where transferring applicable data about one individual results in the transmission of personal data about another individual. Under the Act, a porting organization may disclose personal data about a third-party without that person’s consent only if the individual requesting the transfer makes the request in her personal capacity and the request relates to her user activity data or user-provided data. A receiving organization in this context which receives any personal data about a third-party can only use that data for the purpose of providing goods or services to the individual requesting the transfer. 

The amendments clarify that a porting organization that discloses a third party’s personal data in the course of complying with a data porting request is not thereby in breach of any obligation as to secrecy or other restriction on disclosure under any written law or contract, or of any rule of professional conduct.

In addition to general portability obligations, porting organizations must preserve a complete and accurate copy of any applicable data specified in a data porting request for a prescribed period of time. Such preservation must occur regardless of whether the organization refused to transmit data for any reason. The Commission may prescribe different periods for different porting organizations or circumstances. 

Finally, the updated provisions stipulate that data portability obligations apply to applicable data regardless of whether a porting organization stores, processes, or transmits data in Singapore or a country or territory outside of Singapore. 

 

5. Mandatory Data Breach Notification Requirements

 

Under the amended law, organizations will need to implement breach notification measures. New Part VIA requires an organization to assess data breaches affecting personal data in its possession or control, and to notify the Commission, as well as the affected individuals, of the occurrence of a notifiable data breach. Data breaches are defined as i) the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data; or ii) the loss of any storage medium or device which stores personal data in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur. 

A notifiable data breach occurs when the breach 1) results in, or is likely to result in, significant harm to an affected individual; or 2) is, or is likely to be, of a significant scale. Further regulatory guidance will be needed to identify the thresholds for notification. According to the amended law, a data breach is deemed to result in significant harm to an individual 1) if the data breach relates to any “prescribed personal data or class of personal data” relating to the individual; or 2) in other “prescribed circumstances.” A data breach is not notifiable when it consists only of unauthorized access, collection, use, disclosure, copying or modification of personal data within the organization.

An organization must conduct a data breach assessment when it has reason to believe that a breach affecting personal data in its possession or under its control has occurred. The assessment must be conducted in a reasonable and expeditious manner, and must determine whether the data breach is notifiable. A data intermediary that has reason to believe a breach has occurred in relation to personal data it processes on behalf of another organization or a public agency must notify that organization or public agency without undue delay; the duty to assess and, where required, notify the Commission and individuals then rests with that organization.

Once the organization assesses that the breach is notifiable, it must notify the Commission as soon as practicable, and in any case no later than three calendar days after making that assessment. It must also notify each affected individual, in any manner that is reasonable in the circumstances, but only where the breach results in, or is likely to result in, significant harm to the individual; a breach that is notifiable solely because of its significant scale does not trigger individual notification.

An organization is not required to notify affected individuals of a notifiable data breach if 1) on or after assessing the breach, it takes action that renders it unlikely that the breach will result in significant harm to the affected individuals; or 2) it had, before the breach, implemented a technological measure (such as encryption of the affected data) that renders it unlikely that the breach will result in significant harm to the affected individuals. Finally, a law enforcement agency may instruct, and the Commission may direct, the organization not to notify the affected individuals, for example where notification would compromise an investigation.

 

6. Penalties and Enforcement: Increased Fines, Personal Criminal Liability and Alternative Dispute Resolution 

 

The amended Act imposes new criminal penalties on individuals who mishandle personal information. Under the amendments, an individual may be criminally liable for three separate offenses, related in principle to security breaches and to re-identification of data sets:

  1. knowing or reckless unauthorized disclosure of personal data in the possession of an organization or public agency to another person;
  2. knowing or reckless unauthorized use of personal data in the possession of an organization or public agency that results in a gain for the individual or third party or causes harm to an individual; or
  3. knowing or reckless unauthorized re-identification of anonymized personal data in the possession of an organization or public agency.

Individuals found guilty of each offense could face up to a SGD 5,000 fine or two years imprisonment, or both. A defense exists if an individual can prove that the data in question was publicly available at the time of disclosure, or that inappropriate handling of the information was required under another law or an order of the Court.

Apart from these offenses, the amendments increase the financial penalties on organizations for intentional or negligent breaches of the law. Under the new regime, the maximum financial penalty is 10% of an organization’s annual turnover in Singapore where that turnover exceeds SGD 10 million, and SGD 1 million in any other case. The old law set a flat cap of SGD 1 million per infringement.

In addition, the amendments authorize the Commission to establish alternative dispute resolution mechanisms to handle complaints brought by individuals against an organization by mediation. The Commission may order a dispute resolution without the consent of the individual or the organization. Individuals may also apply for the Commission to review an organization’s refusal or failure to provide access, transmit applicable data pursuant to a data porting request, or a fee imposed in relation to the data porting request. Additionally, the amended Act grants the Commission authority to order an organization or individual to stop collecting or using data or destroy any data in contravention of the Act. 

Finally, under the original version of the PDPA, individuals harmed as a result of an entity violating any provision in Part IV, V or VI had a private right of action for relief in a civil proceeding. The new amendments retain the private right of action, but expand the scope of actionable violations to include Part VIA (data breach notification provisions), VIB (data portability provisions) and Division 3 of Part IX or Part IXA.

7. Conclusions

The changes brought to the Personal Data Protection Act of Singapore are underpinned by a shift from a consent-centric legal regime for collecting and processing personal data toward accountability of organizations and risk-based processing. This shift is complemented by a strengthening of individuals’ control over their personal data through the new right to data portability, which is also a nod to the influence of the EU’s GDPR on data protection and privacy laws around the world.

 

[1] See, for example, the European Data Protection Board Guidelines 8/2020 on the targeting of social media users.

 

This blog is part of a series of overviews of new laws and bills around the world regulating the processing of personal data, coordinated by Gabriela Zanfir-Fortuna, Senior Counsel for Global Privacy.