New Report on Limits of “Consent” in Singapore’s Data Protection Law
Introduction
Today, the Future of Privacy Forum (FPF) and Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the thirteenth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).
This report provides a detailed overview of relevant laws and regulations in Singapore, including:
- notice and consent requirements for processing personal data;
- the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
- statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.
The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.
Singapore’s Data Protection Landscape
Singapore’s Personal Data Protection Act 2012 (PDPA) was passed in November 2012 and significantly revised in 2020. Its stated purpose is to govern the collection, use, and disclosure of personal data by organizations in a manner that recognizes not only individuals’ right to protection of their personal data but also organizations’ needs to collect, use, and disclose personal data.
The PDPA sets the baseline standard of protection for personal data in Singapore, though organizations which are subject to sector-specific laws and regulations (including in the financial services and medical sectors) must also comply with sector-specific requirements.
The PDPA also establishes a data protection authority, the Personal Data Protection Commission (PDPC) to advance the PDPA’s stated purpose, balancing protection of personal data with use of personal data for legitimate purposes. To that end, the PDPC implements policies relating to personal data protection and issues advisory documents to help organizations to understand and comply with their obligations under the PDPA.
The PDPC is also empowered to enforce the PDPA by, for example, issuing binding directions or requiring payment of a financial penalty. The PDPC is active in enforcement and regularly publishes decisions, which effectively function as a body of case law on personal data protection matters, on its website.
Role and Status of Consent as a Basis for Processing Personal Data in Singapore
Consent has played a key role in the architecture of the PDPA since the PDPA was first enacted in 2012. The PDPA’s default requirement is that an organization may collect, use, or disclose personal data about an individual (i.e., the data subject) only if:
- the organization has obtained the individual’s actual consent (which may be express or implied) for the collection, use, or disclosure of his/her personal data; or
- the individual’s consent can be deemed by law.
However, this default requirement has always been subject to exceptions.
Between 2012 and 2021, the PDPA provided several long lists of exceptions to the consent requirement for collection, use, and disclosure of personal data in the Second, Third, and Fourth Schedules to the PDPA, respectively.
However, major recent amendments to the PDPA, which were passed in 2020 and took effect in 2021, replaced these various exceptions with a consolidated set of provisions allowing for collection, use, and disclosure of personal data without consent.
These provisions are set out in the First Schedule to the PDPA, under the following headings:
- “Vital Interests of Individuals.”
- “Matters affecting the Public.”
- “Legitimate Interests.”
- “Business Asset Transactions.”
- “Business Improvement Purposes.”
Additionally, the amended Second Schedule to the PDPA also provides further exceptions to consent for public interest and research purposes.
The new First and Second Schedules retain many of the old exceptions to consent. However, a notable introduction was the “legitimate interests” section, which – though borrowing a term from European data protection law – was unique when compared with other major data protection laws internationally. The amended PDPA distinguishes between two categories of legitimate interests:
- The first category is a general, open-ended provision, which is available where collection, use, or disclosure of personal data is in the “legitimate interests” of the organization or another person, and such legitimate interests outweigh any adverse effect on the individual. To rely on this provision, organizations must undertake a risk assessment that identifies any adverse effect on the individual that is likely to result from the proposed collection, use, or disclosure of the individual’s personal data, and must implement measures to eliminate that effect, reduce its likelihood, and/or mitigate it.
- The second category is a closed list of exceptions for specific situations in which the PDPA recognizes the existence of a legitimate interest. If the collection, use, or disclosure of personal data falls within any of these situations, then the organization is exempted from the need to obtain consent without having to satisfy any further compliance requirements.
Another notable introduction is the “business improvement purposes” section. This provision allows an organization to share data with a related organization for the following purposes, subject to fulfillment of certain conditions, including, among others, necessity, reasonableness of purpose, and commitment to implement appropriate safeguards:
- improving, enhancing, or developing goods and services or methods and processes;
- learning about and understanding individuals’ behavior and preferences in relation to goods and services; or
- identifying goods or services that may be suitable for individuals or personalizing or customizing any such goods or services for individuals.
The 2020 amendments also expanded the situations in which an individual would be deemed by law to have consented to collection, use, or disclosure of his/her personal data. The amendments added new provisions for deemed consent by contractual necessity and deemed consent by notification. The new provision on deemed consent by notification relies on a similar risk assessment to the legitimate interests provision. Specifically, to rely on this provision, an organization must:
- take reasonable steps to inform the individual of:
  - the organization’s intention to collect, use, or disclose the personal data; and
  - the purpose for which the personal data will be collected, used, or disclosed;
- provide a reasonable period during which the individual may opt out of the proposed collection, use, or disclosure, and a reasonable means to do so; and
- conduct an impact assessment to determine that the proposed collection, use, or disclosure of the personal data is not likely to have an adverse effect on the individual.
Independently of the requirement to obtain consent, the PDPA also restricts collection, use, and disclosure of personal data to purposes that a reasonable person would consider appropriate in the circumstances. An organization that wishes to collect, use, or disclose personal data must also notify the individual of this purpose, unless an exception applies.
Finally, regulations under the PDPA also establish informed consent as a legal basis for transferring personal data out of Singapore.
By default, the PDPA requires that organizations which seek to transfer personal data out of Singapore must either provide the data with, or apply to the data, a standard of protection that is comparable to that under the PDPA. However, organizations are taken to have satisfied this requirement if they obtain the individual’s consent for the transfer of the individual’s personal data out of Singapore after giving the individual a “reasonable summary in writing of the extent to which the transferred personal data will be protected to a comparable standard.”
Read the previous reports in the series here.
Blog Cover Image by Aditya Chinchure on Unsplash