On 5 October 2020, the Personal Data Protection (Amendment) Bill (“Bill”) was introduced and read for the first time in the Singapore Parliament. The Bill proposes material changes to the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA).
We had previously summarised in our earlier client alert the changes proposed during the public consultation on the Bill (“Consultation Paper”). There have been material changes between the Consultation Paper and the Bill presented in Parliament. For the purposes of this client alert, we have highlighted, in the paragraphs below, a few salient differences.
- The material changes outlined in the Bill will be incorporated into the PDPA after the Bill is passed by the Singapore Parliament and presented to the president for the president’s assent.
- There is provision for different commencement dates for deemed consent for contractual necessity, deemed consent by notification, the revised exemptions for collection, use and disclosure without consent, data portability requests, data breach notifications, and the enhanced financial penalties.
- Businesses should take steps now to consider how the provisions of the Bill may impact their businesses since some of the changes will likely take effect soon.
Please reach out to us should you require any guidance on how the Bill will affect you.
Summary of salient differences
Increased financial penalties and revised enforcement procedures for breaches of the PDPA
The proposal in the Consultation Paper to increase the financial penalty cap for PDPA breaches (up to 10% of an organisation’s gross annual turnover) has largely been retained in the Bill.
The Bill refines the penalty framework by introducing tiered penalties for different offences, and provides clarity on the processes and factors to be taken into account in the Personal Data Protection Commission’s (PDPC) exercise of its enforcement powers.
For instance, the Bill introduces a standard of intentional or negligent contravention of the PDPA before financial penalties may be imposed. In theory, mere noncompliance will only attract directions from the PDPC. Although these standards have been expressly set out in the Bill, it is unclear if this will make a difference in practice. The situations where financial penalties may be imposed currently could also be characterised as intentional or negligent contraventions of the PDPA. The Guide to Active Enforcement states “[g]enerally, financial penalties are reserved only for breaches which the PDPC views as particularly serious in nature.” In assessing the seriousness of the breach, the PDPC already considers:
- whether the organisation had acted deliberately or wilfully
- whether the organisation had known or ought to have known the risk of a serious contravention of the PDPA and failed to take reasonable steps to prevent it
In addition, organisations are given at least 14 days upon receipt of a notice specifying the PDPC’s intent to impose a financial penalty to submit written representations to the PDPC. Furthermore, the factors that the PDPC must take into account in making a determination with respect to the imposition of a financial penalty are expressly set out in the Bill. These factors include:
- the nature, gravity and duration of the noncompliance with the PDPA
- the type and nature of the personal data affected by noncompliance with the PDPA
- whether any financial benefit was gained or financial loss was avoided as a result of noncompliance with the PDPA
- whether there was previous noncompliance with the PDPA
- whether adequate and appropriate measures were implemented to comply with the PDPA despite the noncompliance with the PDPA
- the likely impact of the imposition of the financial penalty
Clarifications to the business improvement exception
The Consultation Paper introduced the much anticipated business improvement exception. The Bill modifies slightly the new ground for processing under Part 2 Division 2 of the Second Schedule and also adds a new exception in Part 5 of the First Schedule, in particular providing that:
- related organisations may share personal data, in certain circumstances, for the purposes of business improvement
- personalisation and customisation of existing goods/services are within scope of the exception
The conditions to rely on the business improvement exception continue to apply, which are as follows:
- The business improvement purpose cannot reasonably be achieved without personal data in an individually identifiable form.
- A reasonable person would consider the purpose to be appropriate.
For intra-group sharing of the data, the relevant group entities must be bound by any contract or binding corporate rules requiring the recipient of the data to implement and maintain appropriate safeguards for the data.
This exception cannot be relied upon to send direct marketing messages.
The new ground for processing under Part 2 Division 2 of the Second Schedule is only applicable for use by the organisation for business improvement purposes. The previous requirement in the Consultation Paper that “the use of the personal data by the organisation does not have any adverse effect on the individual to whom the personal data relates” has been removed.
Expansion of business asset transaction exception
The Bill addresses earlier feedback on the scope of the business asset transaction exception that had not been addressed in the Consultation Paper.
In particular, the Bill clarifies that this exception applies to other similar transactions such as mergers and acquisitions, sale of shares, transfer of controlling power or interests, corporate restructuring and reorganisation where “an interest in an organisation” or amalgamations with or transfers to related corporations are involved.
Retrospective application of deemed consent – contractual necessity
The Consultation Paper introduced the concept of deemed consent by contractual necessity, amongst an expanded deemed consent regime.
Deemed consent by contractual necessity is intended to cover both collection, use and disclosure of personal data conducted by the organisation, and also processing by downstream entities, such as processing that is reasonably necessary for the performance of the contract.
The Bill clarifies the scope of application of this rule on deemed consent. Deemed consent by contractual necessity will cover both relevant activities conducted on or after the date that the Bill comes into effect, and it will also apply retrospectively to personal data provided before those portions of the Bill take effect for contracts that are entered into and continue to be in force on or after the effective date of those portions of the Bill.
Offences related to personal data that individuals may be held accountable for
The Bill will introduce offences that hold individuals accountable for the mishandling of personal data. To address feedback that the language proposed may have a potential “chilling effect” on individuals who handle large volumes of data, the PDPC intends to provide additional guidance in advisory guidelines on the application of these offences. In particular, to address situations where conduct of an individual, in a corporate setting, is authorised and the forms in which such authorisation may take. An individual is not personally liable for actions that were authorised by the organisation.
We also note that the Bill expands on an existing offence that holds officers accountable for corporate offences that have been committed with the consent or connivance of the officer or attributable to neglect of the officer. The Bill expands on the categories of individuals that may be held accountable for corporate actions including “an individual involved in the management of an organisation and in a position to influence the conduct of an organisation in relation to the commission of an offence”.
It is unclear how this may impact data protection officers who have a responsibility for ensuring that the organisation complies with the PDPA. We hope that the PDPC will provide further guidance and clarification on this issue in its proposed advisory guidelines.