On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 came into effect as part of a phased implementation.
We had previously summarised in our earlier client alerts the changes proposed during the public consultation (“Consultation Paper”) on the Personal Data Protection (Amendment) Bill (“Bill”), as well as the salient differences between the Consultation Paper and the Bill that was introduced and read in the Singapore Parliament on 5 October 2020. The Bill has since been passed by Parliament on 2 November 2020 (“Act”), and the accompanying guidelines issued in draft form by the Personal Data Protection Commission (PDPC) on 20 November 2020, which we have summarised in another client alert, have since been integrated into the other guidelines issued by the PDPC.
In this client alert, we will further elaborate on some provisions of the Act that came into effect on 1 February 2021.
- The first phase of implementation of the Act introduced changes in key areas such as the system for mandatory data breach notifications, offences for mishandling personal data, and the expansion of the consent framework and related exceptions.
- Businesses should take steps to consider how to implement the provisions of the Act in practice, e.g., implementation of a data breach incident response plan; consider how the expansion of the consent framework and related exceptions may affect business operations in practice; and consequently, consider whether amendments to the privacy policies are required.
Key areas of change taking effect from 1 February 2021
Mandatory data breach notifications
The new mandatory data breach notification regime requires organisations to notify the PDPC of any data breach that results in, or is likely to result in, significant harm to the individuals to whom the personal data affected by the data breach relates (“affected individuals”), or that is of a significant scale, meaning that the personal data of more than 500 affected individuals is involved.
Organisations must also notify affected individuals if the data breach is likely to result in significant harm to them. However, an organisation is exempted from notifying affected individuals where an exception applies, such as where remedial action or technological measures have been taken and the data breach is no longer likely to result in significant harm to the affected individual.
Notifications must be made to the PDPC as soon as is practicable, but in any case no later than three calendar days after the day the organisation made the determination that a data breach should be notified. Notifications to individuals should be made at the same time as notification to the PDPC (to the extent practically possible), if not shortly after.
The Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“Regulations on Data Breach Notifications”) prescribe a list of personal data and classes of personal data that will be deemed to result in significant harm to affected individuals if such data is compromised in a data breach. This includes financial information that is not publicly disclosed, information leading to the identification of a vulnerable individual, information relating to adoption, and specified medical information. Where a data breach affects 500 or more individuals, the PDPC must be notified of the data breach regardless of whether the data breach involves any of the prescribed personal data or classes of personal data.
The Regulations on Data Breach Notifications also provide for a prescribed list of the minimum information that the notification must contain, such as the date on which and circumstances in which the organisation first became aware of the data breach; a chronological account of steps taken by the organisation after the data breach had occurred, including the organisation’s assessment that the data breach is a notifiable one; the number of affected individuals and how they are affected by the data breach, including the personal data and classes of personal data affected; and the potential harm to the affected individuals as a result of the data breach.
Offences for mishandling of personal data
The Act introduces new criminal offences in order to hold individuals accountable for the egregious mishandling of personal data. These offences include: knowing or reckless unauthorised disclosure of personal data; knowing or reckless unauthorised use of personal data for a wrongful gain or wrongful loss to any person; and knowing or reckless unauthorised re-identification of anonymised data. These offences carry a fine not exceeding SGD 5,000 or imprisonment for a term not exceeding two years, or both. Individuals acting under the authority of the organisation will not be held individually liable.
These individual offences do not detract from the policy position that organisations are primarily accountable for data protection, as organisations remain liable for the actions of their employees in the course of their employment with the organisations. Further, these offences are not intended to make conduct in a private dispute the subject of criminal prosecution.
The PDPA also provides for several defences for an offence of egregious mishandling of personal data, including instances where the information was publicly available, the conduct was permitted or required under other laws, the conduct was authorised or required by an order of the court, and where the individual reasonably believed that he/she had the legal right to collect, use, or disclose the personal data.
In ensuring accountability, organisations acting on behalf of a public agency are no longer excluded from the main provisions of the PDPA.
Expansion of consent framework and exceptions
New provisions in the Act provide for deemed consent by contractual necessity and deemed consent by notification, which grant organisations new bases upon which consent is deemed to have been given to collect, use, and disclose personal data.
Deemed consent by contractual necessity
This provision allows for the downstream processing of personal data to partners or contractors for the purposes of performing or concluding a contract, and can be of great benefit to organisations.
Deemed consent by notification
Through this provision, organisations are permitted to collect, use, or disclose personal data provided the individual has been notified and given reasonable opportunity to opt out. Reliance on deemed consent by notification is subject to the organisation making an assessment and determination that several conditions are met, whilst taking into consideration the type of personal data involved and the method of collection, use, or disclosure of the personal data. The organisation must conduct an assessment to eliminate and mitigate adverse effects, take reasonable steps to ensure that notification to the individuals is adequate, and provide a reasonable opt-out period.
In addition to the introduction of new forms of deemed consent, other amendments include two new exceptions that allow personal data to be collected, used, and disclosed without an individual’s consent, allowing for greater data use and innovation.
The legitimate interest exception
This exception provides that an organisation may collect, use, or disclose personal data where it is in the legitimate interest of the organisation, or another person, to do so, and where the legitimate interest outweighs any adverse effect on the individual. The onus lies on the organisation to ensure that it complies with additional safeguards to ensure that the interests of individuals are being protected. However, this exception does not allow an organisation to send direct marketing messages to individuals.
Organisations wishing to rely on the legitimate interest exception must disclose this to the individuals whose personal data is being collected, used, and disclosed without consent. Examples of legitimate interests include the purposes of detecting or preventing illegal activities, threats to physical safety and security, and IT and network security; preventing misuse of services; and performing other necessary corporate due diligence.
The business improvement exception
The introduction of this exception permits an organisation to collect, use, or disclose personal data for the relevant purposes of business improvement such as improvement or enhancement of goods or services or methods or processes, and learning and understanding customers’ behaviours and preferences. The exception also permits related organisations to share personal data in certain circumstances, and provided certain safeguards exist.
The consent framework is further expanded with slight changes to the business asset transaction exception, which has been broadened in scope, and the research exemption, which has been eased to allow for innovation. For the research exemption, the use of personal data must have a clear public benefit. In addition, the results of the research will not be used to make any decisions affecting the individual, and research results will not be published in a form that identifies the individual.
With the expansion of the consent framework, explicit reference is made to the accountability of organisations for personal data in its possession or under its control. Further, if an organisation wishes to rely on either deemed consent by notification or the legitimate interests exception, assessments of any likely adverse effects to the individual must be made and reasonable measures must be implemented to eliminate, reduce, or mitigate any adverse effects on individuals. An organisation may wish to refer to the assessment checklist issued by the PDPC for deemed consent by notification and for legitimate interests exception.
Other material changes which took effect on 1 February 2021 include:
a) Voluntary undertakings
The PDPC has enhanced powers to accept and enforce voluntary undertakings from organisations instead of launching a full investigation into an organisation’s breach of PDPA. Organisations that are in breach of any provisions may voluntarily commit to take specified action, publicise the voluntary undertaking, or refrain from taking specified action in relation to the requirements of the PDPA.
b) Alternative dispute resolution
A system of alternative dispute resolution has been established in order to manage data protection complaints. The PDPC is empowered to direct complainants to settle disputes through mediation, without the need to obtain the consent of both parties to the dispute, and to establish dispute resolution schemes for such purposes. The PDPC can also compel witnesses to attend proceedings and demand the delivery of documents and information. Any non-compliance constitutes an offence under the Act.
c) Prohibition on use of dictionary attacks and address-harvesting software
The sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address-harvesting software is now prohibited under the PDPA’s Do Not Call Provisions. Additionally, the Spam Control Act has also been amended to now cover bulk commercial text messages to instant messaging accounts.
Businesses should take steps to consider how to implement the provisions of the Act in practice, e.g., implementation of a data breach incident response plan; consider how the expansion of the consent framework and related exceptions affect business operations in practice; and consequently, consider whether amendments to the privacy policies are required.