Singapore’s Personal Data Protection Act (“PDPA”) is slated for major changes, many are guessing by end-2020. This is the second of a four-part series, which examines the amendments listed in the Personal Data Protection (Amendment) Bill (“Bill”) which: introduce new offences for the egregious mishandling of personal data; expand the concept of deemed consent to include deemed consent by contractual necessity, and by notification; and introduce two new exceptions to the PDPA’s consent requirement – the “legitimate interests exception” and the “business improvement exception”.
——
Read more:
——
Strengthening the accountability of individuals who handle or have access to personal data
A new Part VIIIA will introduce new offences under the PDPA for the egregious mishandling of personal data in the possession or control of an organisation or a public agency. In brief, these offences will apply to individuals who handle or have access to personal data, and who are involved in:1
- knowing or reckless unauthorised disclosure of personal data;
- knowing or reckless unauthorised use of personal data resulting in a gain, harm being caused to an individual, or loss being caused to any person; and
- knowing or reckless re-identification of anonymised data in the possession or control of an organisation or a public agency.
The penalties for each of these offences are a fine of up to SGD 5,000 and/or imprisonment for up to 2 years.
That said, the Ministry of Communications and Information (MCI) and Personal Data Protection Commission (PDPC) said in the Closing Note to the Public Consultation Paper that they intended to clarify in Advisory Guidelines the situations which the new offences were not intended to cover. Such examples include individuals who were authorised as part of their employment to disclose, use, or re-identify the data2 or where cybersecurity specialists and academic researchers re-identify anonymised data as part of their research work and teaching of topics on anonymisation and encryption.3
The PCP also states that these offences were not intended to apply to private disputes where there is recourse under private law, for example where an ex-employee takes an organisation’s customer list when joining a competitor.4
The Bill will also introduce defences to these offences, such as where the information on the identity of the affected person was publicly available, or the conduct was in the reasonable belief that the individual had a legal right to do so.5
Enhancing the PDPA’s framework to enable meaningful consent
In the consultation paper, the MCI and the PDPC said that the framework for the collection, use and disclosure of personal data under the PDPA would be enhanced to enable meaningful consent by individuals.6
Deemed consent
Currently, under section 15(1), an individual is deemed to consent to collection, use, or disclosure of personal data for a purpose if the individual voluntarily provided the personal data for that purpose, and it is reasonable that the individual would voluntarily provide that data.
Section 15(2) says that if an individual gives or is deemed to have given consent to the disclosure of his / her personal data by one organisation to another for a particular purpose, the individual is deemed to consent to the collection, use, or disclosure of his / her personal data for that particular purpose by the other organisation.
The Bill will expand deemed consent to include deemed consent by contractual necessity and by notification.
Deemed consent by contractual necessity
Under a new section 15(3), an individual who provides personal data to an organisation (A) with a view to entering into a contract with A, is, where reasonably necessary for the conclusion of the contract between the individual and A, deemed to consent to:7
(a) the disclosure of the personal data by A to another organisation (B);
(b) the collection and use of the personal data by B; and
(c) the disclosure of the personal data by B to another organisation.
Under a new section 15(6, an individual who enters into a contract with an organisation (A) and provides personal data to A in relation to the contract, is deemed to consent to:8
(a) the disclosure of the personal data by A to another organisation (B), where the disclosure is reasonably necessary:
(i) for the performance of the contract between the individual and A; or
(ii) for the conclusion or performance of a contract between A and B which is entered into at the individual’s request, or which a reasonable person would consider to be in the individual’s interest;
(b) the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in (a); and
(c) the disclosure of the persona data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in (a).
The PCP explained that the intent was to allow for deemed consent where disclosure to, collection by, and the use of personal data by third parties is reasonably necessary for the conclusion or performance of a contract or transaction between an individual and an organisation.9
However, organisations who wish to rely on section 15(3) or (6) need to check and will be subject to any clause in the contract between the individual and organisation A, which specifies or restricts:10
(a) the personal data provided by the individual that A may disclose to B; or
(b) the purposes for which A may disclose the personal data to B.
Deemed consent by notification
Under a new section 15A, and subject to exclusions, an individual will be deemed to have consented to the collection, use, or disclosure of personal data if:11
(a) the organisation, before collecting, using, or disclosing the personal data:
(i) conducts an assessment to determine that the proposed collection, use, or disclosure is not likely to have an adverse effect on the individual;
(ii) take reasonable steps to bring to the individual’s attention: the organisation’s intention to collect, use, or disclose the personal data; the purposes for the collection, use, or disclosure; and a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that s/he does not consent to the proposed collection, use, or disclosure; and
(iii) satisfy any other prescribed requirements;
(b) the individual does not notify the organisation before the expiry of the reasonable period referred to in (a)(iii) that s/he does not consent.
The exclusions are not listed in the Bill, and will be “prescribed”.
In respect of the assessment which the organisation must conduct, the Bill requires the organisation to:
(a) identify any adverse effect which the proposed collection, use, or disclosure for the purpose concerned is likely to have on the individual;
(b) identify and implement reasonable measures to eliminate or mitigate the adverse effect, or reduce the likelihood that the adverse effect will occur; and
(c) comply with any other prescribed requirements.
Before sales and marketing departments get their hopes up, the PCP clarified that organisations may not rely on this approach to obtain consent to send direct marketing messages to individuals.12
Two new exceptions to the consent requirement
The PCP said that two new exceptions to the consent requirement would be introduced to cater to situations where there are larger public or systemic benefits, where obtaining individuals’ consent may not be appropriate.13
Legitimate interests exception
To rely on the “legitimate interests exception”:14
(a) the collection, use, or disclosure of an individual’s personal data must be in the legitimate interests of the organisation or another person, and those legitimate interests must outweigh any adverse effect on the individual;15
(b) the organisation must conduct an assessment before collecting, using, or disclosing the personal data, to determine whether (a) is satisfied; and
(c) the organisation must provide the individual with reasonable access to information about the collection, use, or disclosure.
Examples of what might satisfy (a) above are detecting or preventing illegal activities such as fraud and money laundering, or threats to physical safety and security, or ensuring IT and network security, as well as preventing misuse of services.16
In conducting the assessment mentioned in (b) above, the organisation must:17
(i) identify any adverse effect that the proposed collection, use, or disclosure of an individual’s personal data is likely to have on the individual;
(ii) identify and implement reasonable measures to eliminate or mitigate the adverse effect, or reduce the likelihood that the adverse effect will occur; or
(iii) comply with any other prescribed requirements.
Again, organisations may not rely on this exception to send directing marketing messages to individuals.18
Business improvement exception
This is a new exception which will allow organisations to use personal data without consent for any of these purposes:19
(a) improving or enhancing goods or services provided, or developing new goods or services to be provided, by the organisation;
(b) improving or enhancing methods or processes, or developing new methods or processes, for the organisation’s operations;
(c) learning about and understanding the behaviour and preferences of the individual or another individual, in relation to the goods or services provided by the organisation;
(d) identifying any goods or services provided by the organisation that may be suitable for the individual or another individual, or personalising or customising any such goods or services for the individual or another individual.
However, three conditions must first be satisfied:20
(1) The purpose for which the organisation uses the individual’s personal data cannot be reasonably achieved without the use of the personal data in an individually identifiable form.
(2) A reasonable person would consider the use of the individual’s personal data for that purpose to be appropriate in the circumstances.
(3) The purpose is not for sending direct marketing messages.
Further, where personal data is collected, used, or disclosed within a group of related corporations:21
- the personal data must relate to an individual who is an existing customer of the disclosing corporation, or an existing or prospective customer of the collecting organisation; and
- the related corporation must be bound by any contract or agreement, or binding corporate rules requiring the collecting corporation to implement and maintain appropriate safeguards for the personal data.
1 See sections 48D, E and F in clause 20 of the Bill.
2 See para 25 of the Closing Note.
3 See para 32 of the PCP.
4 See para 33 of the PCP.
5 See section 48D in clause 20 of the Bill, and para 26 of the Closing Note.
6 See para 7b) of the PCP.
7 See clause 6 of the Bill.
8 See clause 6 of the Bill.
9 See para 38a) of the PCP.
10 See clause 6 of the Bill.
11 See clause 7 of the Bill.
12 See para 38b) of the PCP.
13 See para 39 of the PCP.
14 See para 1(1) and (2) of Part 3 on p 66 of the Bill.
15 See clause 8 of the Bill read with clause 31 of the Bill.
16 See para 40a) of the PCP.
17 See para 1(3) of Part 3 on pp 66 – 67 of the Bill.
18 See para 1(4) of Part 3 on p 67 of the Bill.
19 See para 1(1) of Division 2, Part 2, on p 74 of the Bill.
20 See Part 5, on pp 71 – 73 of the Bill.
21 See Part 5, on pp 71 – 73 of the Bill.
