Singapore’s Personal Data Protection Act: A review of the major changes ahead (Part 4)

Darren Grayson Chng, in the fourth and final part of a series, explores the background to forthcoming changes to the Singapore Personal Data Protection Act.

Singapore’s Personal Data Protection Act (“PDPA”) is slated for major changes in 2021. This is the last of a four-part series, which examines the key amendments listed in the Personal Data Protection (Amendment) Bill (“Bill”).


Increasing deterrence and strengthening the effectiveness of PDPC’s enforcement efforts

Increased financial penalty cap

At present, PDPC can direct an organisation in breach of the PDPA to pay a financial penalty of up to SGD 1 million.1 

The Bill will potentially increase the maximum financial penalty to: (a) 10% of the organisation’s annual turnover in Singapore, if its annual turnover in Singapore exceeds SGD 10 million; or (b) in any other case, SGD 1 million.2 

The PCP explained that this higher cap was meant to serve as a stronger deterrent, and to provide PDPC with more flexibility in meting out financial penalties based on the circumstances and seriousness of a breach.3 The new cap would also be closer to the cap prescribed by other jurisdictions.4 

Later on in their Closing Note, MCI and PDPC said that many respondents to the public consultation had expressed concern about the increased financial penalty cap, with some requesting a sunrise period.5 MCI and PDPC said that they would “take into account the prevailing economic situation in refining the financial penalty framework”.6 

While the Closing Note said that MCI and PDPC intended to set out in the PDPA a non-exhaustive list of factors which PDPC would consider and give weight to, as appropriate, when determining the quantum of financial penalty to impose,7 this list does not seem to have made its way into the Bill introduced in Parliament.

Enforcement of DNC provisions

Currently, breaches of certain DNC provisions are enforced as criminal offences.8 The PCP said that the amendments would put the enforcement of the DNC provisions under the same administrative regime as the data protection provisions.9 This would empower PDPC to issue directions for infringements, and enable PDPC to resolve DNC complaints more efficiently and proportionately.10 

Offence for failure to attend or produce information

The PCP pointed out that at present, PDPC does not have any recourse under the PDPA against organisations which do not reply to PDPC’s notice to produce information or to give a statement.

The Bill will make it an offence for a person, without reasonable excuse, to neglect or refuse to attend before the PDPC or an inspector as required under the PDPA.11 

It will also be an offence for an organisation or person, without reasonable excuse, to neglect or refuse to provide any information or produce any document which the organisation or person is required under the PDPA to provide or produce, to PDPC or an inspector.12 

The penalty for each of these offences is S$10,000 in the case of an organisation, and in the case of an individual a fine of up to S$5,000 and/or imprisonment for up to 6 months.

Statutory undertakings

Where PDPC has reasonable grounds to believe that an organisation or person has not, is not, or is likely not to comply with certain provisions of the PDPA, the PDPC may accept a written voluntary undertaking from the organisation or person.13 

The PCP explained that statutory undertakings allow a regulator to apply more flexible and individually tailored approaches to enforcement, and that several jurisdictions offer undertakings as part of their enforcement regime.14  

If the organisation or person fails to comply with their undertaking, PDPC may give the organisation or person any direction which it thinks fit to ensure compliance with the undertaking, and PDPC can publicise the undertaking and recover from the organisation or person the costs and expenses it incurred.15 

Referrals to mediation

A new Part IXC will allow PDPC to refer an individual’s complaint against an organisation to mediation under a dispute resolution scheme, if PDPC is of the opinion that the complaint may more appropriately be resolved by mediation.16 

The Bill will also allow PDPC to direct the complainant and the organisation to attempt to resolve the complaint, without first having to obtain their consent.17 

The PCP explained that these amendments were to enable PDPC to manage the increase in data protection complaints in a sustainable manner.18 

Other amendments to the PDPA

Revisions to the research exception

Currently, if organisations wish to use or disclose personal data for a research purpose (including historical or statistical research), these conditions must first be satisfied: 19

(a) the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable format;

(b) it is impracticable for the organisation to seek the individual’s consent for the use or disclosure;

(c) the personal data will not be used to contact persons to ask them to participate in the research;

(d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data, and the benefits to be derived from the linkage are clearly in the public interest; and

(e) in respect of disclosure only, the organisation (B) to which the personal data is to be disclosed by the first organisation (A) has signed an agreement to comply with: 

(i) the PDPA;

(ii) A’s policies and procedures relating to the confidentiality of personal data;

(iii) A’s security and confidentiality conditions;

(iv) a requirement to remove or destroy individual identifiers at the earliest reasonable opportunity; and 

(v) a requirement not to use the personal data for any other purpose, or to disclose the personal data in individually identifiable form without A’s express authorisation.

In comparison, the new Second Schedule to the PDPA retains only condition (a) above, and even that in modified form. Organisations may use or disclose personal data for a research purpose (including historical or statistical research) if:20 

(a) the research purpose cannot reasonably be accomplished unless the personal data is used or disclosed in an individually identifiable form;

(b) there is a clear public benefit to using or disclosing the personal data for the research purpose*;

(c) the results of the research will not be used to make any decision that affects the individual*;

(d) in the event that the research results are published, the organisation publishes them in a form that does not identify the individual; and

(e) in respect of disclosure only, it is impracticable for the organisation to seek the individual’s consent for the disclosure.

*In the public consultation version of the Bill, it was a requirement that the use of the personal data for the research purpose would not have an adverse effect on the individual, and that the results of the research would not be used by the organisation in any way that had an adverse effect on the individual.

The PCP explained that these revisions imposed less stringent restrictions so that organisations can carry out research beyond the purposes of improving business products or services. Examples are research institutes carrying out scientific research and development, educational institutes researching the arts and social sciences, and organisations carrying out market research to understand potential customer segments.21 

Increased protection from unsolicited marketing messages

The Bill will amend PDPA’s Do Not Call (“DNC”) provisions, and the provisions of the Spam Control Act (“SCA”), in these ways:

  • The SCA will cover electronic messages sent to instant messaging accounts.22 
  • The DNC provisions will prohibit the sending of “applicable messages” to telephone numbers obtained through the use of dictionary attacks and address harvesting software.23 
  • The Bill will impose an obligation on third party checkers engaged by organisations to check the DNC Register(s) on their behalf, to ensure that they provide accurate information to the organisations.24 
  • Organisations will be allowed to send a message to customers without the need to check the DNC Register(s), if the message relates to the subject of their ongoing relationship.25 

Reduced scope of prohibitions against access to user provided and user activity data

Currently, section 21 of the PDPA prohibits an organisation from providing an individual with his / her personal data, or information on how that personal data has been or may have been used or disclosed by the organisation in the past year, if providing the personal data could reasonably be expected to, among other things:

(a) reveal personal data about another individual; or

(b) reveal the identity of an individual (A) who has provided personal data about another individual (B), and A does not consent to the disclosure of his / her identity.

According to PDPC, this has led to implementation challenges for organisations providing access to personal data, where for example they have to remove third parties’ personal data captured in CCTV footage before they can provide an individual with access to the footage.26 

In the circumstances, the Bill will allow organisations to provide access to user activity data and user-provided data, regardless of (a) and (b) above. The Bill will state that (a) and (b) above do not apply to any “user activity data” about, or any “user-provided data” from, the individual who made the request, even if such data contains another individual’s personal data.27 

In the light of this amendment, two new definitions will be added to the PDPA:28 

  • “user activity data”, in relation to an organisation, is defined as personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation; and
  • “user-provided data”, in relation to an organisation, is defined as personal data provided by an individual to the organisation.

Excluding derived personal data from the Correction Obligation

As a recap, the Bill defines “derived personal data” as personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, that is in the organisation’s possession or control.29 

In addition to being excluded from the Data Portability Obligation (mentioned earlier), derived personal data will also be excluded from the Correction Obligation. At present, and subject to exceptions, the Correction Obligation requires an organisation to correct an error or omission in personal data as soon as practicable upon an individual’s request, and to send the corrected personal data to every other organisation to which the first organisation disclosed the personal data within the year before the date of the correction. 

Darren Grayson Chng is our International Associate Editor for Singapore

------

Notes & references

1. See section 29(2)(d) of the PDPA

2. See clause 24 of the Bill

3. See para 59 of the PCP

4. See para 59 of the PCP

5. See para 7 of the Closing Note

6. See para 8 of the Closing Note

7. See para 9 of the Closing Note

8. See para 55 of the PCP

9. See para 56 of the PCP

10. See para 56 of the PCP

11. See clause 27(b) of the Bill

12. See clause 27(b) of the Bill

13. See clause 23 of the Bill

14. See paras 64–65 of the PCP

15. See clause 23 of the Bill

16. See clause 23 of the Bill

17. See clause 23 of the Bill

18. See para 68 of the PCP

19. See para 1(i) read with para 2 of the Third Schedule to the PDPA, and para 1(q) read with para 4 of the Fourth Schedule to the PDPA

20. See clause 32 of the Bill

21. See para 42 of the PCP

22. See clause 41 of the Bill

23. See clause 22 of the Bill

24. See clause 19 of the Bill

25. See clause 36 of the Bill

26. See para 74 of the PCP

27. See clause 10 at p 10 of the Bill

28. See clause 2 at p 3 of the Bill

29. See clause 2 at p 2 of the Bill

Published: 2021-01-05T13:00:00