The Singapore Parliament enacted the Personal Data Protection (Amendment) Bill 2020 on 2 November 2020. Numerous amendments to the Consent Obligation have been made to the Personal Data Protection Act or PDPA. When the Commission announced its enforcement judgment in June 2019 in a case concerning the German European School Singapore (GESS), it made the following points about various sorts of consent clear:
1. Express consent – if an individual expressly consents – or clicks, say, ‘submit’ as the technological equivalent of signing – to something along the lines of ‘I hereby consent to….. ‘
2. Implied consent — In the GESS case, the Commission determined that by annually agreeing to certify compliance with the school’s by-laws, the student’s parent(s) impliedly consented to the by-laws’ provision requiring random drug testing of pupils.
3. Deemed consent – the Commission stated unequivocally in the GESS case that deemed consent under the PDPA is ‘consent by operation of law.’ This means that if the PDPA’s standards are met, consent is granted regardless of an individual’s intention. By contrast, both express and implied consent involve the provision of genuine consent with the purpose to provide it (even while the individual may not be conscious of it in the case of implied consent).
At the moment, the PDPA recognizes two distinct sets of circumstances in which deemed consent applies:
(1) First-party deemed consent – where (a) an individual gives personal data willingly for a purpose and (b) it is reasonable for the individual to provide personal data voluntarily for that purpose.
(2) third party deemed consent – when (a) an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organization to another organization for a specific purpose and (b) the recipient organization collects, uses, or discloses that personal data for that specific purpose.
Express consent may be granted on an ‘opt-in’ or ‘opt-out’ basis. It would not be considered conceptually viable for an individual to opt-in or opt-out of consent by operation of law – that is, a deemed consent under the PDPA – either the law operates in such a way that permission is obtained, or it does not.
However, as detailed below, the proposed amendments to the PDPA include a deemed consent by notification provision that allows an individual to tell an organization of their refusal to consent. The Commission refers to an individual’s ability to opt-out of deemed consent in the Public Consultation Paper.
Consent by ‘opt-in’ requires an individual to take an affirmative action (such as tick a box). No express consent is given if the subject does nothing. Consent on an ‘opt-out’ basis implies that consent is automatic in the sense that if an individual does nothing (for example, by failing to untick a box), express consent is granted. Many country’s data protection laws outlaw opt-out consent; it is not prohibited under the PDPA, though it is evident from the Commission’s Advisory Guidelines that it is frowned upon.
Consent Obligation: PDPA as a ‘consent-first’ law
The PDPA is a ‘consent-first’ law, which means that consent is always required to collect, use, or disclose personal data, unless an exception applies. The PDPA requires express or implied consent and allows for presumed consent. Its Second, Third, and Fourth Schedules specify exemptions from the requirement for permission of any kind.
Other data protection rules demand the existence of a ‘legitimate basis’ for the collection, use, or disclosure of personal data. At least in some of these instances, such as the General Data Protection Regulation (GDPR), permission is the appropriate legal foundation only if no other alternative exists. Such legislation could be described as ‘consent-first’ laws.
Proposed Changes to the PDPA – expansion of deemed consent
The PDPA recognizes two types of deemed consent: first-party deemed consent and third-party deemed consent. The draft amendment law leaves first-party deemed consent alone but clarifies and, maybe, expands the third party deemed consent.
The Commission notes in its Public Consultation Paper that the proposed permission upgrades are generally similar to actions taken under data protection frameworks in Australia, British Columbia, New Zealand, and the European Union. According to the Commission, these upgrades will also help organizations minimize compliance costs and simplify their use and processing of personal data for business purposes.
In contrast with the European Union’s General Data Protection Regulation (GDPR)
To provide context, some readers may be aware that the GDPR demands that personal data be processed on a ‘lawful basis.’ There are six permissible legal bases, including the following:
1. Where an individual/data subject consents to the use of their personal data for one or more defined purposes.
2. Processing is required to carry out a contract to which the data subject/person is a party or to take steps at the data subject/individual’s request prior to entering into a contract.
Consent is the only legal basis for processing under the PDPA – but the PDPA does not use those terms. Consent may be express or implied by law / considered consent. Naturally, there are exceptions to the requirement for consent.
The proposed amendments to the PDPA are intended to broaden the scope of consent by law / presumed consent operation. They do not constitute additional legal grounds for collecting, using or disclosing personal data.
It’s also worth mentioning that the GDPR’s lawful basis for processing that relates to contracts applies solely to the data subject/individual as one of the contract’s parties and the organization as the other contract’s party. The proposed amendments to the PDPA make reference to three parties:
- The data subject/individual is one of the contract’s parties.
- The organization is the other contract’s party.
- A third party is another organization that is not a contracting party.
Deemed consent to enter into a contract
The first modification pertains to a circumstance in which an individual, (P), sends personal data to an organization, (A), for P to enter into a contract with A. Consent by operation of law / deemed consent is expanded in this case to include the following:
(a) A disclosing personal data to another organization, (B), where the disclosure is reasonably necessary for the conclusion of the contract between P and A.
(b) B’s collection and use of that personal data, where such collection and use are reasonably necessary for the performance of the contract between P and A.
(c) the disclosure of that personal data by B to another organization where the disclosure is reasonably necessary for P and A to enter into a contract.
However, the deemed consent described in paragraph (a) above has no effect on any contractual obligation between P and A that specifies or limits the personal data provided by P that A may share with another organization. Furthermore, the deemed consent described in paragraph (a) above has no effect on any contractual obligation between P and A that defines the purposes for which A may disclose personal data submitted by P to another organization.
Deemed consent to perform a contract
The second alteration concerns a circumstance in which an individual (P) enters into a contract with an organization (A) and supplies A with personal data. Consent by operation of law / presumed consent is enlarged in this situation to include the following:
(a) A disclosing the personal data to another organization, (B) when disclosure is reasonably necessary:
(i) to perform the contract between P and A; or
(ii) for the conclusion or fulfilment of a contract entered into between A and B:
1. upon P’s request; or
2. if a reasonable person believes the contract is in P’s best interests.
(b) B’s acquisition and use of that personal data where such collection and use are reasonably necessary for any of the purposes listed in paragraph (a)
(c) disclosure of that personal data by B to another organization when disclosure is reasonably necessary for any of the purposes listed in paragraph (a).
However, the deemed consent described in paragraph (a) above has no effect on any contractual obligation between P and A that specifies or limits the personal data provided by P that A may share with another organization. Furthermore, the implied consent described in paragraph (a) above has no effect on any contractual obligation between P and A that defines the purposes for which A may disclose personal data submitted by P to another organization.
Deemed consent by notification
Lastly, a concept of ‘deemed consent by notice’ is introduced as a substitute for express consent. Presumably, the Commission intends for deemed consent by notification to apply where obtaining express consent would be unduly burdensome and where the relevant individuals would not be expected to withhold consent in any case – for example, because goods or services purchased by an individual would not function without the collection, use, or disclosure of personal data.
To qualify for ‘deemed consent by notification,’ an organization must conduct the following assessments prior to collecting, using, or disclosing any personal data about an individual: enable the relevant individual to opt-out of the deemed consent; and ensure that the purpose of the collection, use, or disclosure is not a prescribed purpose.
1. The organization must conduct an evaluation to evaluate if the intended collection, use, or disclosure of personal data would have a negative impact on the individual. The organization must indicate any harmful effect on the individual that the proposed collection, use, or disclosure of personal data for the relevant purpose is likely to have. It must then identify and take reasonable actions to eliminate or minimize the harmful effect or to limit the possibility of the bad effect occurring. Additionally, it must adhere to any other conditions that have not yet been mandated.
2. To enable the relevant individual to opt-out of the deemed consent, the organization must take reasonable steps to bring the following information to the individual’s attention:
- the organization’s intention to collect, use, or disclose personal data
- the purpose for which the personal data will be collected, used or disclosed
- a reasonable period within which, and a reasonable method by which, the individual may notify the organization that the individual wishes to opt-out of the deemed consent
3. In order for deemed consent by notice to apply, the individual’s personal data must not be collected, used, or disclosed for any prescribed purpose. Purposes for implied consent by notification have not yet been prescribed.
However, the Commission argues in its Public Consultation Paper that organizations may not depend on supposed consent by notification to get consent to send direct marketing messages to individuals, and so marketing may fairly be expected to become a prescribed purpose in due course.
Individuals are deemed to consent to an organization’s collection, use, or disclosure of personal data about them if (a) the organization has conducted the assessment described above and provided the necessary information to enable the individual to opt-out of the deemed consent; and (b) the individual does not notify the organization before the reasonable period during which the individual may notify the organization that they do not consent.