Key PDPA Amendments 2019/2020 You Should Know

Since the Personal Data Protection Act’s passing in 2012 (PDPA), it has not been amended yet, with only its Data Protection Provisions and Do Not Call (“DNC”) Provisions taking effect on 2 January 2014 and 2 July 2014 respectively. However, the accelerating growth of technological and business landscape in Singapore (e.g. IoT, Artificial Intelligence, and gig economy) has also translated to an increase in the volume of personal data collected.

Hence, it is only timely that the 2012 PDPA provisions be revisited and amended, to adapt its content to the rapidly changing digital economy landscape. This was done on 14 May 2020, when the Personal Data Protection (Amendment) Bill 2020 (“the Bill”) was published for public consultation. Finally, the proposed PDPA amendments 2019/2020 and Spam Control Act were passed in Parliament on 2 November 2020.

These approved changes are meant to address Singapore’s changing digital economy needs and bring the nation’s personal data protection regulations up to date and aligned with international standards (e.g. GDPR).

PRO TIP: Learning about full compliance to the PDPA obligations for your organisation can be overwhelming, especially if you do not know where to begin. We at Privacy Ninja understand this, that is why we have established a comprehensive PDPA course compliance and awareness training. By tapping our consulting services, you are assured that you get subject matter experts as trainers and that you are guided correctly through the various concepts included in the PDPA. Click here to get started.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

PDPA Amendments 2019/2020 In 12 Sections

The drafted amendments include, among other things, heftier financial penalties that the Personal Data Protection (“PDPC”) may set for PDPA breaches, required data breach notification to both the PDPC and individuals affected, plus crucial amendments to the consent provisions of the PDPA. Let’s discuss these further below:

Heftier financial penalties

According to the Bill, financial penalties for PDPA breaches in Singapore may increase up to 10 per cent of yearly gross revenue, or S$1 million, whichever of the two is higher.

However, it should be noted that in conjunction with the heavier penalty for data breaches, oraganisations will also be getting more freedom to utilise personal data to innovate under the PDPA amendments 2019/2020.

Obligatory notification on the data breach

The Bill requires organisations to inform the PDPC of a data breach that:

• culminates in, or is likely to culminate, in serious harm to the persons whose data have been compromised; or
• is of a serious scale.

Additionally, it will be mandatory for organisations to inform affected individuals if the data breach can possibly lead to seriously harming them.

In terms of timeline, the PDPC has to be notified in a period of three calendar days at the onset when an organisation evaluates that a breach can be disclosed.

Regulations have also been included to propose the types of personal data that will be deemed likely to result in serious harm to the individuals if compromised in a data breach.

There are exceptions to the notification provisions, in that there is no need to inform the affected individuals if:

• if remedial actions have been taken; or
• if the personal data is subject to technological protection measures such as encryption, in such a way that the breach is not likely to lead to serious harm to the persons whose data has been compromised.

Extended definition of deemed consent

Part of the PDPA amendments 2019/2020 is the expanded description of what deemed consent is, such that in now includes:

• for contractual necessity; that is, where the processing of data is crucial to performing a contract; and
• where the persons have been informed of the objectives of the data processing and given a chance to opt out.

Changes to the exceptions to consent

1. Genuine interests exception – Consent will not be mandatory if the genuine interests of the organisation and the benefit to the public together offset any unfavorable effect on the individual. For instance, where the processed data is utilised for detecting or halting illegal activities or threats to physical safety and security, ensuring cybersecurity, or averting service misuse.
2. Business improvement exception – Consent will not be mandatory if there is a need to: fulfill operational efficiency and service improvements, create or improve products and services, or learn more about the customers of the organisation.
3. Research exception – Consent will not be mandatory if the utilisation of personal data or research results will not cause serious harm to the affected individuals and the results are not published in a way that identifies any person.
4. Business asset transaction exception – the scope has been extended to the personal data of independent contractors, such as Grab drivers for instance, in conjunction with employees, customers, directors, officers and shareholders of the organisation.

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

Right to data flexibility

Another feature to the PDPA amendments 2019/2020 is the right to data flexibility among individuals, which gives them the right to request the transmission of their data to another service provider. Exceptions to this obligation will also be provided, similar to those for the access obligation.

If personal data is gathered by an organisation from other personal data in the course of business, this will not be covered by the portability obligation.

Data retiontion

Under the amended provisions, it is mandatory for organisations to preserve personal data requested under an access or porting request for at least 30 calendar days after rejection of the request, or until the person has used up their right to apply to the PDPC for reevaluation of their request or appeal to the Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.

Direct marketing

Under the enhanced version, the Spam Control Act 2007 will include the bulk sending of commercial text messages to instant messaging accounts. DNC provisions will forbid the sending of specified messages to telephone numbers collected through the utilisation of dictionary attacks and address harvesting software.

The DNC provisions, under the PDPA amendments 2019/2020, will be enforced under the same administrative regime as the other PDPA data protection obligations.

Accountability

There will be express mention of an accountability obligation in the PDPA, so organisations are expected to perform compliance.

Scope amendment

Also subject to the PDPA are organisations acting on behalf of public agencies that are currently exempted.

New offences

New offences have been added under the PDPA amendments 2019/2020. which will hold individuals accountable for flagrant mishandling of personal data on behalf of an organisation or public agency. These are the following:

• any unauthorised sharing of personal data that is performed knowingly or carelessly;
• any unauthorised use of personal data that is performed knowingly or carelessly and results in a wrongful gain or a wrongful loss to any individual; and
• any unauthorised re-identification of anonymised data that is performed knowingly or carelessly.

Public officers are exempted from these provisions, as they are subject to the Public Sector (Governance) Act 2018.

Data breach management

PDPC can use in any act of enforcement the fulfillment of the data breach management plan (which may be the subject of a statutory undertaking) if coupled with mandatory breach notification.

PDPC dispute resolution powers

When it comes to dispute resolution, the PDPC will have the power to approve mediation schemes and direct complainants to deal with data protection disputes via mediation, without needing to secure the approval of both parties.

How Privacy Ninja Can Help You With Full Compliance Of PDPA Amendments 2019/2020

Besides getting trained properly on the amendments, organisations, as mandated by law, must also appoint a Data Protection Officer (DPO) to ensure that the organisation is fulfilling its duties pertaining to data privacy laws. However, for startups and SMEs, hiring or appointing a full time DPO in-house may be difficult due to resource or capability constraints.

Privacy Ninja aims to bridge that gap by offering a DPO-As-A-Service annual model, whereby you can leverage our cybersecurity and data privacy experts to take on your organisation’s DPO operational obligations. To learn more how we can help you achieve full PDPA compliance, click here.