The new PDPA introduces mandatory breach notification, criminal penalties for mishandled data, and a higher cap on penalties for breaches by large organisations.
Singapore has introduced an enhanced PDPA (Personal Data Protection Act), expanding the ability of organisations to use personal data while also increasing accountability for data breaches.
The Personal Data Protection (Amendment) Act 2020 was passed in Parliament on 2 November 2020. Implementation entered its first phase on 1 February 2021.
“The amendments will strengthen organisational accountability and consumer protection, while giving organisations the confidence to harness personal data for innovation,” the PDPC (Personal Data Protection Commission) said.
Breach notification, accountability and penalties
The enhanced PDPA introduces mandatory data breach notification. Organisations must notify the PDPC of a data breach that is likely to result in significant harm to the affected individuals, or that is of significant scale (affecting 500 or more individuals); where the breach is likely to result in significant harm, the affected individuals must be notified as well.
Also introduced in the enhanced PDPA is an accountability principle, which places explicit accountability for personal data on the organisation that has possession or control of the data.
The new PDPA also makes it a criminal offence for individuals (including employees) to knowingly or recklessly mishandle personal data, or to re-identify anonymised information, without authorisation. The offence is punishable with a fine of up to SGD 5,000 and/or imprisonment of up to two years.
[Not yet in force] For large organisations with annual turnover exceeding SGD 10 million, the maximum penalty for data breaches has been raised to 10 percent of annual turnover. For other organisations, penalties remain capped at SGD 1 million.
The PDPC may accept and enforce written voluntary undertakings from an organisation in breach, in lieu of a full investigation. Such an undertaking may include a commitment from an organisation to take specified action within a specified time, refrain from taking specified actions, and/or publicise the voluntary undertaking.
The enhanced PDPA also establishes an alternative dispute resolution system, empowering the PDPC to direct data protection complaints to be resolved via mediation, and to establish dispute resolution schemes for such purpose.
Consent framework and exceptions
The deemed consent framework under the enhanced PDPA provides new bases upon which consent may be deemed to have been given. A ‘contractual necessity’ basis allows an organisation to disclose personal data to its partners or contractors, if such disclosure is necessary for the performance of a contract with the customer.
A ‘notification’ basis allows an organisation to deem that consent has been given if the individual has been notified of the collection, use or disclosure of personal data for a specified purpose and has not opted out within a reasonable period.
The enhanced PDPA also allows organisations to collect, use and disclose personal data without consent under a ‘legitimate interests’ or a ‘business improvement’ exception. For example, business entities that form part of the same group may rely on the ‘business improvement’ exception to share data with one another in order to personalise or customise services for customers.
The use of personal data is also allowed without consent for research purposes under the enhanced PDPA, provided that such use has a clear public benefit and the results of the research will not be published in a form that identifies any individuals.
[Not yet in force] The enhanced PDPA also includes a new right of data portability, allowing individuals to direct an organisation which holds their personal data to transmit that data to a receiving organisation.
Updated advisory guidelines on key concepts in the PDPA are available here.
Updated advisory guidelines on the enforcement of data protection provisions are available here.