MCI and PDPC propose amendments to Personal Data Protection Act 2012 to introduce mandatory breach notification, data portability and increased financial penalties

18 May 2020

From 14 May 2020 to 28 May 2020, the Ministry of Communications and Information (“MCI”) and the Personal Data Protection Commission (“PDPC”) are conducting an online public consultation to seek feedback on the draft Personal Data Protection (Amendment) Bill 2020 (“PDP Bill”), which proposes amendments to the Personal Data Protection Act 2012 (“PDPA”) and related amendments to the Spam Control Act (“SCA”). The consultation builds upon the previous three public consultations conducted by MCI/PDPC between 2017 and 2019.

The proposed amendments cover the following four key areas:

Strengthening accountability of organisations
Enabling meaningful consent for collection, use and disclosure of personal data
Providing greater consumer autonomy over personal data
Strengthening effectiveness of PDPC’s enforcement efforts

These amendments seek to ensure that the PDPA keeps pace with technological advances, new business practices, and global legislative developments relating to the protection of personal data, by strengthening the accountability of and building public trust in organisations which collect, use and/or disclose personal data. In particular, the PDP Bill will introduce enhanced financial penalties for breaches of the PDPA, a mandatory breach notification requirement, as well as a data portability obligation on organisations.

Set out below is a summary of some of the proposed changes.

1. Strengthening accountability of organisations

Insertion of an explicit reference to accountability: Part III of the amended PDPA will contain an explicit reference to accountability, which will make it clearer that organisations are accountable for, and expected to comply with the PDPA in respect of, personal data in their possession or under their control.
Mandatory data breach notification requirement: Organisations will be required to report data breaches if they meet the reporting criteria for notification:

(i) Organisations will be required to inform PDPC and affected individuals if a data breach occurs that results in, or is likely to result, in significant harm to the individuals whose data has been affected by the data breach. PDPC will prescribe categories of data, such as drivers’ licence numbers, NRIC numbers, credit card numbers, etc., which if compromised would likely result in “significant harm” to individuals.

(ii) Organisations will be required to inform PDPC if a data breach is of a significant scale. PDPC has noted that breaches affecting 500 or more individuals would be an appropriate numerical threshold.

Once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether the data breach meets the criteria for notification. An organisation must document the steps taken to demonstrate that it has acted reasonably and expeditiously, and carried out the assessment in good faith.

If the criteria for notification are met, the organisation must notify (i) all affected individuals as soon as practicable, and (ii) PDPC as soon as practicable, no later than three calendar days after the organisation determines that the breach meets the notification criteria.

The PDP Bill will also introduce exceptions to the mandatory data breach notification requirement. These would include situations where circumstances are such that significant harm is unlikely to occur, e.g. remedial action has been taken by the organisation or technological safeguards are present, or where organisations are instructed by law enforcement agencies or PDPC not to notify individuals.

Introduction of offences relating to the egregious mishandling of personal data: The PDP Bill introduces new offences to hold individuals accountable for the egregious mishandling of personal data in the possession of or under the control of an organisation. Individuals found guilty of the new offences would be liable on conviction to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding two years. However, organisations remain primarily accountable for the protection of personal data, and are liable for their employees’ actions if done in the course of their employment.

2. Enabling meaningful consent for collection, use and disclosure of personal data

Categories of deemed consent to be expanded: To facilitate the use and processing of personal data for business purposes, the concept of “deemed consent” under section 15 of the PDPA will be expanded to cover circumstances where:

(i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or

(ii) individuals have been notified of the purpose of the intended collection, use or disclosure of his/her personal data, are given a reasonable opportunity to opt out, and have not opted out.

New exceptions to the consent requirement: The PDP Bill will introduce two new exceptions to cater to situations where there are larger public or systemic benefits where obtaining individuals’ consent may not be appropriate:

(i) Organisations will be able to collect, use or disclose personal data for where it is in the legitimate interests of the organisation, and the benefit to the public is greater than any adverse effect on individuals. This would include detecting or preventing illegal activity such as fraud or money laundering, threats to physical safety and security, preventing misuse of services etc.

(ii) Organisations will be able to use personal data collected for the purposes of business improvement e.g. operational efficiency and service, developing products/services etc. The use of data for business improvement is pegged to what a reasonable person would consider appropriate in the circumstances.

3. Providing greater consumer autonomy over personal data

Introduction of a data portability obligation: With the new data portability obligation, organisations will be required to transmit an individual’s personal data to another organisation if requested by that individual. The obligation only extends to data which is (i) provided by the individual, or (ii) is data about the individual created in the course of the individual’s use of a product or service. Derived personal data, i.e. data which is derived by the organisation in the course of business from other personal data, is not covered.PDPC will also introduce regulations to govern the data portability obligation, which will provide for:

(i) A “whitelist” of data categories to which the obligation would apply;

(ii) Technical and procedural details to ensure that data is correctly and safely transmitted to receiving organisations in a usable form

(iii) Relevant data porting request models, e.g. a push model (where consumers make the porting request to the organisation giving the data), or a pull model (where consumers make the porting request to the organisation receiving the data);

(iv) Safeguards for individuals e.g. cooling off periods for individuals to withdraw a porting request if they change their mind, blacklists of organisations, etc.

Requirement to preserve personal data following access and/or porting requests: Organisations will be required to preserve personal data requested pursuant to an access or porting request for (i) at least 30 calendar days after rejection of the request, or (ii) until the individual has exhausted his/her right to apply for a reconsideration request to PDPC or to appeal, whichever is later.
Improved controls over unsolicited commercial messages: The PDPA’s Do Not Call Provisions will be amended to prohibit the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks or address harvesting software. The SCA will also be amended to cover commercial text messages sent to Instant Messaging accounts, e.g. Telegram, WeChat, WhatsApp and in bulk.

4. Strengthening effectiveness of PDPC enforcement efforts

Increased financial penalty cap: Previously, financial penalties of up to S$1 million could be imposed for data breaches under the PDPA. This will be revised to (i) up to 10% of an organisation’s annual gross turnover in Singapore, or (ii) S$1 million, whichever is higher.
Data breach management plans as statutory undertakings: The implementation of data breach management plans can be the subject of a statutory undertaking, which would encourage organisations to adopt accountable practices. Failure to comply with a statutory undertaking would empower PDPC to investigate the underlying breach, and breaches of undertakings would be enforceable by PDPC directly through the issuance of directions.
Referrals to mediation: PDPC will be empowered to (i) establish mediation schemes, and (ii) where appropriate, direct complainants to resolve disputes via mediation, without the need to secure the consent of parties to the complaint or dispute. Parties who refuse to participate in the mediation scheme when so directed would not be able to seek PDPC’s assistance on a complaint or dispute under the PDPA.

Submission of feedback

The public consultation document and procedures for submission of feedback are available on MCI’s website www.mci.gov.sg from 14 May 2020.

The proposed changes, especially those relating to financial penalties, are significant. We would be pleased to discuss with you the full impact and ramifications that arise from the consultation and the proposed PDP Bill.

If you have any comments on the proposed amendments, or require assistance to submit comments or recommendations, our Contact Partners would also be pleased to assist you in providing feedback. Please note that the deadline for providing feedback to MCI/PDPC is 28 May 2020.

Reference materials

The following materials are available on the MCI website www.mci.gov.sg: