Personal Data Protection (Amendment) Bill passed to introduce mandatory data breach notification, data portability requirement and increased financial penalty cap
On 2 November 2020, the Personal Data Protection (Amendment) Bill (“Bill”) was passed in Parliament, following its introduction on 5 October 2020. The Bill seeks to amend the Personal Data Protection Act 2012 (“PDPA”) for the following main purposes:
- Strengthen the accountability of organisations in respect of the handling and processing of personal data.
- Enhance the legal framework for the collection, use and disclosure of personal data.
- Provide individuals with greater autonomy over their personal data.
- Enhance the enforcement powers of the Personal Data Protection Commission (“PDPC”).
The Ministry of Communications and Information (“MCI”) and PDPC conducted a public consultation on the draft Bill from 14 to 28 May 2020. This followed three public consultations on the key policy positions between 2017 and 2019, and was intended to clarify and finalise the language in the Bill to put the policy positions into effect. Overall, respondents were generally supportive of the draft Bill as the proposed amendments add flexibility and clarity to the PDPA.
While the effective date of the Bill does not appear to have been finalised, it is useful to note that certain parts of the Bill have been determined to be subject to a phased implementation, and the increased financial penalties in the Bill will be applicable no earlier than one year after the Bill comes into force.
Set out below is a summary of some of the key changes under the Bill:
Mandatory data breach notification
There will be a new Part VIA in the amended PDPA which provides for the mandatory data breach notification requirement.
Definition of data breach
A data breach has been defined to mean the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
It may be useful to note that PDPC in a published decision, where an organisation was subject to a ransomware attack which encrypted personal data, determined that such encryption is an “unauthorised modification” of the personal data, since the encryption rendered the personal data inaccessible to the organisation. This was the determination even though backup and restoration practices mitigated the impact of the ransomware on the organisation, such that access was lost for only “approximately 2 days”.
Notifiable data breaches
A data breach is a notifiable data breach if the data breach results in, or is likely to result in, significant harm to an affected individual, or is, or is likely to be, of a significant scale. In his Closing Speech at the second reading of the Bill, the Minister for Communications and Information S Iswaran (“Minister”) mentioned that there are plans to prescribe in regulations, a numerical threshold. According to him, this was something that has been developed through consultation - a numerical threshold of 500 individuals for what constitutes a data breach of a significant scale. This threshold is based on past enforcement cases and other jurisdictions’ practices as well. The regulations will also include the categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to individuals, such as identity theft or fraud. One example of such data is full name and confidential financial information.
A data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.
Duty to conduct assessment of data breach
Where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach. Additionally, a data intermediary processing personal data on behalf of and for the purposes of another organisation or public agency must, without undue delay, notify such other organisation or public agency of the occurrence of the data breach.
Duty to notify occurrence of notifiable data breach
Where an organisation assesses that a data breach is a notifiable data breach, the organisation must notify PDPC as soon as is practicable, but in any case no later than three calendar days after the day the organisation makes that assessment. The organisation must also notify each affected individual affected by a notifiable data breach in any manner that is reasonable in the circumstances.
Exceptions
The Bill will also introduce exceptions to the mandatory data breach notification requirement. These would include situations where circumstances are such that significant harm is unlikely to occur, e.g. remedial action has been taken by the organisation or technological safeguards are present, or where organisations are instructed by prescribed law enforcement agencies or PDPC not to notify individuals.
Introduction of a data portability obligation
There will be a new Part VIB in the amended PDPA to provide for data portability which requires organisations to transmit an individual’s personal data that is in electronic form to another organisation if requested by that individual.
The Minister mentioned in his Opening Speech at the second reading of the Bill that PDPC will work closely with all stakeholders for a phased implementation. Regulations will be issued in the coming months on the categories of data that should be portable, and other technical and consumer protection details.
Increased financial penalty cap
The maximum financial penalty that may be imposed on an organisation whose annual turnover in Singapore exceeds S$10 million is 10% of the annual turnover in Singapore of the organisation. In any other case, the maximum financial penalty is S$1 million.
In his Opening Speech, the Minister stated that the change relating to the increased financial penalty cap for organisations will take effect no earlier than one year after the Bill (which will be the Personal Data Protection (Amendment) Act 2020) comes into force. The Minister also stated that the revised cap will apply to breaches that occur after the effective date.
Insertion of an explicit reference to accountability
The heading to Part III of the amended PDPA will contain an explicit reference to accountability to emphasise that organisations are accountable for, and expected to comply with the PDPA in respect of, personal data in their possession or under their control.
Remove exclusion for agents of Government and criminalise egregious mishandling of personal data
The Bill incorporates the recommendations of the Public Sector Data Security Review Committee in its report of November 2019. First, the Bill removes the current exclusion for agents of Government, thereby making clear that all private sector organisations are subject to the PDPA, even when they are acting on behalf of public agencies.
Second, the Bill strengthens individual accountability for the egregious mishandling of data by setting out new offences for knowing or reckless unauthorised (a) disclosure of personal data; (b) use of personal data that results in personal gain for the offender or another person, or harm or loss to another person; and (c) re-identification of anonymised information. Related amendments will also be made to the Public Sector (Governance) Act and Monetary Authority of Singapore Act to align the public and private sector data regimes.
While the primary responsibility and liability for breaches of the PDPA rest with organisations, these new offences are aimed at individuals who know that their actions are not authorised or who act recklessly. There will be defences to the new offences, such as independent testing of anonymisation deployed in information security systems. Also, these offences should not apply in situations where the conduct is solely in the nature of a private dispute, which should continue to be resolved through civil suits or other forms of dispute resolution.
MCI/PDPC intends to clarify in Advisory Guidelines the situations that the new offences are not intended to cover. These include situations where the individuals are authorised as part of their employment to disclose, use or re-identify the data. The Advisory Guidelines will include further details on conduct that is authorised, and the various forms authorisation may take. For example, conduct that is authorised may be set out in an organisation’s written policies, manuals and handbooks, or an organisation may provide ad-hoc authorisation for a specific action or activity, which should be provided by someone in the organisation who is empowered to do so or who is ostensibly empowered to do so by reason of his/her seniority or position in the organisation.
Categories of deemed consent to be expanded
Section 15 of the PDPA will be amended to introduce deemed consent by contractual necessity. There will also be a new section 15A in the amended PDPA relating to deemed consent by notification.
New exceptions to the consent requirement, expanded business asset transaction exception
The amended PDPA will provide for new exceptions under which an organisation may collect, use and disclose personal data about an individual without the individual’s consent, including the following:
- Where it is in the legitimate interests of the organisation or another person, and the legitimate interests outweigh any adverse effect on the individual. To rely on this exception, organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual. To ensure transparency, organisations must disclose when they rely on this exception. One of many potential use cases is anomaly detection in payment systems to prevent fraud or money-laundering.
- Where there are business improvement purposes such as for operational efficiency and service improvements, developing or enhancing products/services and knowing the organisations’ customers. As a safeguard, this exception can be relied upon only for purposes that a reasonable person may consider appropriate in the circumstances, and where the purpose cannot be achieved without the use of the personal data. Recognising this commercial reality, the amended PDPA will allow related corporations to collect and disclose personal data among themselves for the same purposes. There are also additional safeguards for intra-group sharing by requiring related corporations to be bound by a contract, agreement or binding corporate rules to implement and maintain appropriate safeguards for the personal data.
The current exception relating to business asset transactions will be expanded to apply to business asset transactions involving the sale and purchase of shares or other interests in an organisation, whether the interest is in a party to the transaction or of another organisation that is held by a party to the transaction.
Improved controls over unsolicited commercial messages, enforce DNC Provisions under a civil administrative regime
The PDPA’s Do Not Call Provisions (“DNC Provisions”) will be amended to prohibit the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks or address harvesting software. The Spam Control Act will also be amended to cover commercial text messages sent to Instant Messaging accounts, e.g. Telegram, WeChat, WhatsApp and in bulk.
The PDPA will also be amended to provide for the enforcement of the DNC Provisions under the same civil administrative regime as the data protection provisions. The maximum financial penalty that may be imposed on an organisation is 5% of annual turnover in Singapore or S$1 million, whichever is higher, and S$200,000 for an individual.
Introduction of voluntary undertakings
The new section 48L in the amended PDPA will introduce voluntary undertakings. The voluntary undertaking may include undertakings to take specified action or refrain from taking specified action in relation to the requirements under the PDPA, as well as to publicise the voluntary undertaking. PDPC may, with the agreement of the organisation or person who gave the voluntary undertaking, vary the terms of any undertaking included or include any additional undertaking.
Referrals to mediation
The new section 48G in the amended PDPA will provide that PDPC may establish or approve one or more dispute resolution schemes for the resolution of complaints by an individual against an organisation by mediation. PDPC may refer such complaints to the dispute resolution scheme without the consent of the individual and the organisation.
Reference materials
The following materials are available on the Parliament website www.parliament.gov.sg and MCI website www.mci.gov.sg:
- MCI press release: Amendments to the Personal Data Protection Act and Spam Control Act passed
- Opening Speech by S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020
- Closing Speech by S Iswaran, Minister for Communications and Information, at the Second Reading of the Personal Data Protection (Amendment) Bill 2020
- Infographic - How the enhanced PDPA can help grow your business
- Infographic - How the enhanced PDPA will benefit you
- Personal Data Protection (Amendment) Bill
- Closing note to the public consultation on draft Personal Data Protection (Amendment) Bill including related amendments to the Spam Control Act
