17 December 2020
On 10 December 2020, the Personal Data Protection (Amendment) Act 2020 (“Amendment Act”) was gazetted and will come into operation on a date to be appointed by the Minister for Communications and Information by notification in the Gazette. The Amendment Act will likely come into force in early 2021 with different dates of commencement for different sections, for example in relation to increased financial penalties. For more information, please read our article titled “Expected date of commencement of Personal Data Protection (Amendment) Bill, and preparatory steps for organisations”.
The Amendment Act seeks to amend the Personal Data Protection Act 2012 (“PDPA”) to introduce a mandatory data breach notification requirement and a new data portability obligation. Other key changes include an increased financial penalty cap, insertion of an explicit reference to accountability, expanded categories of deemed consent, new exceptions to the consent requirement, expanded business asset transaction exception and improved controls over unsolicited commercial messages. For more, please read our article titled “Personal Data Protection (Amendment) Bill passed to introduce mandatory data breach notification, data portability requirement and increased financial penalty cap”.
The Personal Data Protection (Amendment) Bill (“Bill”) was passed in Parliament on 2 November 2020, following its introduction on 5 October 2020. A few weeks later on 20 November 2020, the Personal Data Protection Commission (“PDPC”) issued the Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill (“draft Advisory Guidelines”) to provide clarification on key provisions in the Bill relating to the enhanced framework for collection, use and disclosure of personal data (including assessment checklists), mandatory data breach notification, financial penalties and offences for egregious mishandling of personal data. For example, the draft Advisory Guidelines provide that an organisation should take reasonable and expeditious steps to assess whether a data breach is notifiable under the PDPA within 30 calendar days and to document all steps taken in assessing the data breach. The draft Advisory Guidelines also provide that data breaches that meet the criteria of significant scale are those that involve the personal data of 500 or more individuals.
PDPC also set out in the draft Advisory Guidelines a table of factors and past enforcement cases to provide organisations with some reference on how PDPC determines the amount of financial penalty to be imposed.
The draft Advisory Guidelines will be finalised and issued when the amendments to the PDPA come into effect.
- Draft Advisory Guidelines on Key Provisions of the Personal Data Protection (Amendment) Bill
- Annex A: PDPA's Enhanced Framework for the Collection, Use and Disclosure of Personal Data
- Annex B: Assessment Checklist for Deemed Consent by Notification
- Annex C: Assessment Checklist for Legitimate Interests Exception
- Personal Data Protection (Amendment) Act 2020