Data protection officers and in-house legal counsel responsible for their organization’s compliance with personal data protection laws have key roles to play in this digital age, which has drastically increased the ways in which organizations collect and use personal data.
Personal data protection framework
Personal data is being capitalized in many ways to help businesses improve on innovation and increase their competitiveness. The prevalence of modern technological mediums has also contributed to the volume of digital data being generated and shared. It is undeniable that the data landscape has gone through a transformation, which in turn has spurred a growing concern amongst the public over how their valuable data is being used and protected.
It was against this backdrop that the Personal Data Protection Act was enacted in Singapore in 2012 (“PDPA”). Prior to the passing of the PDPA, legislation governing the protection of personal data was disparate and scattered across specific sectors only (such as the financial and healthcare sectors), whilst there was a vacuum in data protection laws governing other industries.
The PDPA serves as a general data protection framework across all organizations (except those in the public sector) to ensure a baseline standard of protection for individuals’ personal data. The PDPA regulates an organization’s collection, use, and disclosure of personal data in Singapore, and strives to seek a balance between organizations’ need to collect, use and disclose personal data, and the need to protect the personal data of individuals. There are two main arms of the PDPA, one covering data protection and the other covering the Do Not Call registry. Since its inception, there have been a number of amendments to the PDPA across the years, with its most significant passed in 2020 under the Personal Data Protection (Amendment) Act (the “2020 Amendments”), which is taking effect in parts, starting from 2021.
Key developments following from the 2020 Amendments
Accountability: A notable development is the shift towards an accountability approach to be in line with international trends and best practices in data protection laws. There is now a mandatory notification regime under which organizations must notify the Personal Data Protection Commission (PDPC) of data breaches that are of significant scale. Organizations must also notify both the PDPC and affected individuals when data breaches result (or are likely to result) in significant harm to individuals. These measures aim to encourage organizations to establish risk-based internal monitoring and reporting systems to detect data breach incidents.
Further, PDPC now has more flexible enforcement powers which can be tailored to the circumstance of each breach by each errant organization, such as accepting written undertakings from organizations to have in place a data protection management plan. This is intended to allow organizations to implement a remediation plan that rectifies the immediate breach and also addresses systemic shortcomings, thus setting these organizations up to be more accountable in their practices.
Other changes include a higher maximum financial penalty for data breaches by organizations whose annual turnover in Singapore exceeds $10 million: for such organizations, the maximum penalty is 10% of their annual turnover in Singapore. In any other case, the penalty would be up to $1 million. This has been announced to take effect from 1 October 2022.
Data portability: Individuals will also be given greater autonomy over the data generated about them. There will be a new data portability obligation which will allow individuals to request that a copy of their personal data be transmitted to another organization. This gives them greater choice and control over their personal data and enables them to switch to new service providers more easily. At the time of writing, this obligation has not yet come into force.
Recognizing commercial realities: The amendments further strive to accommodate realistic commercial arrangements. In recognizing that numerous layers of contracting and outsourcing are commonly utilized by businesses today, the PDPA has an expanded definition of deemed consent to cater for such scenarios where personal data is passed through multiple layers of contractors for an organization to fulfil a contract with an end customer.
Legitimate purpose ground: The 2020 Amendments also permit organizations to collect and use personal data without first obtaining consent, where such personal data is to be used for legitimate purposes. This change recognizes that consent may not be practically obtainable under certain circumstances. However, to rely on this ground, organizations must first eliminate or mitigate the risks associated with the collection, use or disclosure of the personal data, and satisfy themselves that the overall benefits of doing so outweigh any negative effect on the individual. A use case envisaged for this is the detection of fraud or money laundering in payment systems.
The developments to the PDPA are reflective of Singapore’s aspirations to have a data protection regime that the public trusts, whilst providing an environment for companies to thrive in the digital economy. These developments take into account the regulatory approaches adopted in key jurisdictions including Australia, Canada, the European Union and the United Kingdom.
This progressive approach toward data protection would be of long-term benefit to businesses that embrace the intent behind the developments and adopt systems and procedures that will help them to meet their obligations under the PDPA. This does however mean that organizations must ensure they have an adequate understanding of their compliance obligations under law, and following from that, implement appropriate data protection practices and policies suitable for their particular business functions.
JTJB Singapore Office
This update is for general information only and is not intended to constitute legal advice. JTJB has made all reasonable efforts to ensure the information provided is accurate at the time of publication.