Singapore passed amendments to its Personal Data Protection Act (PDPA) on Tuesday, in the first comprehensive review of the Act since its 2012 enactment.
The updated Act aims to strengthen consumer trust through organisational accountability as well as enhance effectiveness of enforcement, consumer autonomy and data use for innovation. Ministers believe it will allow organisations to keep pace with technological changes, and position Singapore as a key player in the digital economy.
The amended PDPA updates, restructures and clarifies exceptions to the consent requirements for use of personal data, or deemed consent provisions, and adds business improvement, new legitimate interests and an updated research exception to this list.
To rely on these legitimate uses of personal data, organisations must conduct a risk assessment and satisfy themselves that the overall benefit of collecting, using or disclosing the data outweighs any adverse effect on an individual. They must also disclose when they rely on such an exception.
Under the new rules, deemed consent has been extended to include passing personal data to contractors in order to fulfil a contract with the customer, where reasonably necessary.
Organisations may also now use exceptions to utilise personal data for business improvement purposes such as operational efficiency and service improvements; developing or enhancing products or services; and knowing the organisations’ customers. Related corporations can collect and disclose personal data among themselves for these purposes, if bound by a contract, agreement or binding corporate rules.
Additionally, the update revises the previous PDPA research exception to support commercial research and development not immediately for productisation, for example, institutions carrying out scientific research and development, social sciences research, or market research to identify and understand potential customer segments.
Under “consent by notification”, organisations may notify customers and give a reasonable period to opt out before their data is used for new purposes.
Other key measures include raising the maximum financial penalty for breaching certain parts of the PDPA to 10% of an organisation’s annual turnover in Singapore or S$1 million, whichever is higher. The amended Act also introduces compulsory notification of a significant or harmful data breach, describes new offences for disclosure or use of personal data, and introduces a new data portability obligation – a relatively novel concept in Singapore.
In a speech given at the second reading of the Bill, Mr S. Iswaran, Minister for Communications and Information, referred to the “inherent tension” between protecting consumers’ personal data and allowing them more control and autonomy over it, and supporting legitimate use of data by organisations and the use of data for growth and innovation.
“The proposed amendments seek to strike a judicious balance between them”, he said.
“I would argue that consumers – individuals like you and me – we are not powerless by any stretch of the imagination. We can choose to decide whom to do business with, what data we want to share, whether we want to give consent, and when we want to withdraw that consent. Ultimately, we can decide when to sever the relationship, if that is what we want. So, I think we should not lose sight of that aspect as well. Ultimately, the legislation was be seen in that perspective. It is one part of an overall architecture that will ensure a vibrant digital economy, but also one where data is respected, safeguarded but also used for appropriate purposes.”