Some of the key changes to the Personal Data Protection Act 2012 (“PDPA”) took effect on 1 February 2021. These include a mandatory breach notification regime and new consent exceptions, among them a legitimate interests exception, which may apply where an organisation (or another person) has a legitimate interest in the collection, use or disclosure of the personal data and that legitimate interest outweighs any likely adverse effect on the individual.
The Personal Data Protection (Amendment) Bill was passed by the Singapore Parliament on 2 November 2020, with the changes set to take effect in phases. The first phase of these changes took effect from 1 February 2021.
Changes which have already taken effect as of 1 February 2021
1. Mandatory breach notification
One of the key changes which has now taken effect is the introduction of the mandatory data breach notification requirement. If a data breach is notifiable, the Personal Data Protection Commission (“PDPC”) must be notified. If the breach is, or is likely to be, one that results in significant harm to affected individuals, those individuals must also be notified. The new provisions require that:
- once an organisation has grounds to believe that a data breach has occurred, the organisation is to carry out an assessment of the data breach in a reasonable and expeditious manner to determine whether the data breach is a notifiable data breach. Generally, the assessment should be completed within 30 calendar days of when the organisation first became aware that a data breach may have taken place.
- a data breach is notifiable to the PDPC if the data breach: (a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale (i.e. affecting 500 or more individuals). The organisation must notify the PDPC of the breach as soon as it is practicable to do so and, in any event, no later than 72 hours after establishing that the data breach is notifiable.
- the organisation must also notify affected individuals of the data breach once the organisation has determined that the data breach is likely to result in significant harm to any individuals to whom the information relates, as soon as it is practicable to provide the individuals with the notification. This will allow the affected individuals the opportunity to take steps to protect themselves from the risks of harm or impact resulting from the data breach (e.g. review suspicious account activities, cancel credit cards, and change passwords).
2. New deemed consent and consent exceptions
Consent is required for collecting, using or disclosing an individual’s personal data. The individual must also be notified of the purpose(s) for which an organisation is collecting, using or disclosing the personal data on or before such collection, use or disclosure. Consent may be given expressly or impliedly by individuals. An individual may also be deemed to have given consent under the PDPA in 3 ways: (a) deemed consent by conduct; (b) deemed consent by contractual necessity; or (c) deemed consent by notification.
In certain circumstances, the amended PDPA also allows an organisation to collect, use or disclose personal data without the individual’s consent. These exceptions may apply when:
- the organisation or another person has a legitimate interest in the collection, use or disclosure of the personal data (i.e. the legitimate interest exception);
- the organisation is a party or prospective party to a business asset transaction with another organisation (i.e. the business asset transaction exception);
- the organisation is using the personal data for the purposes of business improvement (i.e. the business improvement exception); and
- the organisation is using the personal data for the purposes of research (i.e. the research exception).
Changes which will take effect later
The following changes have not yet taken effect as of 1 February 2021, but are expected to become effective in the near future:
3. Increased financial penalties for contravention of PDPA
The maximum penalty imposed on organisations for breaches of certain key obligations under the PDPA will be increased to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. The increased financial penalties are expected to take effect on a future date to be notified, and no earlier than 1 February 2022.
4. Right to data portability
The recent amendments have also introduced provisions which require an organisation, at the request of an individual, to transmit that individual’s personal data that is in the organisation’s possession or under its control to another organisation, in accordance with the requirements prescribed in the PDPA. These provisions, which are found under the new Part VIB[1], have yet to come into effect.
For details on the major changes to the PDPA, please refer to our previous e-bulletin “Singapore data privacy law updates 2020”.
[1] Part VIB does not yet appear in the published text of the PDPA because the amendment inserting it has not come into force.
Disclaimer
Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.