Amendments to the PDPA significantly change Singapore’s data protection landscape, including mandatory data breach notification and criminal offences for mishandling of personal data.

By Farhana Sharmeen, Esther Franks, and Gen Huong Tan

On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 (the Act) took effect, implementing the following changes to the Personal Data Protection Act 2012 (PDPA):

  • Strengthened enforcement powers for the Personal Data Protection Commission (PDPC)
  • New criminal offences for individuals for egregious mishandling of personal data
  • Mandatory data breach notification requirements
  • New provisions for “deemed” (i.e., implied) consent and exceptions to the PDPA consent requirements, namely the “legitimate interests” exception and “business improvement” exception

Other changes from the Act have yet to take effect but are expected to be introduced in phases. These include:

  • Increased financial penalties for companies in breach of the PDPA
  • A new right of data portability for individuals

Background

The Act was passed in November 2020, and is the first comprehensive overhaul of Singapore data privacy law since the enactment of the PDPA. It follows a public consultation in May 2020 by the Ministry of Communications and Information and the PDPC.

Key amendments in effect as of 1 February 2021

New criminal offences for individuals

Individuals may be criminally prosecuted in certain limited circumstances for the egregious mishandling of personal data, including:

  • The knowing or reckless unauthorised disclosure of personal data
  • The knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person
  • The knowing or reckless unauthorised re-identification of anonymised information

Individuals found guilty of any of these offences are subject to a fine not exceeding S$5,000 or to imprisonment for a term not exceeding two years, or both.

Mandatory data breach notification

Organisations are required to take steps to assess whether a data breach is notifiable under the PDPA, and will be required to notify the PDPC of a data breach that meets either one of the two following criteria.

The first criterion is that the data breach results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by the data breach relates. The Personal Data Protection (Notification of Data Breaches) Regulations 2021 prescribe certain types of personal data that, if compromised in a data breach, shall be deemed to result in significant harm to affected individuals.

The second criterion is that the data breach is of “a significant scale”, which is prescribed as a data breach that affects 500 or more individuals.

Once an organisation has determined that a notifiable breach has occurred, it shall notify the PDPC as soon as practicable and no later than three calendar days after the day it determines that the breach meets the notification requirements.

The organisation must also notify affected individuals if the data breach is likely to result in significant harm to them; where such notification is required, it must be made as soon as practicable. Notifications to the PDPC and affected individuals do not need to be simultaneous. However, the PDPC must be notified before or at the same time as affected individuals are notified.

If a data breach is discovered by a data intermediary, the intermediary is required to notify the organisation without undue delay from the time the intermediary has credible grounds to believe that a data breach has occurred.

Consent exceptions

Deemed consent

The concept of “deemed consent” is expanded to include circumstances in which either of the following apply:

  • The collection, use, or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction (also referred to as “deemed consent by contractual necessity”)
  • Individuals have been notified of the purpose of the intended collection, use, or disclosure of personal data, given a reasonable opportunity to opt out, and have not opted out (also referred to as “deemed consent by notification”)

Legitimate interests and business improvement

In certain circumstances, organisations will be able to rely on the following two new exceptions to collect, use, or disclose personal data.

Legitimate interests: This exception requires the organisation to assess any likely adverse effects to individuals, and implement measures to mitigate those identified adverse effects. Organisations must also determine whether the benefit to the public (or any section thereof) outweighs any likely residual adverse effect to the individual, and disclose the organisation’s reliance on “legitimate interests” to collect, use, or disclose personal data.

Business improvement purposes: This exception will allow related organisations to use properly obtained personal data without consent for the following purposes: (a) improving, enhancing, or developing new goods or services; (b) improving, enhancing, or developing new methods or processes for business operations in relation to the organisations’ goods and services; (c) learning or understanding behaviour and preferences of individuals; or (d) identifying goods or services that may be suitable for individuals or personalising or customising any such goods or services for individuals.

Incoming changes that have yet to take effect

Higher maximum financial penalties

Financial penalties that organisations may face for violations of the PDPA shall be increased to up to 10% of annual gross turnover in Singapore or S$1 million, whichever is higher. The revision of financial penalties aligns the PDPA with similar penalty mechanisms in other jurisdictions, notably the EU and Australia, and in other local laws such as the Competition Act.

According to the PDPC’s Advisory Guidelines on Enforcement of Data Protection Provisions, these increased financial penalties will only take effect at a later date, which will be no earlier than 1 February 2022.

Data portability

A new data portability obligation will allow individuals to request a copy of their personal data to be transmitted in a commonly used machine-readable format to another organisation, enabling consumers to switch to new service providers more easily.

Next steps

Organisations should review their internal policies and procedures to ensure they are adequately prepared for the new PDPA provisions. In particular, data breach and security incident plans should be updated to reflect the new requirements on mandatory data breach notification, and to appropriately identify both the prescribed categories of personal data and the thresholds for informing the PDPC and/or affected individuals.

Latham & Watkins will continue to track developments closely and provide regular updates on potential changes to the PDPA.