Earlier this month, the Personal Data Protection (Amendment) Bill was read for the first time in Singapore’s Parliament. As we reported previously, in May 2020, Singapore’s Ministry of Communications and Information (“MCI”) and Personal Data Protection Commission (“PDPC”) launched an online public consultation on a draft bill which proposed long-awaited amendments to Singapore’s Personal Data Protection Act 2012 (the “PDPA”), including mandatory data breach notification obligations.
The MCI and PDPC have now released a statement highlighting amendments to the Bill made in response to feedback from the public consultation, including an increase in possible fines for breaches of the new law from 1% to 10% of annual turnover in Singapore, although still subject to an overall cap of S$1 million. We cover the main changes here:
1) Increased Financial Penalty Cap:
Currently, the PDPC can impose fines up to S$1 million for violations of the Act. The original draft bill proposed increased maximum penalties of up to the greater of 1% of annual gross turnover in Singapore or S$1 million. The Bill now goes a step further and proposes a maximum financial penalty of the greater of 10% of annual gross turnover in Singapore, or S$1 million. The higher cap is intended to be a stronger deterrent, improve organisations’ accountability and provide the PDPC with increased flexibility to ensure fines reflect the seriousness of a breach. Notably, the cap remains significantly below the GDPR maximum fine of the higher of €20 million (roughly S$31,175,000) or 4% of annual worldwide turnover.
2) Business Improvement as a new basis for processing personal data:
The original draft bill proposed business improvement (i.e. to allow companies to process personal data in order to improve operational efficiency and improve their products and services) as an alternative to consent as a basis for processing personal data.
The Bill clarifies that the business improvement exception could only be relied upon by organisations within the same corporate group, and that the processing of personal data under that exception would have to satisfy the following conditions:
- The purpose of the data processing must not be reasonably achievable without the use of personal data in an individually identifiable form;
- The purpose must not be sending direct marketing messages;
- The processing of personal data for the relevant business improvement purpose must be such that a reasonable person would consider it to be appropriate in the circumstances;
- The disclosing and receiving organisations must be bound by a contract, agreement or corporate rules that require the receiving organisation to implement and maintain appropriate safeguards; and
- The personal data collected or disclosed must relate to an existing customer of the disclosing organisation and be an existing or prospective customer of the receiving organisation.
3) Data Portability Right:
The Bill proposes to introduce the right for individuals to request that an organisation transmit a copy of their personal data to another organisation, as under the GDPR. This would, for example, help individuals switch between service providers. The data portability obligation would apply to requests from individuals who have an existing, direct relationship with organisations which have a presence in Singapore.
In a schedule to the Bill, the MCI and PDPC clarify the circumstances under which an organisation would not be required to port data. The porting organisation would not be required to transmit any of the following data:
- opinion data kept to evaluate an individual or organisation;
- any documents relating to prosecution, investigation or proceedings if such proceedings have not completed;
- any personal data subject to legal privilege;
- any personal data which would reveal confidential commercial information; and
- derived personal data.
The porting organisation would also not be required to transmit any applicable data in the following circumstances:
- the request will unreasonably interfere with the porting organisation because of repetitious or systematic requests;
- the burden or expense is disproportionate to the individual’s interests;
- the data is trivial, does not exist or cannot be found; or
- the request is frivolous or vexatious.
Companies subject to the Bill when it comes into force may want to examine their current policies and procedures for dealing with individual rights requests to ensure they are able to field portability requests in the future.
4) Offences for mishandling personal data:
The Bill proposes new offences to hold individuals accountable for egregious mishandling of personal data. The proposed offences are for knowing or reckless unauthorised disclosure, use of personal data for personal gain or to cause harm to another person, and re-identification of anonymised data. A person convicted of such offences would be liable on conviction to a fine not exceeding $5,000 or to imprisonment not exceeding two years or to both.
Feedback from the public consultation highlighted that the original draft bill was too broad and raised concerns about these offences deterring individuals from taking on roles which handle high volumes of data. In new advisory guidelines, the MCI and PDPC intend to clarify that the new offences are not intended to cover situations where the individuals are authorised as part of their employment to disclose, use or re-identify the data.
5) Business Asset Transactions:
The Bill allows parties contemplating a business asset transaction to share personal data of employees, customers, contractors, directors, officers, and shareholders of the target organisation. Feedback from the public consultation requested that this exception to consent as the basis for processing data go beyond the current scope (the sale of assets only) to include other similar corporate transactions, including transfers, amalgamations, joint ventures, mergers and acquisitions, disposals of assets or transfers of control. This expanded exception was included in the Bill and will also apply to companies in the same corporate group.
The Bill represents a significant shift in Singaporean data protection law, drawing inspiration from approaches taken in other major jurisdictions, while trying to balance businesses’ interests in processing personal data against the need to establish a credible enforcement regime to encourage compliance and protect individuals’ rights.
The Bill will come into force after further readings in Parliament and upon the President’s assent, which is expected to be before the end of 2020.