Stiffer penalties for data breaches, more opportunities for legitimate uses of data as Parliament passes changes to PDPA
SINGAPORE: Parliament passed changes to the Personal Data Protection Act (PDPA) on Monday (Nov 2), including an amendment that allows organisations to use data without consent in more cases as well as stiffer penalties for data breaches.
Under the PDPA's "exceptions to the consent requirement", organisations can now use, collect or disclose data for legitimate interests, business improvement and broader research and development, Communications and Information Minister S Iswaran told Parliament before the Bill was passed.
This includes to prevent fraud, improve products or conduct market research to understand potential customer segments. Current consent exceptions include investigations and responding to emergencies.
The amended PDPA will also allow organisations to share data with different contractors to fulfil contracts under "deemed consent", including consent by notification.
Mr Iswaran said these changes "accommodate modern commercial arrangements and essential purposes such as security, and support business innovation".
But some Members of Parliament from both sides of the aisle expressed concern at the changes, arguing that they favoured organisations over individuals or could lead to uninformed or unintended consent.
Mr Iswaran said the use of data under consent exceptions or deemed consent will come with safeguards, including clear limits on how the data can be used and getting organisations to conduct risk assessments.
"Currently, the PDPA recognises organisations’ need to use personal data for legitimate purposes, and accommodates them through exceptions to the consent requirement, or as deemed consent," he said.
"For all other purposes, organisations have to obtain consent from the individual."
When it comes to sending direct marketing messages, organisations would still need to get express consent, he added.
The amended PDPA also comes with stiffer fines for data breaches, and makes it compulsory for organisations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).
Companies with an annual turnover exceeding S$10 million can now be fined up to 10 per cent of its annual turnover in Singapore. The maximum fine was previously S$1 million.
While MPs generally welcomed these changes, they questioned the amendments related to consent.
Under deemed consent by notification, Workers' Party MP Louis Chua noted that organisations can now collect personal data as long as it has taken "reasonable" steps to inform individuals, and ensure it is not likely to have an "adverse effect" on them.
"This system reduces the power of individuals relative to organisations who have the power to determine if their collection, use, and disclosure of personal data have any adverse effects on the individuals," the Sengkang GRC MP said.
As for the consent exceptions, Tampines GRC MP Desmond Choo pointed out that "legitimate interests" are viewed from an organisation's perspective.
"This inadvertently encompasses a subjective determination on the part of the organisation in assessing whether their legitimate interests outweigh potential adverse effects on an individual," he said.
Mr Iswaran said organisations can use data without consent for legitimate interests like anomaly detection in payment systems to prevent fraud or money laundering.
"To rely on this exception, organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual," he said.
"To ensure transparency, organisations must disclose when they rely on this exception."
Mr Iswaran said the PDPC can require organisations to produce these assessments for review.
"It will also issue detailed guidance on the legitimate interest exception and how to identify adverse effect, which generally refers to any physical harm, harassment, serious alarm or distress to an individual," he added.
Organisations can also use data without consent for business improvement purposes, including operational efficiency and service improvements, developing or enhancing products or services, and knowing the organisations’ customers, Mr Iswaran said.
"As a safeguard, this exception can be relied upon only for purposes that a reasonable person may consider appropriate in the circumstances, and where the purpose cannot be achieved without the use of the personal data," he said.
Mr Iswaran noted that businesses have asked for this exception to also apply to entities within a group, as they may consolidate corporate or administrative functions, or concentrate research and development expertise in a single unit that supports the entire group.
As such, the amended PDPA allows related corporations to collect and disclose personal data among themselves for the same purposes, but with "clearly defined limits", the minister said.
"The Bill provides for additional safeguards for intra-group sharing by requiring related corporations to be bound by a contract, agreement or binding corporate rules to implement and maintain appropriate safeguards for the personal data," he added.
RESEARCH AND DEVELOPMENT
Organisations can also use data without consent to support commercial research and development that is not immediately directed at productisation, Mr Iswaran said.
"This could apply to research institutes carrying out scientific research and development, educational institutes embarking on social sciences research, and organisations conducting market research to identify and understand potential customer segments," he said.
This will come with similar safeguards as data used under the business improvement exception, he added.
DEEMED CONSENT FOR CONTRACTUAL PERFORMANCE
As for fulfilling contracts under deemed consent, Mr Iswaran said that multiple layers of contracting and outsourcing are common in modern commercial arrangements.
One scenario would be when a customer provides his address when ordering an item from an online retailer. The online retailer will now be able to share his address with other logistics partners through deemed consent so the item can be successfully delivered.
"Crucially, organisations relying on deemed consent for contractual necessity can only collect, use and disclose personal data where it is reasonably necessary to fulfil the contract with the individual," Mr Iswaran said.
In addition, the amended PDPA has expanded the deemed consent regime to include notification.
"Under this provision, organisations may notify their customers of the new purpose and provide a reasonable period for them to opt out," Mr Iswaran said.
"Before doing so, organisations must conduct a risk assessment and conclude that the collection, use or disclosure of personal data in this manner will not likely have an adverse effect on the individual."
Individuals may withdraw their consent even after the opt-out period, he added.
Ultimately, Mr Iswaran believes the PDPA amendments will strengthen consumer trust with greater accountability for the protection of personal data.
"It will give greater certainty for organisations to use data for legitimate business purposes with the requisite safeguards, and it will ultimately enhance Singapore’s status as an important node in the global network of data flows and digital transactions," he said.