Proposed Changes to Singapore’s Data Protection Act
Changes to Consent Requirement
- The current PDPA requires organizations to obtain consent from individuals for the collection, use and disclosure of their personal information. However, given the volume of data being collected and the potential benefits from analyzing these data, the PDPC proposes not requiring consent in certain circumstances.
- First, if it is impractical for the organization to obtain consent and the collection, use and disclosure of personal data is not expected in any way to have an adverse effect on the individual, the PDPC proposes allowing organizations to provide appropriate notification (Notification of Purpose) in lieu of consent. Prior to relying on this approach, the organizations must conduct a risk and impact assessment and implement measures to mitigate such risks.
- Second, the PDPC proposes broadening the existing limited, express exceptions where organizations can collect, use or disclose personal data without consent. The PDPC proposes creating a catch-all “Legal or Business Purpose” exception to consent where (1) it is not desirable or appropriate to obtain the individual’s consent and (2) the benefits to the public generally or to a subset of the public “clearly outweigh” any adverse effect or risks to the individual. For example, this exception may apply if organizations would like to share personal data in order to detect and prevent fraudulent activity. As with the “Notification of Purpose” exception, organizations must conduct a risk assessment.
Mandatory Data Breach Notification
- The PDPC proposes modifying the existing voluntary approach to data breach notification. Consistent with international best practices, the PDPC proposes requiring mandatory data breach notification as follows.
- If there is any risk of impact or harm to the affected individuals, organizations must notify them and the PDPC.
- Even if the breach does not pose any risk of impact or harm to the affected individuals, organizations must still notify the PDPC where the scale of the data breach is significant (i.e., involving 500 or more individuals).
- If required to notify, organizations must notify the PDPC within 72 hours and affected individuals as soon as practicable.
- Data intermediaries must notify their client organizations of a breach immediately, regardless of the risk of harm or scale of the breach.
- The proposed changes would operate concurrently with any breach notification requirements under existing laws or regulations.
The public comment period ended on October 5. More details can be found at the website of the PDPC (https://www.pdpc.gov.sg/).
You might also like
On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.
AIInternationalPolicyUK
On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule). The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.
Communications PrivacyCybersecurityData BreachesFCCRegulation
In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.