On November 2, 2020, Singapore’s legislature finally approved amendments to the Personal Data Protection Act (PDPA). The changes become law once a government gazette is passed (possibly before the end of 2020). If you operate in Singapore, handle Singapore data, or maintain a server in Singapore, it is crucial that you have protocols in place to guide employees on what to do when a data breach occurs and consider doing a data breach tabletop exercise. (We have organized a number of these drills for clients in preparation for breach notification requirements in Australia and now Singapore.)
NEW mandatory data breach notification requirement
- Organizations are now required to notify the Personal Data Protection Commission (PDPC), within three calendar days after the data breach is assessed to be notifiable, of breaches that result in or are likely to result in significant harm to the affected individuals or are of a significant scale (more than 500 affected individuals).
- While the term “assessed to be notifiable” seems to give leeway in terms of determining the deadline for notification, it was noted during the public consultation process that “unreasonable delay in assessing or notification of data breaches will be a breach of the data breach notification requirement” and that the organization is required to make the assessment once it has “credible grounds to believe that a data breach has occurred.” It is therefore necessary to document steps taken once the company is aware of the breach to justify the time taken to do this assessment.
- Organizations are also required to notify the affected individuals as soon as practicable.
- Companies with an annual turnover in Singapore exceeding S$10 million can now be fined up to 10% of this turnover.
Expanded scope of “deemed consent”
- Consent to the processing of personal data will now be deemed to have been obtained based on:
  - contractual necessity: where the data processing is reasonably necessary to perform a contract; or
  - notification and opt-out: where reasonable steps have been taken to notify individuals of the purpose of the data processing and they are given a reasonable period of time to opt out. To rely on this ground, organizations are required to first conduct a risk and impact assessment to determine that processing is unlikely to have an adverse effect on the individuals.
NEW consent exceptions
- New: “Legitimate interests” exception
  - An organization may collect, use, or disclose personal data without consent where the legitimate interests of the organization and the benefit to the public (or any section thereof) together outweigh any adverse effect on the affected individual; for example, data is processed for the purposes of detecting or preventing illegal activities or threats to physical safety and security.
  - Organizations must conduct a risk and impact assessment and disclose their reliance on this exception. Note similarities to the General Data Protection Regulation. It is possible these changes are to position Singapore to apply for adequacy with the European Union.
- New: “Business improvements” exception
  - An organization may use personal data without consent where it needs to (i) know more about its customers, including prospective customers; (ii) carry out operational efficiency and service improvements; or (iii) develop or enhance products/services (e.g., for use in algorithms to provide tailored suggestions to customers).
  - The following condition must be met, among others: the use of the personal data must be what a reasonable person would consider appropriate in the circumstances.
- A new data portability right is available to data subjects to request the transmission of their data to another service provider.
- An obligation on organizations to preserve a complete and accurate copy of a data subject’s personal data for a prescribed period after a data subject’s access or porting request is refused.
- “Do Not Call” provisions will prohibit the sending of specific messages to telephone numbers obtained through the use of dictionary attacks and address-harvesting software.
- New offenses have been introduced to hold individuals accountable for egregious mishandling of personal data on behalf of an organization or public agency. There will now be personal liability for unauthorized disclosure, improper use, and/or unauthorized reidentification of anonymized information.
WHAT YOU SHOULD DO:
- There is no indication that a transition period will be afforded.
- Data privacy policies and procedures need to be reviewed/aligned/revised as soon as possible to ensure compliance. The sequence of notifications to the PDPC and to affected data subjects should be clearly set out.
- Carry out data breach drills or tabletop exercises.
- Review agreements with data intermediaries regarding breach escalation and remediation.
- Review and align privacy clauses to determine whether existing reliance on consent can benefit from the new consent exceptions. If so, processes and procedures should be simplified.
- Conduct PDPA training for employees and highlight the possibility of personal liability for failure to act in accordance with the company’s data protection policies and procedures and social media policies.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.