Singapore amends proposed data protection law


Keeping pace with fast-moving technology developments and global regulatory trends, Singapore introduced the Personal Data Protection (Amendment) Bill for its first reading in parliament on 5 October 2020. The bill proposes material changes to the Personal Data Protection Act 2012 (PDPA). It also differs in several respects from the earlier consultation paper, and the most salient differences are highlighted below.

Increased financial penalties and revised enforcement procedures

The proposal in the consultation paper to increase the financial penalty cap for PDPA breaches (up to 10% of an organisation’s gross annual turnover) has largely been retained in the bill.

The bill refines the penalty framework by introducing tiered penalties for different offences and provides clarity on the processes and factors to be taken into account in the Personal Data Protection Commission’s (PDPC) exercise of its enforcement powers.

For instance, the bill introduces a threshold of intentional or negligent contravention of the PDPA before a financial penalty may be imposed. In theory, a contravention that is neither intentional nor negligent will attract only directions from the PDPC. Although this standard is now expressly set out in the bill, it is unclear whether it will make a difference in practice.

The situations in which financial penalties are currently imposed could already be characterised as intentional or negligent contraventions of the PDPA. The Guide to Active Enforcement states: “Generally, financial penalties are reserved only for breaches that the PDPC views as particularly serious in nature.” In assessing the seriousness of a breach, the PDPC already considers:

  • Whether the organisation acted deliberately or wilfully; and
  • Whether the organisation knew or ought to have known about the risk of a serious contravention of the PDPA, and failed to take reasonable steps to prevent it.

In addition, organisations will have at least 14 days from receipt of a notice of the PDPC’s intention to impose a financial penalty in which to submit written representations to the PDPC. The factors that the PDPC must take into account when deciding whether to impose a financial penalty are expressly set out in the bill. These factors include:

  • The nature, gravity and duration of the non-compliance with the PDPA;
  • The type and nature of the personal data affected by non-compliance with the PDPA;
  • Whether any financial benefit was gained, or financial loss was avoided, as a result of non-compliance with the PDPA;
  • Whether there was previous non-compliance with the PDPA;
  • Whether adequate and appropriate measures were implemented to comply with the PDPA, despite the non-compliance; and
  • The likely impact of the imposition of the financial penalty.

Clarifications to the business improvement exception

The consultation paper introduced the much-anticipated business improvement exception. The bill slightly modifies the new ground for processing under part 2, division 2 of the second schedule, and adds a new exception in part 5 of the first schedule, in particular providing that:

  • Related organisations may share personal data, in certain circumstances, for the purposes of business improvement; and
  • Personalisation and customisation of existing goods and services are within scope of the exception.

The conditions to rely on the business improvement exception continue to apply, which are as follows:

  • The business improvement purpose cannot reasonably be achieved without personal data in an individually identifiable form; and
  • A reasonable person would consider the purpose to be appropriate.

For intra-group sharing of data, the relevant group entities must be bound by a contract or binding corporate rules requiring the recipient of the data to implement and maintain appropriate safeguards for it.

This exception cannot be relied upon to send direct marketing messages.

The new ground for processing under part 2, division 2 of the second schedule applies only to use of personal data by the organisation itself for business improvement purposes. The requirement in the consultation paper that “the use of the personal data by the organisation does not have any adverse effect on the individual to whom the personal data relates” has been removed.

Expansion of business asset transaction exception

The bill addresses earlier feedback on the scope of the business asset transaction exception that had not been addressed in the consultation paper.

In particular, the bill clarifies that this exception extends to other similar transactions, such as M&A, sales of shares, transfers of controlling power or interests, and corporate restructurings and reorganisations involving “an interest in an organisation”, as well as amalgamations with, or transfers to, related corporations.

Retrospective application of deemed consent by contractual necessity

The consultation paper introduced the concept of deemed consent by contractual necessity as part of an expanded deemed-consent regime.

Deemed consent by contractual necessity is intended to cover not only the collection, use and disclosure of personal data by the organisation itself, but also processing by downstream entities where that processing is reasonably necessary for the performance of the contract.

The bill clarifies the temporal scope of this form of deemed consent. It will cover relevant activities conducted on or after the date the relevant provisions of the bill come into effect. It will also apply retrospectively to personal data provided before those provisions take effect, where the contract concerned was entered into, and remains in force, on or after that effective date.

Offences related to personal data for which individuals may be held accountable

The bill will introduce offences that hold individuals accountable for the mishandling of personal data. To address feedback that the proposed language may have a “chilling effect” on individuals who handle large volumes of data, the PDPC intends to issue advisory guidelines on the application of these offences, in particular addressing situations where an individual’s conduct in a corporate setting is authorised, and the forms that such authorisation may take. An individual is not personally liable for actions that were authorised by the organisation.

The bill also builds on an existing offence under which officers are accountable for corporate offences committed with their consent or connivance, or attributable to their neglect. It widens the categories of individuals who may be held accountable for corporate conduct to include “an individual involved in the management of an organisation and in a position to influence the conduct of an organisation in relation to the commission of an offence”.

It is unclear how this may affect data protection officers, who are responsible for ensuring that the organisation complies with the PDPA. It is to be hoped that the PDPC will provide further guidance and clarification on this issue in its proposed advisory guidelines.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing John McGuinness at john.mcguinness@bakermckenzie.com