Bill to strengthen Singapore data protection laws tabled

Out-Law News | 07 Oct 2020 | 3:30 pm | 3 min. read

Data protection laws in Singapore are to be updated, with businesses set to face new obligations around the notification of data breaches and stiffer financial penalties for non-compliance.

The Personal Data Protection (Amendment) Bill, read for the first time in Singapore's parliament on 5 October, contains a raft of further changes, including proposed new rules around consent to the processing of personal data, new data portability requirements designed to "provide individuals with greater autonomy and control over their personal data", and the introduction of a range of new offences.

Reform of the existing Personal Data Protection Act, which was introduced into Singapore law in 2012, has been anticipated for some time. The legislative amendments have been tabled following a public joint consultation on proposals for reform earlier this year by The Ministry of Communications and Information and the Personal Data Protection Commission (PDPC).

Tan Bryan

Bryan Tan

Partner

Organisations are to be held accountable for the personal data held by them and will face enforcement if they fail to do so. We expect organisations to ramp up breach notification plans and to consider cyber-insurance.

Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law, said: "The amendments reflect the themes of accountability, enforcement, consent and control".

"Organisations are to be held accountable for the personal data held by them and will face enforcement if they fail to do so. We expect organisations to ramp up breach notification plans and to consider cyber-insurance. On the flipside, organisations can look forward to the refinements of the consent requirement," he said.

Among the most striking new provisions proposed are proposals which would require organisations to notify certain data breaches to the PDPC. Mandatory notification of personal data breaches is already provided for in data protection laws in other jurisdictions, most notably perhaps in the EU's General Data Protection Regulation (GDPR). The Singapore proposals on notification of data breaches are similar but contain some differences.

Under the proposed amendments, organisations would be under a new duty to assess, "in a reasonable and expeditious manner", whether a data breach is a 'notifiable data breach' – that being one which would need to be reported to the PDPC. A breach would be considered notifiable if it "results in, or is likely to result in, significant harm to an affected individual; or is, or is likely to be, of a significant scale".

Generally, organisations must notify the PDPC within three days of a breach being assessed as being notifiable. Data intermediaries would be obliged to notify organisations that a data breach has occurred, and it would be up to those other organisations to assess whether the breach is notifiable.

Breaches would not need to be notified even if they have been assessed as being notifiable if an organisation "takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or had implemented, prior to the occurrence of the notifiable data breach, and technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual".

Organisations would be able to write to the PDPC to ask for the notification requirements to be waived, and the PDPC would have the power to waive the requirements "subject to conditions that the Commission thinks fit".

Another major change proposed would be the introduction of the new concept of 'deemed consent'. The proposals outline circumstances in which businesses would be free to collect, use or disclose the personal data of individuals if they have met various requirements around transparency of their planned activities, including taking reasonable steps to notify individuals of the purposes of that processing.

However, businesses would only be able to rely on deemed consent as a lawful basis for processing personal data if they have first assessed that their planned data processing is not likely to have an adverse effect on the individual concerned and only after "a reasonable period" of time has passed in which it did not receive an objection to the planned processing from the individual.

Further changes planned include proposed new prohibitions adopted from the Spam Control Act on the use of dictionary attacks and address-harvesting software, in an effort to curb the use of technology in facilitating spam messaging and unsolicited marketing. A new obligation of data portability has also been introduced.

New offences of unauthorised disclosure of personal data, improper use of personal data, and unauthorised re-identification of anonymised information would also be introduced, with potential criminal penalties including imprisonment of up to two years and a maximum fine of S$5,000 ($3,679).

The Bill also makes provision for the PDPC to be able to refer data protection disputes to mediation to be resolved, and envisages a new framework for issuing fines for intentional or negligent contraventions of the legislation. Under the plans, SMEs would continue to face a maximum potential fine of S$1 million ($740,000), but organisations with annual turnover in Singapore exceeding S$10 million ($7.36m) could be fined up to 10% of that turnover for certain breaches. For other types of infringement, businesses with annual turnover in Singapore that exceeds S$20m per annum ($14.72m) could be fined up to 5% of that turnover.