Singapore updates personal data protection law

Out-Law News | 04 Nov 2020 | 11:08 am | 1 min. read

Singapore has updated its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without consent in advance for some purposes.

The PDPA became law in Singapore in 2012. The legislative amendments have been tabled following a public joint consultation on proposals for reform earlier this year by the Ministry of Communications and Information and the Personal Data Protection Commission (PDPC).

Parliament passed the amendments to the PDPA on Monday. Under the PDPA's "exceptions to the consent requirement", personal data can be used, collected or disclosed without consent by businesses for anomaly detection in payment systems for preventing fraud or money laundering, improving products, or conducting market research. The amended PDPA will allow organisations to share data with different contractors in order to fulfil contracts under "deemed consent", including consent by notification.

Companies responsible for data breaches will face stiffer financial penalties. Companies with an annual turnover in Singapore exceeding S$10 million can now be fined up to 10% of their turnover. The maximum fine was previously S$1 million, which is still retained for companies with an annual turnover in Singapore of less than S$10 million.

The use of data under consent exceptions or deemed consent will come with safeguards, including limits on how the data can be used and a requirement for organisations to conduct risk assessments showing that the proposed use is not likely to have an adverse effect on the individual. Organisations must disclose when they rely on this exception. Detailed guidance about the legitimate interest exception and how to identify adverse effects will soon be issued. Adverse effect means any physical harm, harassment, serious alarm or distress to an individual.

Data can be used without consent for business improvement purposes, including operational efficiency and service improvements, developing or enhancing products or services, and knowing the organisations’ customers. Organisations can also use data without consent to support commercial research and development that is not immediately directed at productisation. The amended PDPA allows related corporations to collect and disclose personal data among themselves for the same purposes with "clearly defined limits" such as binding corporate rules.

Alternatively, organisations may obtain deemed consent by conducting an adverse effect assessment, notifying their customers of the new purpose and providing a reasonable period for them to opt out. Individuals may withdraw their consent even after the opt-out period.