The new Personal Data Protection (Amendment) Bill 2020 (Bill) was passed on November 2, 2020.
With this Bill, Singapore is seeking to strengthen the accountability of organisations by introducing mandatory notification requirements for data breaches, as well as stiffer penalties for organisations and personal liability for certain offences relating to the mishandling of personal data.
But at the same time, this Bill will also give organisations more leverage in the use of personal data in the fast-growing digital economy by expanding the instances where personal data can be used without consent, and introducing data portability.
Accountability is here to stay
It will be compulsory for organisations to report breaches of a certain severity and scale to the Personal Data Protection Commission (PDPC). Additionally, individuals, in most cases employees, will also be held accountable for egregious mishandling of personal data. The proposed penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.
Last but not least, companies with an annual turnover of over SGD$10 million could be fined for data breaches up to 10% of their annual turnover in Singapore or S$1 million, whichever is higher – the previous maximum was SGD$1 million.
Consent can be modular if proper safeguards are in place
Two new exceptions have been included in the consent requirement: organisations may now collect, use and disclose personal data for legitimate interests (with some safeguards) and for specific business improvement purposes, such as improving the goods or services provided by the organisation or conducting market research to understand potential customer segments.
Furthermore, the scope of “deemed consent” has been expanded to cover the collection and use of personal data to execute contracts. What is known as “consent by notification” has also been introduced; this expands consent to cases where the individual has been notified of the purpose of use of his/her personal data and given the possibility to opt out.
Data portability is the new buzzword
Finally, the Bill introduces the right to data portability whereby an organisation must, at the request of an individual, transmit his or her personal data that is in the organisation’s possession or under its control to another organisation in a commonly used machine-readable format. This will allow consumers to switch to new services more easily and at the same time it will also support the development of new and innovative services or applications as organisations will have more access to data.
This Bill is the first comprehensive review of the PDPA since its 2012 enactment, and it is expected to allow organisations to keep pace with technological changes and to position Singapore as a key player in the digital economy. Organisations therefore need to ensure compliance with this Bill. The financial and reputational consequences for non-compliance with the new requirements will not outweigh the efforts that should be placed by organisations to ensure that they have an adequate data protection framework in place that will allow them to reap the benefits of this new piece of legislation and avoid enforcement action.
For more information on the PDPA and how it can affect your business, contact Alpadis Group