Navigating the Road Ahead: Insights into the Policy Rationale of the PDP (Amendment) Bill 2020

On 2 November 2020, the Personal Data Protection (Amendment) Bill 2020 (“Bill”) was passed in Parliament. The Bill is the culmination of the first comprehensive review of the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”) since its enactment in 2012. Its introduction followed four public consultations, the most recent of which was on the draft of the Bill which was conducted by the Ministry of Communications and Information and the Personal Data Protection Commission (“PDPC”) between 14 and 28 May 2020.

The Bill introduces a number of significant amendments to the PDPA which are to be welcomed by both individuals and organisations. The amendments strengthen the protection of personal data and rights of individual under the PDPA while enhancing the ability of organisations to innovate and make use of personal data for legitimate purposes. In brief, the Bill aims to strengthen consumer trust through organisational accountability, enhance consumer autonomy, support data use for innovation and ensure effective enforcement of the PDPA. As part of this, the Bill also provides for certain related amendments to the Spam Control Act (Cap. 311A). In our view, these changes strike a good balance in addressing the rights and needs of individuals and organisations.

The public consultation paper on the draft Bill (“Public Consultation Paper”), closing note to the public consultation (“Closing Note”) and second reading speech for the Bill in Parliament (“Second Reading Speech”) provide us with a number of insights into the policy thinking that underlies the amendments to the PDPA in the Bill. In this article, we focus on 4 significant provisions in the Bill which have been clarified in the Closing Note.

During the Second Reading Speech, Mr S Iswaran, the Minister for Communications and Information, noted that there have been profound changes in the data landscape since the PDPA was enacted in 2012. The variety and volume of data collected by organisations has grown at an unprecedented rate and data is regarded as a key asset in the digital economy. In particular, data analytics can provide organisations with valuable insights that inform their decisions and power innovation, for example, in enhancing products and services and enabling emerging technologies such as artificial intelligence.

As such, the proposed amendments to the PDPA are a step towards ensuring that Singapore’s legislative and regulatory regime is “fit for purpose” for a digital economy with a complex data landscape.

First, the Bill introduces a new exception to consent where organisations will be allowed to use personal data without consent for certain business improvement purposes. These include: (i) for improving or enhancing any goods or services provided, or developing new goods or services to be provided; (ii) for improving or enhancing the methods or processes, or developing new methods or processes; (iii) for learning about and understanding the behaviour and preferences of customers in relation to the goods or services; and (iv) for identifying any goods or services that may be suitable for customers or personalising or customising any such goods and services for customers.

In order for organisations to rely on the business improvement exception to use personal data without consent, they must satisfy certain conditions, namely:

• the purpose cannot reasonably be achieved without the use of the personal data in an individually identifiable form;
• the purpose is what a reasonable person would consider appropriate in the circumstances; and
• the purpose is not for sending direct marketing messages.

In the Closing Note, the PDPC notes there was strong support for the proposed exception and a request that it also apply to entities within a group, e.g. in the context of structuring of common administrative functions and centralising research and development. Accordingly, the Bill now provides that the business improvement exception will apply in a group context, subject to the following additional conditions:

• the personal data collected or disclosed must relate to an individual who is an existing customer of the disclosing corporation, and an existing or prospective customer of the collecting corporation; and
• the related corporations must be bound by a contract or binding corporate rules requiring the collecting corporation to implement and maintain appropriate safeguards for the personal data.

The conditions listed above at [7] and [8] are, in our opinion, effective measures to prevent the abuse and misuse of this new Business Improvement Exception. With these safeguards in place, organisations will only be able to use personal data within an organisation or a group of related companies, with clearly defined limits. Notably, organisations will not be able to use personal data to send direct marketing messages under this Business Improvement Exception.

We note that the introduction of this business improvement exception is part of the move to expand the consent regime under the PDPA. Unlike the EU General Data Protection Regulation (“GDPR”) which provides six legal bases for processing the personal data, Singapore has adopted a consent-based regime in the PDPA, with the exceptions to consent providing alternative bases for collection, use and disclosure of personal data by organisations. As such, this new exception to consent affords greater flexibility to organisations seeking to use data for business innovation.

Secondly, the Bill introduces a new data portability obligation which requires an organisation to transmit, at the request of an individual, their personal data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format.

While a number of exceptions to the new data portability obligation were stated in the consultation paper, some responses to the public consultation highlighted that the exceptions were not stated in the draft Bill itself, and there were requests that they be included in the Bill.

The Bill now expressly provides for exceptions to the data portability obligation in a new Twelfth Schedule. First, the new Twelfth Schedule sets out, under Part 1, the types of applicable data (i.e., personal data subject to the Data Portability Obligation) that a porting organisation need not transmit, including (but not limited to) opinion data kept solely for evaluative purposes, and personal data which is subject to legal privilege. The new Twelfth Schedule also provides for various “excluded circumstances” under which an organisation is not required to transmit applicable data under the data portability obligation. These include (but are not  limited to) where transmitting the applicable data would unreasonably interfere with the operations of the porting organisation because of the repetitious or systematic nature of the data porting request, or where the data porting request is frivolous or vexatious.

In our view, this is a welcome change which provides greater clarity to organisations and reduces their uncertainty in complying with the new data portability obligation. It also balances the needs of organisations, which enable them to retain any competitive edge they have over their competitors, whilst also ensuring that an individual who wishes to port his data to another organisation is able to do so efficiently.

Thirdly, the Bill introduces an increase in the maximum financial penalty for contraventions of the PDPA from S$1 million to (i) up to 10% of an organisation’s annual turnover; or (ii) S$1 million, whichever is higher.

The Closing Note indicates that approximately a third of all respondents to the public consultation were concerned with the increase in the financial penalty cap. Some respondents also requested that the Bill make it clear that the reference to an organisation’s annual turnover refers to its annual turnover in Singapore. This has accordingly been made explicit in the Bill.

The rationale for the increase in financial penalty was to strengthen the PDPC’s enforcement powers. We note that this move to increase the quantum of the financial penalty is also aligned with the positions taken in other jurisdictions – most prominently, the revenue-based financial penalty that may be imposed under the EU GDPR. Under the EU GDPR, data controllers and processors may face penalties of up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, for certain contraventions. The Closing Note also clarifies that regardless of the financial penalty cap, PDPC will continue to be circumspect and be guided by the facts of the case and other relevant factors in determining the financial penalty to the imposed.

In our opinion, the increase in financial penalty cap under the PDPA is a welcome move as it would not only sharpen the PDPC’s teeth but also send the signal that Singapore takes data protection seriously, thereby increasing consumer confidence in the data protection regime as a whole.

Finally, the Bill introduces new offences for individuals in relation to egregious mishandling of personal data in the possession, or under the control, of an organisation or a public agency. The new offences relate to certain unauthorised use or disclosure of personal data or re-identification of anonymised data.

Some members of the public were concerned about a “chilling effect” the new offences may have on individuals handling personal data, and sought further clarification on the exceptions to the new offences. The Closing Note indicates that PDPC will be issuing subsequent advisory guidelines, setting out the situations that the new offences are not intended to cover. This would include situations where individuals are authorised as part of their employment to disclose, use or re-identify the data.

The Bill also provides for an additional defence in relation to unauthorised re-identification of anonymised data, where it is done for purposes such as testing the effectiveness of the anonymisation of personal data and testing the systems and processes to safeguard the integrity and confidentiality of the anonymised information.

Up to the present, the enforcement of the PDPA has been largely focused on organisations. The introduction of criminal offences for individuals who egregiously mishandle personal data is part of the clear shift towards enhancing accountability, and brings the PDPA in line with similar offences under the Public Sector (Governance) Act 2018 (Act 5 of 2018).

The Closing Note and Bill have addressed a number of significant issues raised in the responses to the public consultation on the draft Bill. We hope that the changes will foster a culture of accountability and respect for individuals’ personal data, across all industries and sectors, and strengthen Singapore’s position as a trusted hub for business.