- AS OF 21 JAN 2021 - SINGAPORE DAILY COVID CASES: 19 NEW CASES, 4 IN COMMUNITY AND 15 IMPORTED CASES
- Complete Guide To EDG Strategic Brand And Marketing Development Grant - What Are Claimable?
- What Are Special Purpose Acquisition Companies (SPACs) and What Do You Need To Know
- Risk Management: Insurance Coverage for Business Premises – What You Need to Know
- Uncertain Times Still Ahead for 2021 – SME Loans Available Under Enterprise Singapore
- The Maybank Momentum Grant for Singapore Non-Profits
- Giving Back To Society: Cycling Without Age – Helping The Elderly Feel The Wind In Their Hair
- Risk Management: Understanding Product Liability and Product Liability Insurance
- Guide to Google Ads Grant for Non-Profit Organisations
- New MOM Requirements for Employees on Work Permit, Training Work Permit and S Pass Holders Entering Into Singapore From 1st Jan 2021
Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection
Last week, Singapore netizens suffered from two massive data breaches involving their personal details including names, e-mail addresses and phone numbers.
Personal data from potentially 2.8 million Eatigo accounts were illegally assessed in a data breach, of which around 400,000 of them belonged to Singapore users.
Meanwhile, personal information from 1.1 million RedMart accounts was stolen from e-commerce platform Lazada.
The personal information obtained from both these data breaches have since been put up for sale.
It seems apparent that private companies must do more to ensure their customer’s personal data is secure and used responsibly.
Soon after the emergence of these news, Parliament passed changes to the Personal Data Protection Act (PDPA) on 2 November 2020. These changes crucially included stiffer penalties that companies must face for data breaches.
However, it also greatly increases the remit under which companies may use, collect, or disclose data without consent.
The amended PDPA makes it compulsory for organisations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).
A “numerical threshold of 500 individuals” will constitute a data breach of a significant scale. A breach is categorised as serious if it is likely to result in significant harm to individuals through identity theft or fraud, including the leaking of their full names and other confidential financial information.
The amended PDPA also imposes a higher fine for companies who have suffered a data breach. Whereas previously the maximum fine was S$1 million, companies with an annual turnover exceeding S$10 million can now be fined up to 10 per cent of its annual turnover in Singapore.
Amendments Related to Consent
However, under the PDPA's "exceptions to the consent requirement", the criteria have been expanded to include legitimate interests, business improvement and broader research and development. Previously, the only exceptions allowed were for investigations and responding to emergencies.
The amended PDPA will also allow organisations to share data with different contractors to fulfil contracts under "deemed consent", including consent by notification.
Organisations can now use data without consent for legitimate interests like anomaly detection in payment systems to prevent fraud or money laundering.
To do so, they must conduct an assessment to eliminate or reduce risks associated with the collection, use or disclosure of personal data, and must be satisfied that “the overall benefit of doing so outweighs any residual adverse effect on an individual”.
Reliance on this exception must also be disclosed to the authorities, who can require these companies to produce their assessments for review.
Organisations can also now use data without consent for business improvement purposes, including operational efficiency and service improvements, developing or enhancing products or services, and knowing the organisations’ customers.
Communications and Information Minister S Iswaran said that as a safeguard, this exception can be relied upon only for purposes that a reasonable person may consider appropriate in the circumstances, and where the purpose cannot be achieved without the use of the personal data.
In addition, to facilitate better corporate or administrative functions as well as to concentrate research and development expertise, related corporations will be allowed to collect and disclose personal data among themselves for the same purposes.
These corporations must be bound by a contract, agreement or binding corporate rules to implement and maintain appropriate safeguards for the personal data.
Research and Development
Organisations can also use data without consent to support commercial research and development that is not immediately directed at productisation, with similar safeguards put in place as that for data used under the business improvement exception.
This exception applies to research institutes carrying out scientific research and development, educational institutes embarking on social sciences research, and organisations conducting market research to identify and understand potential customer segments.
While Mr Iswaran believes the ultimately PDPA amendments will strengthen consumer trust with greater accountability for the protection of personal data, consumers worrying about personal privacy surrounding their digital data might be forgiven for thinking they are receiving mixed messages.
A host of concerns were raised in Parliament prior to the amendments being passed. These include the point that it is the organisations, rather than individuals themselves, who determine whether the former’s use and disclosure of personal data have any adverse effects on the latter. While this determination must be reasonably made, an element of subjectivity is still in play and would skew in favour of the organisations.
Moreover, the PDPA does not apply to public sector agencies, which are instead subject to a different set of laws under the Public Sector (Governance) Act.
Ultimately, these changes have been passed in Parliament, indicating that our elected MPs have deemed any issues raised to have been sufficiently addressed. We would certainly not deign to question the legitimacy of Parliamentary process.
However, it should not be controversial to point out that increasing the scope for organisations to use, collect, and disclose consumers’ data without consent would naturally increase the risk of misuse and intrusion on personal privacy.
This has been done for the sake of business expedience. We should also take into account the fact that we are, to a certain extent, beholden to how companies around the world are allowed to make use of and store digital data, given the obviously global nature of the Internet. Deviating too much from these accepted practises would create more problems.
So the government may have taken steps which are arguably necessary, and have had to find a balance between individual protection and business expedience. But there is indubitable danger to the individual and one’s personal privacy. That is simply the reality in this modern world.