Amendments to PDPA Necessarily a Mixed Bag for Personal Data Protection



This article was written on 11 November 2020 and updated on 9 April 2021 to reflect the Facebook data breach on 5 April 2021

Last week, Singapore netizens suffered from two massive data breaches involving their personal details including names, e-mail addresses and phone numbers.

Personal data from potentially 2.8 million Eatigo accounts was illegally accessed in a data breach; around 400,000 of those accounts belonged to Singapore users.

Personal information from 1.1 million RedMart accounts was stolen from e-commerce platform Lazada.

The personal information obtained from both these data breaches has since been put up for sale.

It seems apparent that private companies must do more to ensure their customers’ personal data is secure and used responsibly.

Soon after this news emerged, Parliament passed changes to the Personal Data Protection Act (PDPA) on 2 November 2020. These changes crucially included stiffer penalties that companies must face for data breaches.

However, the amendments also greatly increase the remit under which companies may use, collect, or disclose data without consent.

Stiffer Penalties

The amended PDPA makes it compulsory for organisations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).

A “numerical threshold of 500 individuals” will constitute a data breach of a significant scale. A breach is categorised as serious if it is likely to result in significant harm to individuals through identity theft or fraud, including the leaking of their full names and other confidential financial information.

The amended PDPA also imposes a higher fine on companies that have suffered a data breach. Whereas previously the maximum fine was S$1 million, companies with an annual turnover exceeding S$10 million can now be fined up to 10 per cent of their annual turnover in Singapore.

Amendments Related to Consent

However, under the PDPA's "exceptions to the consent requirement", the criteria have been expanded to include legitimate interests, business improvement and broader research and development. Previously, the only exceptions allowed were for investigations and responding to emergencies.

The amended PDPA will also allow organisations to share data with different contractors to fulfil contracts under "deemed consent", including consent by notification.

Legitimate Interests

Organisations can now use data without consent for legitimate interests like anomaly detection in payment systems to prevent fraud or money laundering.

To do so, they must conduct an assessment to eliminate or reduce risks associated with the collection, use or disclosure of personal data, and must be satisfied that “the overall benefit of doing so outweighs any residual adverse effect on an individual”.

Reliance on this exception must also be disclosed to the authorities, who can require these companies to produce their assessments for review.

Business Improvement

Organisations can also now use data without consent for business improvement purposes, including operational efficiency and service improvements, developing or enhancing products or services, and knowing the organisations’ customers.

Communications and Information Minister S Iswaran said that as a safeguard, this exception can be relied upon only for purposes that a reasonable person may consider appropriate in the circumstances, and where the purpose cannot be achieved without the use of the personal data.

In addition, to facilitate better corporate or administrative functions as well as to concentrate research and development expertise, related corporations will be allowed to collect and disclose personal data among themselves for the same purposes.

These corporations must be bound by a contract, agreement or binding corporate rules to implement and maintain appropriate safeguards for the personal data.

Research and Development

Organisations can also use data without consent to support commercial research and development that is not immediately directed at productisation, with safeguards similar to those for data used under the business improvement exception.

This exception applies to research institutes carrying out scientific research and development, educational institutes embarking on social sciences research, and organisations conducting market research to identify and understand potential customer segments.

Concerns Raised

While Mr Iswaran believes the PDPA amendments will ultimately strengthen consumer trust with greater accountability for the protection of personal data, consumers worrying about personal privacy surrounding their digital data might be forgiven for thinking they are receiving mixed messages.

A host of concerns were raised in Parliament prior to the amendments being passed. These include the point that it is the organisations, rather than individuals themselves, who determine whether the former’s use and disclosure of personal data have any adverse effects on the latter. While this determination must be reasonably made, an element of subjectivity is still in play and would skew in favour of the organisations.

Moreover, the PDPA does not apply to public sector agencies, which are instead subject to a different set of laws under the Public Sector (Governance) Act.

Ultimately, these changes have been passed in Parliament, indicating that our elected MPs have deemed any issues raised to have been sufficiently addressed. We would certainly not deign to question the legitimacy of Parliamentary process.

However, it should not be controversial to point out that increasing the scope for organisations to use, collect, and disclose consumers’ data without consent would naturally increase the risk of misuse and intrusion on personal privacy.

This has been done for the sake of business expedience. We should also take into account the fact that we are, to a certain extent, beholden to how companies around the world are allowed to make use of and store digital data, given the obviously global nature of the Internet. Deviating too much from these accepted practices would create more problems.

So the government may have taken steps which are arguably necessary, and have had to find a balance between individual protection and business expedience. But there is indubitable danger to the individual and one’s personal privacy. That is simply the reality in this modern world.
