The history of data protection legislation, in my view, comprises three generations:
- The earliest generation focuses on common law and sectoral self-regulation. It’s a bit of the wild west, with various ideas and strands all over the place.
- The EU’s Data Protection Directive, way back in 1995, represents the next generation. Its key innovation is comprehensive national legislation. Its foundations are based on OECD recommendations and revolve around consent, notification, purpose limitation, etc.
- The third and latest generation, of course, belongs to the GDPR in 2018. Its key innovations are lawful purposes, protection of children, the right to be forgotten, the right to object to automated processing, etc.
Singapore’s PDPA was enacted in 2012. It sits between the EU’s Data Protection Directive and the GDPR. As such, it retains many well-established and familiar features but very few of the innovations used in the GDPR.
One of these artefacts concerns what the PDPA calls the “consent obligation”. The consent obligation requires the consent of the data subject before an organisation can collect, use or disclose personal data. Unfortunately, reality does not work out like that. As is consistent with experience, data subjects in Singapore don’t “consent” much substantively, and the exceptions swallow the rule. Other laws, the exceptions in the schedules of the PDPA and the “reasonable” requirement all qualify the consent obligation.
Instead of looking to the GDPR, the latest amendments to the PDPA “double down” on the consent obligation. Sure, the schedules will undergo some housekeeping and streamlining. Deemed consent is expanded. Two new exceptions are introduced — legitimate interests and business improvement. (Curiously, “legitimate interests” sounds like one of the legal bases in the GDPR.)
Given the Law Reform Committee’s view that the PDPA is sound, the consent obligation will be with us for a long time.
A flow chart to understand the Consent Obligation
As I showed above, I am not a big fan of this convoluted consent obligation. I like the legal bases in the GDPR more. They are easier to explain, and the exceptions don’t control the rule. By conceding that consent is unable to explain user rights fully, the GDPR accords better with reality.
Nevertheless, I am going to try to explain the Consent Obligation, including the new amendments. So, we are going to play a game! Let’s play “so you want to collect personal data in Singapore”.
Highlights of changes
As I summarised above, there are several new exceptions to the consent obligation. Here are some highlights.
Deemed consent has grown with two new situations. They are expansive and encompass many cases where it’s evident that organisations should have sought consent. The new notification-based deemed consent also gives organisations another method of obtaining consent, one which may be considered less confrontational.
The PDPA will also feature a new general exception for legitimate interests. The one in the PDPA looks similar to the one in the GDPR. It also requires organisations to do a cost-benefit analysis in the form of a data protection impact assessment.
Here is another one: using personal data for business improvement. As this only applies to use, you must have collected the personal data through other means. This is especially relevant to data and customer analytics. You might have already collected data from your customers or operations, and this allows you to put it to further use without seeking fresh consent (the other obligations in the PDPA still apply).
The changes to the consent obligation are very business-friendly. Should an organisation be excited to employ these exceptions?
Given the hit-or-miss nature of PDPC decisions when exceptions are considered, if you can plan ahead, you would not rely on any of these exceptions.
So while it’s heartening to see the movement from openness to accountability, these new changes represent a step back. Hopefully I won’t need to add several more pages to the next version of my flow chart.