Making sense of the latest PDPA amendments to the Consent Obligation
I consider the new amendments to the Consent Obligation under the PDPA with a flow chart.
This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!
The history of data protection legislation, in my view, comprises three generations:
- The earliest generation focuses on common law and sectoral self-regulation. It’s a bit of the wild west, with various ideas and strands all over the place.
- The EU’s Data Protection Directive, way back in 1995, represents the next generation. Its key innovation is comprehensive national legislation. Its foundations are based on OECD recommendations and revolve around consent, notification, purpose limitation, etc.
- The third and latest generation, of course, belongs to the GDPR in 2018. Its key innovations are lawful purposes, protection of children, the right to be forgotten, the right to object to automated processing, etc.
Singapore’s PDPA was enacted in 2012. It sits between the EU’s Data Protection Directive and the GDPR. As such, it retains many well-established and familiar features but very few of the innovations used in the GDPR.
One of these artefacts concerns what the PDPA calls the “consent obligation”. The consent obligation requires the consent of a data subject before an organisation can process personal data. Unfortunately, reality does not work out like that. As is consistent with experience, data subjects in Singapore don’t “consent” much substantively, and the exception swallows the rule. Other laws, the exceptions in the schedules of the PDPA and the “reasonable” requirement all qualify the consent obligation.
Instead of looking to the GDPR, the latest amendments to the PDPA “double down” on the consent obligation. Sure, the schedules will undergo some housekeeping and streamlining. Deemed consent is expanded. Two new exceptions are introduced — legitimate interests and business improvement. (Curiously, “legitimate interests” sounds like one of the legal bases in the GDPR.)
Given the Law Reform Committee’s view that the PDPA is sound, the consent obligation will be with us for a long time.
A flow chart to understand the Consent Obligation
As I showed above, I am not a big fan of this convoluted consent obligation. I like the legal bases of the GDPR more. They are easier to explain, and the exceptions don’t control the rule. By conceding that consent is unable to explain user rights fully, the GDPR accords better with reality.
Nevertheless, I am going to try to explain the Consent Obligation, including the new amendments. So, we are going to play a game! Let’s play “so you want to collect personal data in Singapore”.