Love.Law.Robots. by Ang Hou Fu

ConsentObligation


Like most people, I hate to be wrong. But if I got things right all the time, I’d be a judge, not a blog writer.

More than a year ago, I highlighted the only case on the Personal Data Protection Act I am aware of that has reached the High Court. It was a “rare sighting” of a private action under the Personal Data Protection Act (PDPA).

In the post, I concluded that the right of private action was “meaningless” because the High Court held that you cannot claim “distress and loss of control”. That was, after all, what most people face when their privacy is breached. Even so, I thought that individuals going after companies for a breach was too much for one person to bear. That case, after all, concerned a rich, disgruntled data subject facing an intransigent data controller.

The case went on appeal to the Court of Appeal. That is understandable: the PDPA had never been before the highest court of the land, so there were clearly interesting and novel legal questions to be heard.

Furthermore, the Attorney General’s Chambers (AGC) also participated in the appeal. This is noteworthy because it intervened in essentially a private action. However, as mentioned above, the questions are novel, so the drafters of the PDPA should have a say.

The AGC's submissions largely echoed what I accepted in my previous post. This was essentially how we expected to read the legislation. This included accepting the general belief that emotional distress is not claimable under law.

Well, the Court of Appeal has spoken, and I was wrong.

The Court of Appeal held that “distress and loss of control” can be the subject of a right to private action. This was different from the common law, which generally does not regard emotional distress as actionable. (You can’t make a claim against another person for making you feel sad; such is “the vicissitudes of life”.)

What do I read from this? The Court probably abhors meaningless rights. As noted in my previous article, following the lines of the Government and the High Court’s judgement, the private action was not useful to anyone who had their privacy breached.

With the Court of Appeal’s pronouncement, the right to private action has more life in it. However, it’s still probably impracticable to exercise. Not only does a claimant have to bear the costs and stress of litigation, but it also depends on the actions of the respondent. In the instant case, the respondent explicitly (and inexplicably) refused to undertake not to use data without consent. The private action would be wholly unnecessary if everyone acted reasonably.

It was surprising to me that the Government’s position was not accepted by the Court of Appeal. The big picture is that there will always be some uncertainty about how the Court would read a piece of legislation in a dispute. This might make the Government’s recent insistence that only Parliament can decide what is marriage more understandable.

For now, until the Court of Appeal says so, maybe we shouldn’t be too confident when we make predictions on what the law is.

#Law #Singapore #SupremeCourtSingapore #AGC #ConsentObligation #Enforcement #Government #Judgements #Lawyers #Legislation #News #PersonalDataProtectionAct #Undertakings

Love.Law.Robots. – A blog by Ang Hou Fu


This post is part of a series relating to the amendments to the Personal Data Protection Act in Singapore in 2020. Check out the main post for more articles!

Introduction

The history of data protection legislation, in my view, comprises three generations:

  • The earliest generation focuses on common law and sectoral self-regulation. It’s a bit of the wild west, with various ideas and strands all over the place.
  • The EU’s Data Protection Directive, way back in 1995, represents the next generation. Its key innovation is comprehensive national legislation. Its foundations are based on OECD recommendations and revolve around consent, notification, purpose limitation, etc.
  • The third and latest generation, of course, belongs to the GDPR in 2018. Its key innovations are lawful purposes, protection of children, the right to be forgotten, the right to object to automated processing, etc.

Singapore’s PDPA was enacted in 2012. It sits between the EU’s Data Protection Directive and the GDPR. As such, it retains many well-established and familiar features but very few of the innovations used in the GDPR.

One of these artefacts concerns what the PDPA calls the “consent obligation”. The consent obligation requires the consent of a data subject before an organisation can process personal data. Unfortunately, reality does not work out like that. As is consistent with experience, data subjects in Singapore don’t “consent” much substantively, and the exception swallows the rule. Other laws, the exceptions in the schedules of the PDPA and the “reasonable” requirement all qualify the consent obligation.

Instead of looking to the GDPR, the latest amendments to the PDPA “double down” on the consent obligation. Sure, the schedules will undergo some housekeeping and streamlining. Deemed consent is expanded. Two new exceptions are introduced: legitimate interests and business improvement. (Curiously, “legitimate interests” sounds like one of the legal bases in the GDPR.)

Given the Law Reform Committee’s view that the PDPA is sound, the consent obligation will be with us for a long time.

As I showed above, I am not a big fan of this convoluted consent obligation. I like the legal bases of the GDPR more. They are easier to explain, and the exceptions don’t control the rule. By conceding that consent is unable to explain user rights fully, the GDPR accords better to reality.

Nevertheless, I am going to try to explain the Consent Obligation, including the new amendments. So, we are going to play a game! Let’s play “So you want to collect personal data in Singapore”.

The PDF “So you want to process personal data” (217 KB) contains all the flowcharts in this post.

Highlights of changes

As I summarized above, there are several new exceptions to the consent obligation. Here are some highlights.

Deemed consent has expanded

Deemed consent has grown with two new situations. They are expansive and encompass many cases where it’s evident that organisations should have sought consent. The appropriate notification situation also enables organisations to use another method of obtaining consent, which may be considered less confrontational.

A new legitimate interests exception

The PDPA will also feature a new general exception for legitimate interests. The one in the PDPA looks similar to the one in the GDPR. It also requires organisations to do a cost-benefit analysis in the form of a data protection impact analysis.

Here is another one: using personal data for business improvement. As this only applies to use, you must have collected the personal data through other means. This applies very much to data and customer analytics. You might have already collected data from your customers or operations, and this allows you to make more use of it without worrying about the PDPA.

Conclusion

The changes to the consent obligation are very business-friendly. Should an organisation be excited to employ these exceptions?

If you have been very much at the top of your privacy game, you probably would not need any of these exceptions. Your privacy policy would already have included using personal data for data analytics or business improvement. You would not need any “deemed consent” because, in line with best practices, you would have already been upfront and direct with your data subjects.

Given the hit-or-miss nature of PDPC decisions when exceptions are considered, if you can plan for it, you wouldn’t rely on any of these exceptions.

So while it’s heartening to see the movement from openness to accountability, these new changes represent a step back. Hopefully, I won’t need to add several more pages to the next version of my flow chart.

#Privacy #Singapore #PDPAAmendment2020 #ConsentObligation #GDPR



Update 31/5/2021: As of 1 February 2021, the revised (or updated as they call it) PDPA has been enacted substantially. The post has been updated to highlight areas which are still not effective as of May 2021.

I thought the break in the PDPC’s monthly release of decisions since March was due to office closure from COVID-19. Here is a new excuse. After what seems like an eternity of consultations, we have the text of the Amendment Bill. This will be the first substantial revision of Singapore’s Personal Data Protection Act.

Here is a summary of what I believe are the key points.

Mandatory Data Breach Notification is here

A vast majority of enforcement decisions from the PDPC concern data breaches. A vast majority of public reporting also concerns data breaches. Data breaches are the biggest source of liability for companies. However, enforcement action and liability depended on complaints. It is a bit like see no evil, hear no evil.

If organisations were required to report data breaches, this would greatly increase their exposure. Many organisations that merely comply with the minimum requirements of the PDPA will need to introduce new policies and processes for what to do in a data breach.

Organisations working on behalf of public agencies no longer exempted

Following the data breaches in public health and questions regarding the private and public divide in the PDPA, the PDPA now covers organisations working on behalf of public agencies. More organisations will be included under the PDPA, since the government is heavily involved in Singaporeans’ lives through private companies. Together with a push from the government, this means that more organisations will be accountable under the PDPA.

Here’s another (underreported) change following from the debacles. The Amendment Bill now introduces offences for private-sector employees who mishandle information. This tracks the Public Sector Governance Act, which covered public sector employees.

Related post: “The PDPA gets Personal” (Love.Law.Robots.)

Voluntary Undertakings now part of PDPC’s enforcement

I have always been very sceptical of the use and the focus on financial penalties. When the PDPA first came out, the headline number of $1 million was a pretty big deal. The GDPR already provides penalties that are way higher than that. Furthermore, in practice, hardly any organisation got a six-figure penalty. Singhealth remains an outlier. If your goal is to not pay a high penalty, you will hire better lawyers, not data protection officers.

Therefore I am excited about voluntary undertakings, as they are the teeth of the accountability principle. There have been very few decisions which apply this uncommon enforcement method. Hopefully, as has been the case with anti-corruption in the US, a focus on entrenching good practices is encouraged. At the very least, such enforcement will encourage the hiring and involvement of data protection officers.

Oh, and by the way, the amendment increases the penalties that the PDPC can impose. It has now increased to 10% of the organisation’s annual gross turnover or $1 million, whichever is higher. As I mentioned, all this is rather theoretical given the enforcement standards so far. [Update: This is one of the changes which are not effective as of 1 February 2021, presumably due to COVID. Quite frankly, the pudding is in the enforcement, not how high it can go.]

Related post: “Will Increased Penalties Lead to Greater Compliance With the PDPA?” (Love.Law.Robots.) When the GDPR made its star turn in 2018, the jaw-dropping penalties drew a lot of attention. Up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater, was at stake. Several companies scrambled to get their houses in order.

Given the “lawful purposes” approach followed by the GDPR, the increased emphasis on consent under the Amendment Bill seems quaint. “Deemed” consent will be expanded to new situations. You can argue that “deemed consent” is fictitious consent, whereby organisations just tick a few action boxes to do what they want.

Related post: “Making sense of the latest PDPA amendments to the Consent Obligation” (Love.Law.Robots.) I consider the new amendments to the Consent Obligation under the PDPA with a flow chart.

Do note that a “lawful purpose” features in the Amendment Bill. “Legitimate interest” is termed an “exception” here. There is a balancing effort between what the organisation would like, and the risk and benefit to the public and the individual. Is this a peek behind the curtain? Will the “legitimate interest” exception swallow consent?

In any case, the PDPA still relies on consent, huge exceptions and “reasonableness”. This bill does not bring the PDPA into the 21st century. Singapore risks being left behind by other countries which have adopted GDPR-like laws.

Data Portability

Data portability allows individuals to request an organisation to transmit a copy of their personal data to another organisation. It now gets its own section in the PDPA.

As a bit of a geek, of course I am very excited about “data portability”. However, implementation matters, and I am not sure organisations are motivated enough to put up the structures that will make this work. My developer experience playing with bank APIs has not been positive.

[Update: This is one of the changes which are not effective as of 1 February 2021.]

Conclusion

I don’t think I have covered all the changes in detail. Some changes need their own space, so I will be writing new posts and updating this one. Passing the act will still require some more time. Did anything else catch your eye?

[Update: The act was passed and the provisions noted here are substantially effective.]

#Privacy #Singapore #Features #ConsentObligation #DataBreach #DataPortability #Enforcement #Government #LegitimateExpectations #Notification #OpennessObligation #Penalties #PersonalDataProtectionAct #PersonalDataProtectionCommission #Undertakings
