I thought the break in the PDPC’s monthly release of decisions since March was due to office closure from COVID-19. Here is a new excuse. After what seems like an eternity of consultations, we have the text of the Amendment Bill. This will be the first substantial revision of Singapore’s Personal Data Protection Act.
Here is a summary of what I believe are the key points.
Mandatory Data Breach Notification is here
A vast majority of enforcement decisions from the PDPC concern data breaches. A vast majority of public reporting also concerns data breaches. Data breaches are the biggest source of liability for companies. However, enforcement action and liability depended on complaints. It is a bit like see no evil, hear no evil.
If organisations were required to report and assess data breaches, this would greatly increase their exposure. For many organisations who merely comply with the minimum requirements of the PDPA, they will need to introduce new policies and processes to address what to do in a data breach.
Organisations working on behalf of public agencies no longer exempted
Following the data breaches in public health and questions regarding the private and public divide in the PDPA, the PDPA now covers organisations working on behalf of public agencies. More organisations will be included under the PDPA since the government is much involved in Singaporean’s lives through private companies. Together with a push from the government, this means that more organisations will be accountable under the PDPA.
Here’s another (underreported) change following from the debacles. The Amendment bill now introduces offences for private-sector employees who mishandle information. This tracks the Public Sector Governance Act, which covered public sector employees.
Voluntary Undertakings now part of PDPC’s enforcement
I have always been very sceptical of the use and the focus on financial penalties. When the PDPA first came out, the headline number of $1 million was a pretty big deal. The GDPR already provides penalties that are way higher than that. Furthermore, in practice, hardly any organisation got a six-figure penalty. Singhealth remains an outlier. If your goal is to not pay too high penalty, you will hire better lawyers, not data protection officers.
Therefore I am excited about voluntary undertakings, as they are the teeth of the accountability principle. There have been very few decisions which apply this uncommon enforcement method. Hopefully, as has been the case with anti-corruption in the US, a focus on entrenching good practices is encouraged. At the very least, such enforcement will encourage the hiring and involvement of data protection officers.
Oh, and by the way, the amendment increases the penalties that can be dealt with by the PDPC. It has now increased to 10% of the organisation’s annual gross turnover or $1 million, which ever is higher. As I mentioned, all this is rather theoretical given the enforcement standards so far.
The PDPA doubles down on Consent, with an eye on “legitimate expectations”
Given the “lawful purposes” approach followed by the GDPR, the increased emphasis on consent under the Amendment Bill seems quaint. “Deemed” consent will be expanded to new situations. You can argue that “deemed consent” is fictitious consent, whereby organisations just tick a few action boxes to do what they want.
Do note that a “lawful purpose” features in the amendment bill. “Legitimate interest” is termed as an “exception” here. There is a balancing effort between what the organisation would like, and the risk and benefit to the public and individual. Is this a peek in the curtain? Will the “legitimate interest” exception swallow consent?
In any case, the PDPA still relies on consent, huge exceptions and “reasonableness”. This bill does not bring the PDPA to the 21st century. Singapore risks being left behind against other countries which adopted GDPR like laws.
Data portability allows individuals to request an organisation to transmit a copy of their personal data to another organisation. It now gets its own section in the PDPA.
As a bit of a geek, of course I am very excited about “data portability”. However, implementation matters, and I am not sure organisations are motivated enough to put up the structures that will make this work. My developer experience playing with bank APIs have not been positive.
I don’t think I have covered all the changes in detail. Some changes need their own space, so I would be writing new posts and updating this one. Passing the act will still require some more time. Did anything else catch your eye? Let me know in comments!