Singapore Makes Significant Changes to Data Privacy Legislation
Countries all over the globe have been changing their data privacy landscape to account for the information protection required in the digital age. Organizations are handling large amounts of personal data gathered from numerous sources. This will only increase as more apps, communication platforms, and websites deploying more targeted advertising emerge. To avoid mishandling of sensitive information and give consumers more control, privacy reform has been trending. Now Singapore has made the list, as major amendments to the Personal Data Protection Act (PDPA) passed in November 2020 and have completely refocused the country’s data privacy priorities.
The amendments make Singapore’s PDPA stack up to stricter legislation like that in the EU, Brazil, and California, where serious penalties can result from violations. As with all the new privacy laws, Singapore is focusing on making sure organizations extend appropriate care when collecting, using, and disclosing personal data. The PDPA’s reach is not confined to Singapore and can apply to organizations located in other countries that handle Singapore consumer data. It is crucial for those affected by these revisions to monitor effective dates and make appropriate internal changes in order to remain compliant.
On February 1, 2021, the first batch of amendments to the PDPA became effective. Here are some key provisions:
Consent: Organizations have always been required to get consent before collecting, using, and disclosing personal data. The 2021 amendments added two new categories of deemed consent. The first is for contractual necessity, where disclosure to others is necessary for contract performance. The EU’s General Data Protection Regulation (GDPR) allows for the same via statutory justification. The second is when an organization reviews the situation and finds that data usage will likely not have an adverse effect or there is mitigation. Here, deemed consent results when the organization provides notification and gives the individual a reasonable time to respond and reject, and the individual does not do so. The amendments also added two consent exceptions: one for legitimate interests that outweigh any potential adverse effects, and one for business improvements that are reasonable and cannot be completed without processing the personal data.
Data Breaches: There is now mandatory data breach notification to the Personal Data Protection Commission (PDPC) when a breach causes harm or compromises the data of many consumers. Anyone who will likely be harmed by the breach must receive direct notification from the organization. There is guidance about which types of personal data will result in significant harm when subject to a data breach, like credit card information. There is also guidance about notification timeline and substance. Recently, the HMI Institute of Health Sciences and ST Logistics (both third-party vendors) were fined S$35,000 and S$8,000 respectively, after two separate malware incidents in 2019 led to the breach of personal data of thousands of personnel from the Ministry of Defense and the Singapore Armed Forces. These fines were given even though there was no evidence any data was actually leaked.
New Criminal Offenses: If personal data is mishandled, the offending party may have to pay a fine of S$5,000 or face prison time up to 2 years. Knowingly or recklessly disclosing, using, and re-identifying anonymous data can result in these criminal punishments. There are also new offenses for dictionary attacks and address-harvesting software. Additionally, Singapore’s Spam Control Act will be revised to cover popular messaging platforms like WhatsApp in order to stop unsolicited messages.
Private Right of Action: If an individual is harmed because an organization violated the PDPA, they can now file a lawsuit for civil damages. This is also available under the GDPR and other privacy regulations. Recently, a Singapore High Court was faced with the first lawsuit on this issue where the plaintiff was seeking damages for emotional distress and loss of control over their personal data. The court took a narrower interpretation of the PDPA’s private right of action and found it did not exist in this case because the plaintiff did not show any physical or financial loss (Bellingham Alex v Reed Michael  SGHC 125). Absent a statutory definition of what constitutes sufficient loss to sue, the judge refused to allow a broader interpretation and decreed that the PDPA does not protect a consumer’s fundamental or absolute right to privacy. Instead, it was meant to make Singapore a more attractive business hub by ensuring organizations do not misuse personal data. This is a significant ruling that consumers need to be aware of when deciding to sue.
PDPC Authority: Some increased powers the Commission now enjoys include the ability to compel mediation without party consent and compel attendance or document production via subpoena for an investigation.
This list highlights some of the biggest privacy shifts in Singapore, but there are more changes brought by current and future amendments that all organizations handling personal data of Singapore consumers should familiarize themselves with to remain compliant. In February 2022, penalties for non-compliance are expected to rise up to 10% of annual turnover or $1 million – whichever amount is higher. A provision granting the right to data portability should also take effect at this time. These are two significant changes that require proactive measures before enactment. Reviewing the amendments in their entirety is necessary for adequate preparation.
Ways to Prepare
By now, organizations doing business on a global scale should be familiar with what generally needs to be done when a new privacy law enters the arena. Updating policies and procedures, executing global privacy compliance plans, monitoring new regulatory developments, conducting employee training, data mapping, and creating internal compliance roles need to be on the checklist. For organizations subject to other privacy laws, a lot of the legwork should already be done, but there will still be new Singapore-specific considerations when tweaking privacy compliance plans. This should include making comparison charts of the compliance efforts already deployed for other laws and those needed for the PDPA, creating or updating data protection plans to align with the new mandatory breach notification requirements, and initiating data protection impact assessments in light of changes like the expansion of deemed consent. A helpful resource for compliance will be the PDPA advisory guidelines, which shed light on how the PDPC will handle alleged violations and can guide internal policymaking decisions for organizations. After the increased penalties become effective, it is crucial to monitor how strictly the PDPC interprets violations and levies fines for non-compliance.