Introduction
This article explains how the Personal Data Protection (Amendment) Act 2020[1] (the “Amendment”) benefits the user in three areas: customer experience, safeguards, and transparency.
Firstly, the Amendment improves the customer experience in two ways:
(1) deemed consent by contractual necessity eliminates the hassle of clicking multiple checkboxes to express the user’s consent to the sharing of his personal data with sub-contractors;[2]
(2) the Amendment facilitates the transfer of user data from one platform to another, thereby ensuring a personalised experience for the consumer and spurring the development of novel services.[3]
Secondly, users enjoy stronger safeguards from data breaches because data cannot be ported at the expense of the user, and the enhanced penalties encourage organisations to strengthen their internal governance to manage users’ personal data more safely.[4]
Thirdly, users enjoy greater transparency because they will receive timely notifications about data breaches from businesses.[5]
Customer Experience
A. Convenient transactions
After the Amendment,[6] the user is deemed to have given his consent for the disclosure of personal data to third party organisations where it is reasonably necessary for the performance of a contract between the user and the organisation.[7]
For example, an online shopper can now consent to the collection of his personal data by the online retailer once, avoiding the hassle of agreeing to multiple checkboxes to express his consent to the disclosure of his personal data to the retailer’s delivery and payment subcontractors.[8]
B. Data Porting
By providing customers with the right to request for their data to be transmitted to another organisation, the data porting obligation improves customer experience by providing data to organisations to improve their goods and services and by spurring competition.[9] The Amendment to the PDPA facilitates the porting of applicable data of individuals to organisations that have a commercial relationship with those individuals.[10] The applicable data typically relates to individuals’ user activity data or user-provided data.[11] Hence, by giving businesses access to such data, they would be able to tailor their goods and services to their customers.
Secondly, since customers are no longer locked into a single service provider, the playing field for service providers becomes more equitable towards new players, thereby spurring the development of substitute as well as novel services.
Safeguards
A. Data Porting
However, in recognising the infancy of data porting in Singapore,[12] the Amendment has placed two guidelines on data porting to ensure personal data remains protected.
Firstly, the amended PDPA prohibits the porting of data if the porting organisation reasonably expects adverse consequences.[13] Such adverse consequences include whether the porting of data threatens the well-being of individuals or is against the national interest.[14] For instance, data porting may be prohibited to safeguard the well-being of an individual with compulsive buying disorder because data porting makes online shopping more addictive by improving algorithms that generate online advertisements.[15]
Secondly, organisations are not required to port the user’s data if porting would be disproportionate to the individual’s interests.[16]
B. Protection of Personal Data
The Amendment adds an additional requirement for organisations to ensure that security measures exist to protect physical storage devices.[17]
First, organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks of personal data.[18]
Second, organisations are also now required to make reasonable security arrangements to prevent the loss of any storage or medium device that stores personal data in its possession or under its control.[19]
C. Enhanced Penalties
Generally, any contravention of the PDPA will result in a financial penalty of up to $1 million.[20] However, in recognising that organisations that are privy to personal data are normally wealthy organisations or individuals, the Amendment has increased the $1 million threshold for certain situations.[21]
Specifically, if the annual turnover of an organisation exceeds $10 million, the maximum penalty that can be imposed will be 10% of its annual turnover while if the annual turnover of an individual exceeds $20 million, the maximum penalty that can be imposed will be 5% of that individual’s annual turnover.[22] Moreover, even a negligent contravention of the PDPA will attract financial penalties, further cementing the deterrent effect of mishandling personal data.[23]
In addition to the enhanced financial penalties, certain contraventions of the PDPA may even lead to imprisonment. The Amendment has made it an offence for unauthorised use or disclosure of personal data, or unauthorised re-identification of anonymised information.[24] The amended PDPA also penalises organisations for the circulation of false requests for data porting on behalf of the individual.[25]
Transparency
A. Notifiable Data Breaches
Users will now be notified of any data breaches that put them at risk of significant harm.[26] Some potential categories of data which will be considered likely to subject the user to significant harm are as follows:
Timely notifications empower the user to protect his data because they provide clear steps he can take to prevent the data from being abused such as changing his password.[29]
Conclusion
In conclusion, the amended PDPA provides organisations with options to access customer data apart from the existing consent-based ones, thereby allowing them to provide better customer service to users.
At the same time, users can be reassured that the greater accessibility of their data is accompanied by a more stringent set of guidelines to enforce accountability on the part of organisations.
Footnotes
[1] Personal Data Protection (Amendment) Act 2020 (No.40 of 2020) (“PDPAA”).
[2] Singapore Parliamentary Debates, Official Report (2 November 2020) vol 95; Sitting No 11 (S Iswaran, The Minister for Communications and Information).
[3] Ibid.
[4] Ibid.
[5] Ibid.
[6] PDPAA, supra n 1.
[7] Id, at s 6.
[8] Singapore Parliamentary Debates, Official Report (2 November 2020) vol 95; Sitting No 11 (Jasmine Tan Soon Neo, MP for East Coast GRC).
[9] Singapore Parliamentary Debates, Official Report (2 November 2020) vol 95; Sitting No 11 (Jasmine Tan Soon Neo, MP for East Coast GRC).
[10] PDPAA, supra n 1, at s 14.
[11] Ibid.
[12] Singapore Parliamentary Debates, Official Report (2 November 2020) vol 95; Sitting No 11 (Louis N Kok Kwang, MP for Nee Soon GRC).
[13] PDPAA, supra n 1, at s 14.
[14] Ibid.
[15] Singapore Parliamentary Debates, Official Report (2 November 2020) vol 95; Sitting No 11 (Chua Kheng Wee Louis, MP for Sengkang GRC).
[16] PDPAA, supra n 1, at s 39.
[17] PDPAA, supra n 1, at s 12.
[18] Ibid.
[19] Ibid.
[20] Id, at s 23.
[21] Ibid.
[22] Id, at s 24.
[23] Id, at s 23.
[24] Id, at s 21.
[25] Id, at s 27.
[26] PDPAA, supra n 1, at s 13.
[27] Public Data Protection Commission website <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Draft-AG-on-Key-Provisions/Draft-Advisory-Guidelines-on-Key-Provisions-of-the-PDP-(Amendment)-Bill-(20-Nov-2020).pdf?la=en> (accessed 28 December 2020).
[28] Ibid.
[29] Public Data Protection Commission website <https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-to-Managing-Data-Breaches-2-0.pdf?la=en> (accessed 24 January 2021).
This article is written by An Ye Qi and Ng Jing Jie – Year 1 LL.B. students, Yong Pung How School of Law, Singapore Management University – from SMU Lexicon; and edited by Petrissia Teo from Asia Law Network.
This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practicing lawyer in your jurisdiction. No individual who is a member, partner, shareholder or consultant of, in or to any constituent part of Interstellar Group Pte. Ltd. accepts or assumes responsibility, or has any liability, to any person in respect of this article.