Joint Press Release by MCI and PDPC

MCI AND PDPC LAUNCH ONLINE PUBLIC CONSULTATION ON PERSONAL DATA PROTECTION (AMENDMENT) BILL 2020

The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) today launched an online public consultation on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act (SCA). These proposed amendments aim to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.

2. This is the first comprehensive review since the enactment of the PDPA in 2012 to ensure that it continues to keep pace with technological advances, new business models and global developments in data protection legislation. The key proposed amendments include the introduction of a mandatory breach notification requirement, enhancement to the framework for the collection, use and disclosure of personal data, and the strengthening of PDPC’s enforcement powers. They also incorporate recommendations from the Public Sector Data Security Review Committee to ensure the accountability of third parties handling Government personal data and introduce offences for egregious mishandling of personal data.

3. MCI/PDPC held three public consultations1 on the key policy proposals between 2017 and 2019, and has taken into consideration the feedback received for the proposed amendments to the PDPA and the SCA. This public consultation seeks feedback on the draft Personal Data Protection (Amendment) Bill, which includes related amendments to the SCA.

4. PDPC’s Deputy Commissioner, Mr Yeong Zee Kin, said, “Our daily activities in an increasingly connected and competitive Digital Economy generate a large amount of data – including in recent weeks when many interactions have shifted online. Organisations that wish to thrive in this dynamic and evolving environment must move beyond traditional ‘check box’ compliance-based approach to adopt an accountability approach. To help organisations in their journey towards accountability, we have introduced a number of tools for organisations to adopt responsible data protection measures. The public’s trust in organisations’ management of their data is especially important when digital services such as e-commerce are becoming increasingly prevalent. The amendments which MCI/PDPC are introducing to the PDPA will support our organisations’ efforts as they transform and grow in the Digital Economy to better serve consumers.” 

Public Consultation

5. The key amendments that MCI/PDPC are inviting feedback on include: 

a) Accountability of organisations

  • Mandatory data breach notification requirement: Organisations will be required to notify PDPC of a data breach that results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates to (“affected individuals”); or (ii) is of a significant scale. Organisations will also be required to notify the affected individuals if the data breach is likely to result in significant harm to them. 

b) Meaningful consent 

  • Expand deemed consent: To facilitate the use and processing of personal data for reasonable business purposes, the concept of ‘deemed consent’ will be expanded to cover circumstances where: i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or ii) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out.

  • New exceptions for legitimate interests and business improvement: To cater to situations where there are larger public or systemic benefits where obtaining individuals’ consent may not be appropriate, organisations will be able to collect, use or disclose personal data for legitimate interests.  MCI/PDPC will also make it clearer that organisations can use personal data properly collected for business improvement purposes.   

c) Consumer autonomy

  • Data portability: With the new Data Portability Obligation, individuals will be able to request for a copy of their personal data to be transmitted to another organisation. This will enable consumers to switch to new service providers more easily. It will also support the development of new and innovative services/applications as organisations can have more access to data. 
  • Expanded protection from unsolicited messages: Sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software will be prohibited under the PDPA’s Do Not Call Provisions. The SCA will also be amended to cover commercial text messages sent to Instant Messaging accounts and in bulk.

d) Effectiveness of PDPC’s enforcement

  • Enhanced enforcement powers: To serve as a stronger deterrent, financial penalties for organisations that breach the PDPA will be increased to up to 10% of their annual turnover or S$1 million, whichever is higher2

6. The public consultation document and procedures for submission of feedback are available on MCI’s website https://www.mci.gov.sg/public-consultations/open from 14 May 2020. All submissions shall reach MCI/PDPC no later than 28 May 2020, 5pm.


Annex A: Public Consultation Document
Annex B: Personal Data Protection (Amendment) Bill 2020


--------------------------------------------------------------------------------------------------------------------------
1  Three public consultations on MCI/PDPC’s key proposals for the review of the PDPA and SCA were conducted between 2017 and 2019. In these public consultations, MCI/PDPC proposed to introduce, amongst others, (i) deemed consent by notification; (ii) ‘legitimate interests’ exception to consent for collecting, using and disclosing personal data; (iii) mandatory data breach notification; (iv) Data Portability Obligation; and (v) an exception to consent for the use of personal data for ‘business improvement’ purposes. The review also considered the SCA, which was enacted in 2007 to combat spam, with the view to ensuring a technology-neutral approach towards regulating unsolicited commercial electronic (i.e. email and text) messages sent in bulk. 
2  Companies are currently liable for financial penalties of up to S$1 million. 

Opening Speech by Mrs Josephine Teo, Minister for Communications and Information, at the Official Opening of the National Integrated Centre for Evaluation, on 18 May 2022 Speeches Cyber Security 18 May 22
Speech by Dr Janil Puthucheary, Senior Minister of State for Communications and Information, at the MOU Signing between Singapore Women in Tech and Polytechnics and launch of Cross-Polytechnic Girls in Tech Committee, on 13 May 2022 Speeches Infocomm Media 13 May 22
Opening Address by Dr Janil Puthucheary, Senior Minister of State for Communications and Information, at Inaugural Association of Information Security Professionals (AISP) Internet-of-Things (IOT) Innovation Day 2022 Speeches Infocomm Media 11 May 22
MCI response to PQ on Tracking of Local Companies which Experienced Cyber Attacks over Past Two Years and Measure to Equip Companies with Capabilities to Enhance Cyber Resilience Parliament QAs Cyber Security 09 May 22
MCI response to PQ on Annual Projected Growth of Freelancers in Infocomms Technology and Media Industries from 2022 to 2025 Parliament QAs Infocomm Media 09 May 22
MCI response to PQ on Number of Overseas Scam Calls Reported in 2021 and 2022 and Viability of Call Blocking Option for Users Parliament QAs Cyber Security 09 May 22