Joint Press Release by MCI and PDPC
MCI AND PDPC LAUNCH ONLINE PUBLIC CONSULTATION ON PERSONAL DATA PROTECTION (AMENDMENT) BILL 2020
The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) today launched an online public consultation on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act (SCA). These proposed amendments aim to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.
2. This is the first comprehensive review since the enactment of the PDPA in 2012 to ensure that it continues to keep pace with technological advances, new business models and global developments in data protection legislation. The key proposed amendments include the introduction of a mandatory breach notification requirement, enhancement to the framework for the collection, use and disclosure of personal data, and the strengthening of PDPC’s enforcement powers. They also incorporate recommendations from the Public Sector Data Security Review Committee to ensure the accountability of third parties handling Government personal data and introduce offences for egregious mishandling of personal data.
3. MCI/PDPC held three public consultations¹ on the key policy proposals between 2017 and 2019, and have taken into consideration the feedback received for the proposed amendments to the PDPA and the SCA. This public consultation seeks feedback on the draft Personal Data Protection (Amendment) Bill, which includes related amendments to the SCA.
4. PDPC’s Deputy Commissioner, Mr Yeong Zee Kin, said, “Our daily activities in an increasingly connected and competitive Digital Economy generate a large amount of data – including in recent weeks when many interactions have shifted online. Organisations that wish to thrive in this dynamic and evolving environment must move beyond traditional ‘check box’ compliance-based approach to adopt an accountability approach. To help organisations in their journey towards accountability, we have introduced a number of tools for organisations to adopt responsible data protection measures. The public’s trust in organisations’ management of their data is especially important when digital services such as e-commerce are becoming increasingly prevalent. The amendments which MCI/PDPC are introducing to the PDPA will support our organisations’ efforts as they transform and grow in the Digital Economy to better serve consumers.”
5. The key amendments that MCI/PDPC are inviting feedback on include:
a) Accountability of organisations
- Mandatory data breach notification requirement: Organisations will be required to notify PDPC of a data breach that (i) results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates (“affected individuals”); or (ii) is of a significant scale. Organisations will also be required to notify the affected individuals if the data breach is likely to result in significant harm to them.
b) Meaningful consent
- Expand deemed consent: To facilitate the use and processing of personal data for reasonable business purposes, the concept of ‘deemed consent’ will be expanded to cover circumstances where: i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or ii) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out.
- New exceptions for legitimate interests and business improvement: To cater to situations where there are larger public or systemic benefits where obtaining individuals’ consent may not be appropriate, organisations will be able to collect, use or disclose personal data for legitimate interests. MCI/PDPC will also make it clearer that organisations can use personal data properly collected for business improvement purposes.
c) Consumer autonomy
- Data portability: With the new Data Portability Obligation, individuals will be able to request for a copy of their personal data to be transmitted to another organisation. This will enable consumers to switch to new service providers more easily. It will also support the development of new and innovative services/applications as organisations can have more access to data.
- Expanded protection from unsolicited messages: Sending of unsolicited messages to telephone numbers through the use of dictionary attacks and address harvesting software will be prohibited under the PDPA’s Do Not Call Provisions. The SCA will also be amended to cover commercial text messages sent to Instant Messaging accounts and in bulk.
d) Effectiveness of PDPC’s enforcement
- Enhanced enforcement powers: To serve as a stronger deterrent, financial penalties for organisations that breach the PDPA will be increased to up to 10% of their annual turnover or S$1 million, whichever is higher².
6. The public consultation document and procedures for submission of feedback are available on MCI’s website https://www.mci.gov.sg/public-consultations/open from 14 May 2020. All submissions shall reach MCI/PDPC no later than 28 May 2020, 5pm.
Annex A: Public Consultation Document
Annex B: Personal Data Protection (Amendment) Bill 2020
¹ Three public consultations on MCI/PDPC’s key proposals for the review of the PDPA and SCA were conducted between 2017 and 2019. In these public consultations, MCI/PDPC proposed to introduce, amongst others, (i) deemed consent by notification; (ii) ‘legitimate interests’ exception to consent for collecting, using and disclosing personal data; (iii) mandatory data breach notification; (iv) Data Portability Obligation; and (v) an exception to consent for the use of personal data for ‘business improvement’ purposes. The review also considered the SCA, which was enacted in 2007 to combat spam, with the view to ensuring a technology-neutral approach towards regulating unsolicited commercial electronic (i.e. email and text) messages sent in bulk.
² Companies are currently liable for financial penalties of up to S$1 million.