Singapore updates data protection law to exclude user consent for 'legitimate' business purposes
Singapore has updated its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allow for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million.
The changes were passed in Parliament on Monday, some eight years after the legislation was introduced in October 2012. The Act is administered by the Personal Data Protection Commission (PDPC).
In his speech discussing the amendments, Singapore's Communications and Information Minister S. Iswaran said data was a key economic asset in the digital economy as it provides valuable insights that inform businesses and generate efficiencies.
It will also empower innovation and enhance products, and will be a critical resource for emerging technologies such as artificial intelligence (AI) that hold transformative potential, Iswaran said.
Singapore's regulatory architecture, therefore, must evolve and keep pace with these shifts, he noted. Pointing to efforts in establishing digital economy agreements, he said such initiatives positioned the Asian nation as "a key node in the global network of digital flow and transactions".
The amendments to the PDPA are also aimed at ensuring its legislation regime is "fit for purpose" for a digital economy with a complex data landscape, he said, adding that laws must be built on trust. Consumers must have confidence their personal data is secure and used responsibly, even as they benefit from digital opportunities and data-driven services, the minister added.
Companies also need certainty to harness personal data for legitimate business purposes with the requisite safeguards and accountability, Iswaran said.
He noted that the amendments sought to strike a balance to maximise the benefit and minimise the risk of collecting and using personal data.
Amongst the key changes is the "exceptions to the consent" requirement, which now allows businesses to use, collect, and disclose data for "legitimate purposes", business improvement, and a wider scope of research and development. In addition to existing consent exceptions that include for the purposes of investigations and responding to emergencies, these also now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments.
In addition, further amendments defined under "deemed consent" to PDPA will now permit organisations to share data with external contractors for the purpose of fulfilling customer contracts. This caters to "modern commercial arrangements" and essential purposes including security, he said.
Businesses will also be able to use data without consent to facilitate research and development (R&D) that might not yet be marked for productisation.
Iswaran explained that this could apply to research institutes running scientific R&D or educational institutes taking on social sciences research, as well as enterprises carrying out market research to identify and understand potential customer segments.
All other purposes outside of "deemed" and "exceptions" to consent, such as direct marketing messages, will still require prior consent from consumers.
Organisations that experience data breaches and face potential financial penalties, now might have to fork out heftier sums under an amendment that allows for fines of up to 10% of a company's annual turnover, or SG$1 million ($735,490), whichever is higher. Financial penalties previously were capped at SG$1 million.
Amendments have also been introduced to give consumers greater autonomy over data generated by their use of services and more control over how they receive commercial communications.
A new data portability obligation allows individuals to request for copy of their data to be transmitted to another organisation. This is expected to spur competition and benefit consumers by encouraging the development of substitute or normal services.
Because it was a relatively new concept in Singapore, Iswaran said data portability would be rolled out in phases. He said more details would be announced at a later stage, including the categories of data that should be portable as well as other technical and consumer protection guidelines.
Several Members of Parliament expressed concerns that the amendments, specifically with regards to exceptions and deemed consent, were too broad and might be abused by organisations.
"Legitimate interests", for instance, could be viewed from an organisation's perspective and its assessment subjective when considering whether these interests outweighed potential adverse effects on an individual, which was a requirement outlined in the amendment.
In response, Iswaran said the use of data under deemed or exception to consent would be tagged with safeguards, such as requiring companies to perform risk assessments in determining what was "legitimate" and putting clear limits on how the data could be used.
"[To tap the exceptions consent], organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use, or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual," he said, adding that the PDPC would outlined guidelines on how companies should carry out the risk assessment.
He added that individuals could still withdraw consent even after the opt-out period.
In summing up the objectives of the amendments, the minister said a "delicate balance" was critical because overcorrecting would result in an erosion of consumer trust, while going the other direction would shackle businesses and diminish the benefits on innovation and economy the government hoped to achieve.
Noting that legislation is not "panacea" and cannot eliminate the risk of data breaches, Iswaran said Singapore must remain nimble and interoperable.
Laws must be complemented with good practices and these must evolve over time, he added. He urged the need for everyone to play a role and take responsibility for maintaining the security and usability of the country's data regime.
He said the government formulated and enforced the rules as part of efforts to adapt to changing market conditions to ensure Singapore remains relevant amidst new digital requirements. Businesses, too, should recognise it is in their own interests to support a robust data regime and differentiate themselves with their data policy.
Consumers should also assume responsibility for their own data and, ultimately, have the choice of opting out anytime.
According to the minister, the PDPC last year investigated 185 cases involving data breaches and issued 58 decisions. It ordered 39 organisations to pay SG$1.7 million in penalties, including the highest fines of SG$750,000 and SG$250,000, which were meted out to Integrated Health Information Systems and Singapore Health Services, respectively.
RELATED COVERAGE
- Singapore updates guidelines on data breach notification and accountability
- Singapore opens up access to citizen data to facilitate business transactions
- Singapore sets up committee to review public sector data security, but stands firm on PDPA exemption
- Singapore must be tougher on firms that treat security as value-add service
- Singapore touts open platforms in smart nation drive, acknowledges need to do better in security
- Cyber accounts for 26% of all crimes in Singapore
- Most Singapore firms still can't keep up with security patches