Understanding PDPA in a technologically advanced world

Understanding PDPA in a technologically advanced world
09 Mar 2021

Understanding PDPA in a technologically advanced world

The debate around data privacy and user transparency around the world is not new. If only, it has shined an unforgiving light on the consequences of a technologically advanced world, the recent being the backlash against instant chat platform WhatsApp for sharing data with parent company Facebook following a privacy update. Despite the global resistance and race to adopt safer options like Telegram and Signal, WhatsApp has chosen to go ahead with the move.  

Such privacy concerns have taken local netizens by storm too, made apparent by the issues that emerged around the use of data from the contact tracking app TraceTogether for criminal investigations. In early January 2021, Minister of State for Home Affairs Desmond Tan disclosed that data collected by TraceTogether is treated like any other data under Singapore's jurisdiction, which the police can leverage for criminal purposes. This led to public outcry and debate in parliament on the application of the Personal Data Protection Act (PDPA) on the use of TraceTogether data, prompting a bill that limits its use to only serious criminal investigations. This move was critical in assuring Singaporeans that the authorities respected the sensitivity of their personal data.

Alongside the inevitably of data privacy becoming a point of debate in today’s society is the level of awareness consumers have and their proactiveness in protecting themselves. With the PDPA governing provisions around personal data protection in Singapore, established and enforced by the Personal Data Protection Commission (PDPC), it is essential to dissect and make clear its roles, developments and lessons that can be gleaned as we strive for sturdier protection.

What is the PDPA?

Enacted on 20 November 2012, the PDPA is a framework set up to protect and enforce consumer privacy in ways that do not compromise the flexibility necessary for the success of innovative and data-driven applications and business models. Since its establishment, there has been a rapid acceleration in the role and adoption of information technology in the day-to-day life of Singaporeans, from cloud computing to data analytics. During which, the PDPA and its provisions become exceptionally critical to safeguarding public interests. Furthermore, breaches in essential sectors like healthcare and transport, alongside a series of data hacks across industries, reiterate the need for more secure systems and greater accountability within organisations. This calls for consistent reviewing of new technologies, their potential and consequences, and the amending of provisions to keep the law relevant.

What do the new PDPA amendments cover as of 1 February 2021

Recent amendments to the Act were instrumental in strengthening the effectiveness and efficacy of the law. A quick summary can be found below:

1. Mandatory data breach notification

Should there be a data breach, the impacted organisation must inform the PDPC and affected individuals on:

  1. the harm caused
  2. the likelihood of harm
  3. the scale of impact

2. Individual offences on the mishandling of data

Individuals will be found liable for mishandling of data by way of:

  1. reckless unauthorised disclosures
  2. use for illicit or wrongful means
  3. re-identification of anonymised data

The offences comprise fines not exceeding S$5,000 or jail for not more than two years, or both.

3. Expanded consent framework

To fully optimise the use of technologies, disclosure of data is often required with contingencies in place. To allow room for business innovation, the amendments expand the consent framework by introducing categories of deemed consent by way of:

  1. Contractual necessity: the disclosure of individual data to partners if it is necessary for the performance of the contract to the customer
  2. Notification: the organisation - only after assessing whether the collection, use and disclosure of data will adversely affect the individual - provides notification to the individual on the same with sufficient time to opt out AND the individual does not opt out

Exceptions to consent requirement:

  1. When there is a legitimate interest in collecting, using or disclosing personal data without consent, provided all assessments for adverse effects are made
  2. When there is a business improvement purpose, by way of operational efficiencies, enhancement of services/products and comprehending customer behaviours/preferences

In addition, the exceptions pertaining to research now require a clear public benefit; otherwise, the exception will not apply.

More changes to be expected

More changes to the PDPA will be rolled out in the coming months:

  1. Organisations to face increased financial penalties, which include up to 10% of annual turnover in Singapore should revenue exceed S$10 million, or S$1 million, whichever is higher.
  2. Individuals will have the right to data portability so organisations will have to hand over data in control to another organisation whenever requested.

Lessons to learn as we progress

As we understand the role of the PDPA and the amendments, a few key lessons are good to note:

  1. Given the newer challenges posed by the increasingly technology-savvy world, laws will have to change. This is essential to address unknown and unexpected consequences.
  2. Organisations will need to remain at the forefront of data security. This entails not just policies for safeguarding customer data but also ensuring employees are trained to effectively identify potential breaches and address them to the relevant organisational authorities. This will therefore aid in seamless notification to the PDPC.
  3. Organisations leveraging expanded consent framework must enact relevant measures to ensure there is no mistrust among consumers. This can include carefully and clearly worded terms in contracts, notifications and other material provided to the individual.
  4. As technologies can impact societies beyond borders, global governments must encourage information sharing to effectively design, implement, and reform protection systems and regulations. Such interoperability allows industry players, government agencies and lawmakers to consult as a global team and achieve the best outcomes for a host of similar issues.

If you need more guidance around the provisions of the PDPA for your business, our lawyers in Singapore can assist you. Book a consultation with us.

For more information, please contact our Business Development Manager, Ricky Soetikno, at [email protected].