Webinar Invitation: Proposed Amendments to the Personal Data Protection Act 2012 (PDPA)

Webinar Invitation: Proposed Amendments to the Personal Data Protection Act 2012 (PDPA)
22 May 2020


The Ministry of Communications and Information (“MCI”) and the Personal Data Protection Commission (“PDPC”) in Singapore have recently reviewed the PDPA to ensure it keeps pace with regulatory developments in personal data protection. A public consultation paper on the draft Personal Data Protection (Amendment) Bill ("Draft Bill") was issued on 14 May 2020 to gather feedback from the public on several proposed amendments to the PDPA.

Eversheds Harry Elias LLP will be holding a webinar to discuss these proposed amendments. In our webinar, we will also be having our network of experts from selected countries such as Malaysia, Indonesia, and the Philippines to share their views on how topics such as mandatory data breach reporting and data portability are managed in their jurisdictions. We will also comment on the differences between the proposed mandatory data breach reporting amendments with that of the EU’s General Data Protection Regulation.

Summary of PDPA Proposed Amendments

The proposed amendments to the PDPA fall into 4 general categories.

1. Strengthening Accountability

To emphasize that organisations are accountable for personal data in their possession or under their control, and are expected to be able to demonstrate compliance, a Mandatory Data Breach Notification Requirement has been proposed.

Under this requirement, organisations will need to notify PDPC of a data breach that (i) results in, or is likely to result, in significant harm to the individuals to whom any personal data affected by a data breach relates; or (ii) is of a significant scale. Organisations will also need to notify affected individuals if the data breach is likely to result in significant harm to them.

2. Enabling Meaningful Consent

To ensure meaningful consent by individuals and accountability requirements to safeguard individuals’ interests, it is proposed that "Deemed Consent" under s 15 of the PDPA be expanded to include:

  1. Deemed consent by Contractual Necessity, where consent is deemed to be given if it is reasonably necessary for the conclusion or performance of a contract/transaction.
  2. Deemed consent by Notification, where the organization provides appropriate notification to the individual and the individual did not opt-out.

Organisations may also collect, use, or disclose personal data without the individual's consent if it falls under either of the following exceptions:

  1. Legitimate interests exception.
  2. Business improvement exception.
  3. Research exception

3. Increasing Consumer Autonomy

A new Data Portability Obligation will be introduced to allow an individual to request that an organisation transmit his/her personal data in its organization’s possession or control to another organisation. This allows individuals to switch to new service providers more easily and spurs organisations to develop innovative data-driven applications that will benefit consumers and support the growth of the Digital Economy.

There will also be expanded Protection from Unsolicited Commercial Messages where the use of dictionary attacks and address harvesting software will be prohibited under the Do Not Call (DNC) Provisions. Further, the Spam Control Act will be amended to cover commercial text messages sent to Instant Messaging accounts and in bulk.

4. Strengthening the Effectiveness of Enforcement

For data breaches, PDPC has increased the financial penalty to (i) up to 10% of an organization’s annual gross turnover in Singapore; or (ii) S$1 million, whichever is higher.


With the introduction of these proposed amendments, what are the potential consequences and implications on an organization’s business? What are some measures that organisations should take to adapt to and comply with the new requirements and standards?

How do Singapore's potential new requirements and standards differ from that of the EU's General Data Protection Regulation (GDPR)? How do they compare with those of Malaysia, Indonesia, and the Philippines? How should organisations with cross-border concerns design their personal data protection policies in accordance with the relevant jurisdiction's requirements and standards?

Eversheds Harry Elias LLP invites you to a webinar on 11 June 2020 (Thursday), 2 – 3 pm, where we can discuss with you the following:

  • A brief overview of the new PDPA amendments and how it will impact your organisation;
  • Comparison of the proposed mandatory data breach notification obligation and the new range of penalties with EU’s GDPR;
  • Comments from our experts from Malaysia, Indonesia, and the Philippines on the proposed amendments; and 
  • Updating your data breach - cybersecurity policies to comply with the new legal framework for mandatory data breach reporting.


Please register here to indicate your interest. Only registered participants will be admitted to the webinar. Additional speakers may be included from other jurisdictions. Slots are limited up to 100 participants. 


K. K. Lim

Head, Cybersecurity, Privacy & Data Protection, Eversheds Harry Elias


T: +65 94566191

KK heads the firm’s Cybersecurity, Privacy and Data Protection Practice Group. He has more than 25 years of experience in technology advisory and commercial matters, with a focus in representing clients and advising matters involving privacy and data protection, cybersecurity, mobile security, audit, and compliance advisory.

Janice Lee

Foreign Legal Associate, Eversheds Harry Elias


+65 6361 9821

For more information, please contact our Business Development Manager, Ricky Soetikno at rickysoetikno@eversheds-harryelias.com