Webinar Invitation: Proposed Amendments to the Personal Data Protection Act 2012 (PDPA)

Webinar Invitation: Proposed Amendments to the Personal Data Protection Act 2012 (PDPA)
08 Jun 2020


The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) in Singapore have recently reviewed the PDPA to ensure it keeps pace with regulatory developments in personal data protection. A public consultation paper on the draft Personal Data Protection (Amendment) Bill (Draft Bill) was issued on 14 May 2020 to gather feedback from the public on several proposed amendments to the PDPA.

Eversheds Harry Elias LLP will be holding a webinar to discuss these proposed amendments. In our webinar, we will also be having our network of experts from selected countries such as Indonesia, Malaysia and the Philippines to share their views on how topics such as mandatory data breach reporting and data portability are managed in their jurisdictions. We will also comment on the differences between the proposed mandatory data breach reporting amendments with that of the EU’s General Data Protection Regulation.

Summary of PDPA Proposed Amendments

The proposed amendments to the PDPA fall into 4 general categories.

1. Strengthening Accountability

To emphasize that organisations are accountable for personal data in their possession or under their control, and are expected to be able to demonstrate compliance, a Mandatory Data Breach Notification Requirement has been proposed.

Under this requirement, organisations will need to notify PDPC of a data breach that (i) results in, or is likely to result, in significant harm to the individuals to whom any personal data affected by a data breach relates; or (ii) is of a significant scale. Organisations will also need to notify affected individuals if the data breach is likely to result in significant harm to them.

2. Enabling Meaningful Consent

To ensure meaningful consent by individuals and accountability requirements to safeguard individuals’ interests, it is proposed that "Deemed Consent" under s 15 of the PDPA be expanded to include:

  1. Deemed consent by Contractual Necessity, where consent is deemed to be given if it is reasonably necessary for the conclusion or performance of a contract/transaction.
  2. Deemed consent by Notification, where the organization provides appropriate notification to the individual and the individual did not opt-out.

Organisations may also collect, use, or disclose personal data without the individual's consent if it falls under either of the following exceptions:

  1. Legitimate interests exception.
  2. Business improvement exception.
  3. Research exception.

3. Increasing Consumer Autonomy

A new Data Portability Obligation will be introduced to allow an individual to request that an organisation transmit his/her personal data in its organization’s possession or control to another organisation. This allows individuals to switch to new service providers more easily and spurs organisations to develop innovative data-driven applications that will benefit consumers and support the growth of the Digital Economy.

There will also be expanded Protection from Unsolicited Commercial Messages where the use of dictionary attacks and address harvesting software will be prohibited under the Do Not Call (DNC) Provisions. Further, the Spam Control Act will be amended to cover commercial text messages sent to Instant Messaging accounts and in bulk.

4. Strengthening the Effectiveness of Enforcement

For data breaches, PDPC has increased the financial penalty to (i) up to 10% of an organization’s annual gross turnover in Singapore; or (ii) S$1 million, whichever is higher.



With the introduction of these proposed amendments, what are the potential consequences and implications on an organization’s business? What are some measures that organisations should take to adapt to and comply with the new requirements and standards?

How do Singapore's potential new requirements on data breach notification differ from that of the EU's General Data Protection Regulation (GDPR)? How do they compare with those of Indonesia, Malaysia and the Philippines? How should organisations with cross-border concerns design their personal data protection policies in accordance with the relevant jurisdiction's requirements and standards?

Eversheds Harry Elias LLP invites you to a webinar on 11 June 2020 (Thursday), 2 – 3 pm, where we can discuss with you the following:

  • A brief overview of the new PDPA amendments and how it will impact your organisation;
  • Comparison of the proposed mandatory data breach notification obligation and the new range of penalties with EU’s GDPR;
  • Comments from our experts from Indonesia, Malaysia and the Philippines on the proposed amendments; and
  • Updating your data breach - cybersecurity policies to comply with the new legal framework for mandatory data breach reporting. 


Please register here. Only registered participants will be admitted to the webinar. Slots are limited up to 100 participants.


K. K. Lim

Head, Cybersecurity, Privacy & Data Protection, Eversheds Harry Elias


KK heads the firm’s Cybersecurity, Privacy and Data Protection Practice Group. He has more than 25 years of experience in technology advisory and commercial matters, with a focus in representing clients and advising matters involving privacy and data protection, cybersecurity, mobile security, audit, and compliance advisory.

Janice Lee

Foreign Counsel, Eversheds Harry Elias


A multi-qualified international arbitration counsel, Janice represents clients in their cross-border disputes involving M&A, construction and energy. She is particularly well-versed in SIAC and ICC arbitrations and specialises in complex, high-value disputes across multiple jurisdictions. Having practised for several years in the Philippines, Janice has specific experience in dealing with Southeast Asian clients with respect to their business concerns and regulatory needs, and representing multinational clients in complex commercial and public interest disputes.

Abadi Abi Tisnadisastra

Founding Partner, AKSET Law


Abi’s practice covers a broad range of corporate areas, including mergers & acquisitions, joint ventures, financing, capital markets and foreign investment. In past years, he has been involved in numerous acquisitions and investments in companies from a broad range of industries including banking, financial services, information technology and mobile payments, healthcare, construction, and real estate. He has a particular focus on financial services and information technology.

Suaran Singh

Partner, LAW Partnership


Suaran is a Partner in the Intellectual Property and Technology Practice Group. Suaran has extensive experience in all aspects of IP matters, information technology law, commercial law and personal data protection law. In addition, he regularly advices on legal matters in the fields of entertainment, media and communications. Suaran has been recognised as an “Up and Coming IP Lawyer Malaysia” in 2016, by Chambers Asia and is ranked Band 3 on the Chambers Asia-Pacific 2017.

JJ Disini

Managing Partner, Disini Law


JJ is one of the leading information and technology law experts in the Philippines today. His areas of expertise are litigation, intellectual property, licensing, privacy and data security, copyright, trademark registrations and technology transactions. He has represented local and foreign clients in corporate, project finance, securities, foreign investment, technology, and telecommunications, among others.



Formed in 1988, Harry Elias Partnership LLP has merged with Eversheds Sutherland in 2017 to be part of the international firm with a global reach supported by 69 offices. Eversheds Harry Elias LLP’s cybersecurity, privacy and data protection practice are present and/or worked with similar experts throughout the ASEAN region.

For more information, please contact our Business Development Manager, Ricky Soetikno at rickysoetikno@eversheds-harryelias.com