Singapore updates data protection law to exclude user consent for ‘legitimate’ business purposes
Singapore has updated its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allow for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million.
The changes were passed in parliament Monday, some 12 years after the legislation was introduced in October 2012. The Act is administered by the Personal Data Protection Commission (PDPC).
In his speech discussing the amendments, Singapore’s Communications and Information Minister S. Iswaran said data was a key economic asset in the digital economy, providing valuable insights that informed businesses and generating efficiencies.
It also empowered innovation and enhanced products, and was a critical resource for emerging technologies such as artificial intelligence (AI) that held transformative potential, Iswaran said.
Singapore’s regulatory architecture, therefore, must evolve and keep pace with these shifts, he noted. Pointing to efforts in establishing digital economy agreements, he said such initiatives positioned the Asian nation as “a key node in the global network of digital flow and transactions”.
The amendments to the PDPA would ensure its legislation regime was “fit for purpose” for a digital economy with a complex data landscape, he said, adding that this must be built on trust. Consumers must have confidence their personal data would be secure and used responsibly, even as they benefitted from digital opportunities and data-driven services, the minister said.
Companies also needed certainty to harness personal data for legitimate business purposes with the requisite safeguards and accountability, Iswaran said.
He noted that the amendments sought to strike a balance to maximise the benefit and minimise the risk of collecting and using personal data.
Amongst the key changes is the “exceptions to the consent” requirement, which now allows businesses to use, collect, and disclose data for “legitimate purposes”, business improvement, and a wider scope of research and development. In addition to existing consent exceptions that include for the purposes of investigations and responding to emergencies, these also now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments.
In addition, further amendments defined under “deemed consent” to PDPA now would permit organisations to share data with external contractors for the purpose of fulfilling customer contracts. This catered to “modern commercial arrangements” and essential purposes including security, he said.
Businesses also would be able to use data without consent to facilitate research and development (R&D) that might not yet be marked for productisation.
Iswaran explained that this could apply to research institutes running scientific R&D or educational institutes taking on social sciences research, as well as enterprises carrying out market research to identify and understand potential customer segments.
All other purposes outside of “deemed” and “exceptions” to consent, such as direct marketing messages, still would require prior consent from consumers.
Organisations that experienced data breaches and faced potential financial penalties, now might have to fork out heftier sums under an amendment that allowed for fines of up to 10% of a company’s annual turnover, or SG$1 million ($735,490), whichever was higher. Financial penalties previously were capped at SG$1 million.
Amendments also had been introduced to give consumers greater autonomy over data generated by their use of services an dmore control over how they received commercial communications.
A new data portability obligation would allow individuals to request for copy of their data to be transmitted to another organisation. This was expected to spur competition and benefit consumers by encouraging the development of substitute or normal services.
Because it was a relatively new concept in Singapore, Iswaran said data portability would be rolled out in phases. More details would be announced at a later stage, including the categories of data that should be portable as well as other technical and consumer protection guidelines.
Several Members of Parliament expressed concerns that the amendments, specifically with regards to exceptions and deemed consent, would be too broad and might be abused by organisations.
“Legitimate interests”, for instance, could be viewed from an organisation’s perspective and its assessment subjective when considering whether these interests outweighed potential adverse effects on an individual, which was a requirement outlined in the amendment.
In response, Iswaran said the use of data under deemed or exception to consent would be tagged with safeguards, such as requiring companies to perform risk assessments in determining what was “legitimate” and putting clear limits on how the data could be used.
“[To tap the exceptions consent], organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use, or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual,” he said, adding that the PDPC would outlined guidelines on how companies should carry out the risk assessment.
He added that individuals still could withdraw consent even after the opt-out period.
In summing up the objectives of the amendments, the minister said a “delicate balance” was critical because overcorrecting would result in an erosion of consumer trust, while going the other direction would shackle businesses and diminish the benefits on innovation and economy the government hoped to achieve.
Noting that legislations were not “panacea” and could not eliminate the risk of data breaches, Iswaran said Singapore must remain nimble and interoperable
Laws must be complemented with good practices and these must evolve over time, he added. He urged the need for everyone to play a role and take responsibility for maintaining the security and usability of the country’s data regime.
He said the government formulated and enforced rules, and aimed to adapt to changing market conditions to ensure Singapore remained relevant amidst new digital requirements. Businesses, too, should recognise it was in their own interests to support a robust data regime and differentiate themselves with their data policy.
Consumers also should assume responsibility for their own data and, ultimately, had the choice of opting out anytime.
According to the minister, the PDPC last year investigated 185 cases involving data breaches and issued 58 decisions. It ordered 39 organisations to pay SG$1.7 million in penalties, including the highest fines of SG$750,000 and SG$250,000, which were meted out to Integrated Health Information Systems and Singapore Health Services, respectively.
