Some of the key changes to the Personal Data Protection Act 2012 (“PDPA”) took effect on 1 February 2021. These include a mandatory breach notification regime and new consent exceptions, including an exception which may apply if an organisation has legitimate interests in the collection, use or disclosure of the personal data and the legitimate interests of the organisation or other person outweigh any likely adverse effect on the individual.
The Personal Data Protection (Amendment) Bill was passed by the Singapore Parliament on 2 November 2020, with the changes set to take effect in phases. The first phase of these changes took effect from 1 February 2021.
Changes which have already taken effect as of 1 February 2021
- Mandatory breach notification
One of the key changes which has now taken effect is the introduction of the mandatory data breach notification requirement. If a data breach is notifiable, the Personal Data Protection Commission (“PDPC”) must be notified. If certain reporting thresholds are met, the affected individuals must also be notified.
- New deemed consent and consent exceptions
Consent is required for collecting, using or disclosing an individual’s personal data. The individual must also be notified of the purpose(s) for which an organisation is collecting, using or disclosing the individual’s personal data on or before such collection, use or disclosure of the personal data. Consent may be given expressly or impliedly by individuals. An individual may also be deemed to have given consent under the PDPA in 3 ways: (a) deemed consent by conduct; (b) deemed consent by contractual necessity; or (c) deemed consent by notification (as the case may be).
The following changes have not yet taken effect as of 1 February 2021, but are expected to become effective in the near future:
- Increased financial penalties for contravention of PDPA
The maximum penalty imposed on organisations for breaches of certain key obligations under the PDPA will be increased to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. The increased financial penalties are expected to take effect on a future date to be notified, and no earlier than 1 February 2022.
- Right to data portability
The recent amendments have also introduced provisions which require an organisation to, at the request of an individual, transmit an individual’s personal data that is in the organisation’s possession or under its control to another organisation in accordance with the prescribed requirements in the PDPA. These provisions, which are found under the new Part VIB, have yet to come into effect.