Earlier this month, the Personal Data Protection (Amendment) Bill was read for the first time in Singapore’s Parliament. As we reported previously, in May 2020, Singapore’s Ministry of Communications and Information (“MCI”) and Personal Data Protection Commission (“PDPC”) launched an online public consultation on a draft bill which proposed long-awaited amendments to Singapore’s Personal Data Protection Act 2012 (the “PDPA”), including mandatory data breach notification obligations.

The MCI and PDPC have now released a statement highlighting amendments to the Bill made in response to feedback from the public consultation, including an increase in possible fines for breaches of the new law from 1% to 10% of annual turnover in Singapore, although still subject to an overall cap of S$1 million. We cover the main changes here:

1) Increased Financial Penalty Cap:

Currently, the PDPC can impose fines up to S$1 million for violations of the Act. The original draft bill proposed increased maximum penalties of up to the greater of 1% of annual gross turnover in Singapore or S$1 million. The Bill now goes a step further and proposes a maximum financial penalty of the greater of 10% of annual gross turnover in Singapore or S$1 million. The higher cap is intended to be a stronger deterrent, improve organisations’ accountability and provide the PDPC with increased flexibility to ensure fines reflect the seriousness of a breach. Notably, the cap remains significantly below the GDPR maximum fine of the higher of €20 million (roughly S$31,175,000) or 4% of annual worldwide turnover.

2) Business Improvement as a new basis for processing personal data:

The original draft bill proposed business improvement (i.e. to allow companies to process personal data in order to improve operational efficiency and improve their products and services) as an alternative to consent as a basis for processing personal data.

The Bill clarifies that the business improvement exception could only be relied upon by organisations within the same corporate group, and that the processing of personal data under that exception would have to satisfy the following conditions:

  • The purpose of the data processing must not be reasonably achievable without the use of personal data in an individually identifiable form;
  • The purpose must not be sending direct marketing messages;
  • The processing of personal data for the relevant business improvement purpose must be such that a reasonable person would consider it to be appropriate in the circumstances;
  • The disclosing and receiving organisations must be bound by a contract, agreement or corporate rules that require the receiving organisation to implement and maintain appropriate safeguards; and
  • The personal data collected or disclosed must relate to an individual who is an existing customer of the disclosing organisation and an existing or prospective customer of the receiving organisation.

3) Data Portability Right:

The Bill proposes to introduce the right for individuals to request that an organisation transmit a copy of their personal data to another organisation, as under the GDPR. This would, for example, help individuals switch between service providers. The data portability obligation would apply to requests from individuals who have an existing, direct relationship with organisations which have a presence in Singapore.

In a schedule to the Bill, the MCI and PDPC clarify the circumstances under which an organisation would not be required to port data. The porting organisation would not be required to transmit any of the following data:

  • opinion data kept to evaluate an individual or organisation;
  • any documents relating to prosecution, investigation or proceedings if such proceedings have not completed;
  • any personal data subject to legal privilege;
  • any personal data which would reveal confidential commercial information; and
  • derived personal data.

The porting organisation would also not be required to transmit any applicable data in the following circumstances:

  • the request will unreasonably interfere with the porting organisation because of repetitious or systematic requests;
  • the burden or expense is disproportionate to the individual’s interests;
  • the data is trivial, does not exist or cannot be found; or
  • the request is frivolous or vexatious.

Companies subject to the Bill when it comes into force may want to examine their current policies and procedures for dealing with individual rights requests to ensure they are able to field portability requests in the future.

4) Offences for mishandling personal data:

The Bill proposes new offences to hold individuals accountable for egregious mishandling of personal data. The proposed offences are for knowing or reckless unauthorised disclosure, use of personal data for personal gain or to cause harm to another person, and re-identification of anonymised data. A person convicted of such an offence would be liable to a fine not exceeding $5,000 or to imprisonment for a term not exceeding two years, or to both.

Feedback from the public consultation highlighted that the original draft bill was too broad and raised concerns about these offences deterring individuals from taking on roles which handle high volumes of data. In new advisory guidelines, the MCI and PDPC intend to clarify that the new offences are not intended to cover situations where the individuals are authorised as part of their employment to disclose, use or re-identify the data.

5) Business Asset Transactions:

The Bill allows parties contemplating a business asset transaction to share personal data of employees, customers, contractors, directors, officers, and shareholders of the target organisation. Feedback from the public consultation requested that this exception to consent as the basis for processing data go beyond the current scope (the sale of assets only) to include other similar corporate transactions, including transfers, amalgamations, joint ventures, mergers and acquisitions, disposals of assets or transfers of control. This expanded exception has been included in the Bill and will also apply to companies in the same corporate group.

The Bill represents a significant shift in Singaporean data protection law, drawing inspiration from approaches taken in other major jurisdictions, while trying to balance businesses’ interests in processing personal data against the need to establish a credible enforcement regime to encourage compliance and protect individuals’ rights.

The Bill will come into force after further readings in Parliament and upon the President’s assent, which is expected to be before the end of 2020.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, including regular advice to clients on privacy policies, online marketing practices and related matters.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Hilary Davidson is a corporate associate and a member of Debevoise's Mergers & Acquisitions Group. Ms. Davidson’s practice focuses on private M&A, with particular experience advising private equity clients. This has included advising on joint ventures, cross-border mergers and acquisitions and secondary and co-invest transactions. She can be reached at hdavidson@debevoise.com.