Proposed changes strengthen Singapore’s data privacy law
By Paul Sutton, Vistra
Singapore is planning key updates to its data privacy law, bringing the country more closely in line with the EU, Australia, and other regions that have strictly regulated the use and sharing of online personal information. Multinationals doing business with the island nation should review their procedures for collecting and processing personal data to ensure they are in compliance before the changes become law.
The updates come in the form of amendments to Singapore’s Personal Data Protection Act (PDPA), which was passed in 2012 and became effective in 2014. After the EU’s landmark General Data Protection Regulation (GDPR) was passed in 2016, Singapore’s Ministry of Communications and Information and Personal Data Protection Commission (PDPC) began holding public consultations to gain feedback about proposed modifications to its PDPA and the country’s Spam Control Act (SCA), which regulates phone calls and texting.
On May 28, after obtaining public commentary on three feedback sessions held between 2017 and 2019, the government closed discussions on its proposed amendments. It is very likely to adopt these changes, which clarify some aspects of using personal data, strengthen protections for consumers, and introduce stiffer penalties for organisations and individuals who fail to comply.
Raising data privacy standards will allow Singapore to conduct business more easily with other advanced nations and win the trust of customers in an increasingly digital world economy. "The amendments...will support our organizations' efforts as they transform and grow in the digital economy to better serve consumers," said PDPC Deputy Commissioner Yeong Zee Kin.
Updating the data privacy law is part of a general technology push in Singapore, which has invested heavily in digital infrastructure and education. A recent Cisco survey named it the world's top nation in digital readiness, and Swiss business school IMD listed it as the world’s most digitally competitive economy in 2019 and 2020.
The proposed data privacy amendments contain their own nuances, but companies familiar with the GDPR and other privacy laws will find many similarities.
As with the GDPR, companies are not required to obtain consent to use customer information for legitimate business purposes.
The PDPA amendments clarify some of these purposes under a “business improvement” provision, which allows companies to use personal data without consent “where there is a need to carry out operational efficiency and service improvements, develop or enhance products/services, or know more about the organisation’s customers.”
The amendments also say that the use of personal data must be “what a reasonable person would consider appropriate in the circumstances,” and should not cause adverse effects for individuals.
Companies may also collect data without consent if it is necessary for contracts or if it benefits the broader public interest — for example, the creation of blacklists to prevent fraud. In some cases, researchers may use personal data without consent if it does not harm individuals or identify them in published results.
A new data portability rule will allow people to request the transfer of their personal data to another organisation, enabling them to change service providers more easily. More fluid information flows will facilitate the development of new services and drive innovation, the government believes.
So far, the data portability provision will only apply to organizations with a presence in Singapore, but it may be expanded in the future, the government notes.
The new amendments require companies to notify the PDPC if they experience a data breach involving 500 or more people or one that is likely to harm affected individuals. Companies must also notify the people affected by the breach.
Under existing PDPA rules, companies have up to 30 days to determine whether a breach merits notification. The new amendments remove the time limit, saying instead that organisations have “a duty to conduct, in a reasonable and expeditious manner, an assessment” about notification decisions.
Amendments to the SCA will outlaw the use of data-harvesting software and online dictionaries for the purpose of sending out bulk unsolicited messages by phone, email, text, or through instant messaging services on apps such as WhatsApp and Facebook Messenger.
Under the existing PDPA, organisations that violate its rules may be fined up to S$1 million. The new amendments allow a penalty of S$1 million or up to 10 percent of annual revenue, whichever is greater. In contrast, organisations found in violation of the EU’s GDPR rules may face penalties up to a maximum of 20 million euros or 4 percent of annual revenue, whichever is greater.
In addition to fining organisations, the amendments allow the government to prosecute individuals who mishandle personal data. If found guilty, they may be assessed a fine of up to S$5,000, receive a prison sentence of up to two years, or both.
Singapore’s changes to its data privacy law show that the country is serious about improving the digital environment for consumers and is willing to crack down on organisations that break the rules. Though the government has not yet announced a timeline for voting the changes into law, we strongly urge multinationals that do business with the country to study the proposed amendments and make any necessary changes to their personal data policies as soon as possible.