BR Law Corporation

Key Updates to the PDPA Introduced by the Personal Data Protection (Amendment) Act 2020 (Part 1 – Consent, Protection, and Data Breach Notification)

26 April 2021
Dharma Sadasivan
The Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”) was passed in Parliament on 02 November 2020, and is partially in force as of 01 February 2021. The Amendment Act marks the first comprehensive review of the Personal Data Protection Act 2012 (“PDPA”) since its enactment, and is the culmination of a series of consultations between the Ministry of Communications and Information (“MCI”), the Personal Data Protection Commission (“PDPC”) as well as public and industry stakeholders.

This article, Part 1 of a 3-part series, highlights some key updates to the PDPA introduced by the Amendment Act, and focuses on updates relating to issues of consent, protection, and data breach notification.
Handling personal data without consent – the Legitimate Interests Exception

The Amendment Act introduces a new “legitimate interests” exception which allows organisations to collect, use or disclose personal data about an individual without consent where it is in the legitimate interests of the organisation or another person, and the legitimate interests outweigh any adverse effect on the individual. 

“Legitimate interests” generally refer to any lawful interests of an organisation or other person. Such interests may include detecting or preventing illegal activity such as fraud or money laundering, threats to physical safety and security or IT and network security, preventing misuse of services, and carrying out any necessary corporate due diligence.

As this exception is broad, the onus is on the organisation to comply with additional safeguards to ensure the interests of individuals are protected. Accordingly, organisations must first: 

  1. identify and articulate the legitimate interests being claimed; 

  2. conduct an assessment to identify any potential adverse effects arising from the collection, use, and disclosure of the individual’s personal data, and identify and implement reasonable measures to eliminate, mitigate, and minimise the adverse effects; and 

  3. disclose to the individual that the legitimate interests exception is being relied upon.

If requested by the PDPC, the organisation must provide justification of its reliance on the legitimate interests exception, which may include demonstrating that it has complied with the additional safeguards above. 

The “legitimate interests” exception at first glance appears to be a concept borrowed from the European Union’s General Data Protection Regulation 2016/679 (“GDPR”). However, closer scrutiny reveals some fundamental differences. 

First, the PDPA is a consent-based regime – consent is the foundation upon which personal data may be collected, used, and disclosed. Various exceptions to consent, including legitimate interests, are then prescribed, creating carve-outs from the default rule. 

By contrast, consent is merely one ground upon which personal data may be processed under the GDPR. Other grounds include where such processing is necessary in certain prescribed circumstances, one of which is where the processing is necessary for “legitimate interests”. In other words, “legitimate interests” under the GDPR is not an exception to the rule, but rather a basis for processing in itself.

Second, the PDPA allows for the “legitimate interests” exception to be relied upon only where the legitimate interests outweigh the adverse effects on the individual. From this perspective, the application of the legitimate interests exception under the PDPA is rather narrow – it is prohibited until the prescribed threshold is reached; only then may an organisation avail itself of the exception.

By contrast, under the GDPR, “legitimate interests” is one of the ordinary bases for processing personal data and can be relied upon so long as the legitimate interests do not begin to override the interests or fundamental rights and freedoms of the individual. From this perspective, the application of “legitimate interests” under the GDPR is rather broad – it is permitted until the prescribed threshold is reached; only then is an organisation unable to avail itself of this basis for processing personal data. 

Interestingly, organisations cannot rely on the “legitimate interests” exception to send direct marketing messages under the PDPA, whereas this is not prohibited under the GDPR. 

Handling personal data without consent – the Business Improvement Exception

The new “business improvement” exception allows organisations to collect, use or disclose personal data about an individual without consent for the following business improvement purposes:

  1. improving, enhancing or developing goods or services; 

  2. improving, enhancing or developing new methods or processes for business operations;

  3. learning about or understanding the behaviour and preferences of individuals in relation to goods or services; or

  4. matching, personalising or customising goods or services to individuals

(collectively, the “Business Improvement Purposes”). 

Specifically, under this exception, the personal data may be:

  • collected and disclosed (i.e. shared) between related corporations where such collection and disclosure is for Business Improvement Purposes and where the relevant individual is an existing customer of the disclosing party and an existing or prospective customer of the receiving party; and

  • used without consent where such use is for Business Improvement Purposes.

This exception may only be used where the Business Improvement Purposes cannot be reasonably achieved without using personal data in an individually identifiable form, and where a reasonable person would consider such use appropriate in the circumstances. 

Like the “legitimate interests” exception, this exception cannot be used as a basis for sending direct marketing messages.

Deemed Consent

The amended PDPA expands the concept of deemed consent by distinguishing between (i) deemed consent by conduct; (ii) deemed consent by contractual necessity; and (iii) deemed consent by notification.

Deemed consent by conduct

Where an individual voluntarily provides personal data to an organisation for particular purposes, and it would be reasonable in the circumstances for the individual to do so, consent will be deemed to have been given for those purposes. This form of deemed consent precedes the Amendment Act and has been in the PDPA since it was passed in 2012.

Deemed consent by contractual necessity

Sections 15(3) to 15(10) of the PDPA, introduced by the Amendment Act, permit downstream disclosure of personal data arising from contractual necessity.

Specifically, where an individual provides personal data to an organisation for a transaction and it would be reasonably necessary for the organisation to disclose that personal data to another organisation for the transaction, including where the first organisation and downstream organisation have entered into an agreement at the request of the individual, consent will be deemed to have been granted for the disclosure to and collection of the personal data by the downstream organisation.

The downstream organisation may further disclose the personal data to another downstream organisation where reasonably necessary for that transaction, and so on. Consent will be deemed to have been granted in respect of all the downstream entities’ collection and disclosure of personal data.

For instance, where an individual purchases an item from a retailer through an e-commerce platform, the individual will be deemed to have consented to his/her personal data (such as credit card details, contact number, residential address) being collected by and disclosed to the e-commerce company, payment gateway, payment processor, the relevant banks, delivery partners, etc. 

Deemed consent by notification 

The Amendment Act introduces section 15A of the PDPA, which provides for deemed consent by notification. This allows organisations to rely on an individual’s deemed consent where they have notified that individual of the purpose for the collection, use or disclosure of personal data, given that individual a reasonable period of time to opt out, and the individual does not opt out. In this regard, an individual is still entitled to withdraw their deemed consent after the lapse of the opt-out period. 

Before any collection, use or disclosure of personal data in accordance with this provision, an organisation must first conduct an assessment to ensure that the proposed collection, use or disclosure is not likely to have an adverse effect on the individual. Next, the organisation must implement reasonable measures to eliminate the adverse effect, reduce the likelihood of the adverse effect occurring, or mitigate the adverse effects. 

Organisations cannot rely on deemed consent by notification to send direct marketing messages.

Protection of personal data

Section 24 of the PDPA now expressly requires organisations to protect against the loss of storage mediums or devices on which personal data is stored.

Data Breach Notification Obligation

One of the most significant changes brought about by the Amendment Act is the introduction of the data breach notification obligation. Prior to the Amendment Act, organisations were not required to notify the PDPC or individuals about data breaches, although they were encouraged to do so in accordance with the PDPC’s Guide to Managing Data Breaches.

A data breach occurs where there is unauthorised access, collection, use, disclosure, copying, modification or disposal (“processing”) of personal data, or where a storage medium or device on which personal data is stored is lost in circumstances where unauthorised processing of that personal data is likely to occur. 

Section 26C of the PDPA requires an organisation, where it has reason to believe that a data breach has occurred, to assess whether that data breach is a notifiable data breach. The assessment must be carried out in a reasonable and expeditious manner (generally, within 30 days). Pursuant to section 26B of the PDPA, a data breach is notifiable if:

(i) it results in, or is likely to result in, significant harm to an affected individual (whether physical, psychological, emotional, economic, financial or reputational); or 

(ii) it is, or is likely to be, of a significant scale (at least 500 individuals are affected). 

If the data breach is notifiable, the organisation must comply with 2 sets of notification obligations – (1) it must notify the PDPC; and (2) it must notify the affected individuals.

The organisation must notify the PDPC as soon as practicable and in any event within 3 calendar days.

An organisation must notify the affected individuals unless it takes remedial action making significant harm unlikely (e.g. containment or destruction of data) or it had in place, prior to the data breach, technological measures making significant harm unlikely (e.g. encryption).

Internal data breaches within an organisation are not notifiable data breaches. An example of an internal data breach is where an email containing personal data is sent from one department to another department which is not authorised to receive it, within the same organisation.

In the case of a data intermediary, where it has reason to believe that a data breach has occurred, it must notify the data controller without undue delay. The data controller must then conduct an assessment of that data breach. The data intermediary need not conduct its own assessment. 

Next Steps

In adapting to the amended PDPA, organisations should review their data protection policies and procedures and ensure that they are in line with the new amendments.

In particular, organisations should ensure that they are sufficiently prepared to manage data breach incidents in light of the mandatory data breach notification obligation. Where they update their data protection policies and procedures, they should conduct internal training sessions on the same. Organisations should also review their operations and consider the feasibility of taking advantage of the expanded consent framework.

Please contact us if you need assistance on personal data protection matters.


Read the rest of this series
  • Part 2 - Individual Rights
  • Part 3 - Offences, Enforcement, and Others


Dharma Sadasivan
Director, BR Law Corporation
dharma@brlawcorp.com

Thiyana Ilangchizian
Trainee, BR Law Corporation

