26 April 2021
The Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”) was passed in Parliament on 02 November 2020, and is partially in force as of 01 February 2021. The Amendment Act marks the first comprehensive review of the Personal Data Protection Act 2012 (“PDPA”) since its enactment, and is the culmination of a series of consultations between the Ministry of Communications and Information (“MCI”), the Personal Data Protection Commission (“PDPC”) as well as public and industry stakeholders.
This article, Part 1 of a 3-part series, highlights some key updates to the PDPA introduced by the Amendment Act, and focuses on updates relating to issues of consent, protection, and data breach notification.
Handling personal data without consent – the Legitimate Interests Exception
The Amendment Act introduces a new “legitimate interests” exception which allows organisations to collect, use or disclose personal data about an individual without consent where it is in the legitimate interests of the organisation or another person, and the legitimate interests outweigh any adverse effect on the individual.
“Legitimate interests” generally refers to any lawful interest of an organisation or another person. Such interests may include detecting or preventing illegal activity (such as fraud or money laundering), responding to threats to physical safety and security or to IT and network security, preventing the misuse of services, and carrying out any necessary corporate due diligence.
As this exception is broad, the onus is on the organisation to comply with additional safeguards to ensure the interests of individuals are protected. Accordingly, organisations must first:
If requested by the PDPC, the organisation must provide justification of its reliance on the legitimate interests exception, which may include demonstrating that it has complied with the additional safeguards above.
The “legitimate interests” exception at first glance appears to be a concept borrowed from the European Union’s General Data Protection Regulation 2016/679 (“GDPR”). However, closer scrutiny reveals some fundamental differences.
First, the PDPA is a consent-based regime – consent is the foundation upon which personal data may be collected, used, and disclosed. Various exceptions to consent, including legitimate interests, are then prescribed, creating carve-outs from the default rule.
By contrast, consent is merely one ground upon which personal data may be processed under the GDPR. Other grounds include where such processing is necessary in certain prescribed circumstances, one of which is where the processing is necessary for “legitimate interests”. In other words, “legitimate interests” under the GDPR is not an exception to the rule, but rather a basis for processing in itself.
Second, the PDPA allows for the “legitimate interests” exception to be relied upon only where the legitimate interests outweigh the adverse effects on the individual. From this perspective, the application of the legitimate interests exception under the PDPA is rather narrow – it is prohibited until the prescribed threshold is reached; only then may an organisation avail itself of the exception.
By contrast, under the GDPR, “legitimate interests” is one of the ordinary bases for processing personal data and can be relied upon so long as the legitimate interests do not begin to override the interests or fundamental rights and freedoms of the individual. From this perspective, the application of “legitimate interests” under the GDPR is rather broad – it is permitted until the prescribed threshold is reached; only then is an organisation unable to avail itself of this basis for processing personal data.
Interestingly, organisations cannot rely on the “legitimate interests” exception to send direct marketing messages under the PDPA, whereas this is not prohibited under the GDPR.
Handling personal data without consent – the Business Improvement Exception
The new “business improvement” exception allows organisations to collect, use or disclose personal data about an individual without consent for the following business improvement purposes:
(collectively, the “Business Improvement Purposes”).
Specifically, under this exception, the personal data may be:
This exception may only be used where the Business Improvement Purposes cannot be reasonably achieved without using personal data in an individually identifiable form, and where a reasonable person would consider such use appropriate in the circumstances.
Like the “legitimate interests” exception, this exception cannot be used as a basis for sending direct marketing messages.
The amended PDPA expands the concept of deemed consent by distinguishing between (i) deemed consent by conduct; (ii) deemed consent by contractual necessity; and (iii) deemed consent by notification.
Deemed consent by conduct
Where an individual voluntarily provides personal data to an organisation for particular purposes, and it would be reasonable in the circumstances for the individual to do so, consent will be deemed to have been given for those purposes. This form of deemed consent precedes the Amendment Act and has been in the PDPA since it was passed in 2012.
Deemed consent by contractual necessity
Sections 15(3) to 15(10) of the PDPA, introduced by the Amendment Act, permit downstream disclosure of personal data arising from contractual necessity.
Specifically, where an individual provides personal data to an organisation for a transaction, and it is reasonably necessary for that organisation to disclose the personal data to another organisation for the purposes of that transaction (including where the first organisation and the downstream organisation enter into an agreement at the request of the individual), consent is deemed to have been given to the disclosure of the personal data to, and its collection by, the downstream organisation.
The downstream organisation may further disclose the personal data to another downstream organisation where reasonably necessary for that transaction, and so on. Consent will be deemed to have been granted in respect of all the downstream entities’ collection and disclosure of personal data.
For instance, where an individual purchases an item from a retailer through an e-commerce platform, the individual will be deemed to have consented to his/her personal data (such as credit card details, contact number, residential address) being collected by and disclosed to the e-commerce company, payment gateway, payment processor, the relevant banks, delivery partners, etc.
Deemed consent by notification
The Amendment Act introduces section 15A of the PDPA, which provides for deemed consent by notification. This allows an organisation to rely on an individual’s deemed consent where it has notified the individual of the purpose for the collection, use or disclosure of the personal data, given the individual a reasonable period of time to opt out, and the individual has not opted out. The individual remains entitled to withdraw this deemed consent after the opt-out period has lapsed.
Before any collection, use or disclosure of personal data in accordance with this provision, an organisation must first conduct an assessment to ensure that the proposed collection, use or disclosure is not likely to have an adverse effect on the individual. Next, the organisation must implement reasonable measures to eliminate the adverse effect, reduce the likelihood of the adverse effect occurring, or mitigate the adverse effects.
Organisations cannot rely on deemed consent by notification to send direct marketing messages.
Protection of personal data
Section 24 of the PDPA now expressly requires organisations to protect against the loss of storage mediums or devices on which personal data is stored.
Data Breach Notification Obligation
One of the most significant changes brought about by the Amendment Act is the introduction of the data breach notification obligation. Prior to the Amendment Act, organisations were not required to notify the PDPC or individuals about data breaches, although they were encouraged to do so in accordance with the PDPC’s Guide to Managing Data Breaches.
A data breach occurs where there is unauthorised access, collection, use, disclosure, copying, modification or disposal (“processing”) of personal data, or where a storage medium or device on which personal data is stored is lost in circumstances where unauthorised processing of that personal data is likely to occur.
Section 26C of the PDPA requires an organisation, where it has reason to believe that a data breach has occurred, to assess whether that data breach is a notifiable data breach. The assessment must be carried out in a reasonable and expeditious manner (generally, within 30 days). Pursuant to section 26B of the PDPA, a data breach is notifiable if:
(i) it results in, or is likely to result in, significant harm to an affected individual (whether physical, psychological, emotional, economic, financial or reputational); or
(ii) it is, or is likely to be, of a significant scale (at least 500 individuals are affected).
If the data breach is notifiable, the organisation must comply with 2 sets of notification obligations – (1) it must notify the PDPC; and (2) it must notify the affected individuals.
The organisation must notify the PDPC as soon as practicable and in any event within 3 calendar days.
An organisation must notify the affected individuals unless (1) it has taken remedial action, in response to the breach, that makes significant harm to the individuals unlikely (e.g. containment of the breach, or recovery or destruction of the affected data); or (2) it had implemented, before the data breach occurred, technological measures that make significant harm unlikely (e.g. the affected data was encrypted). These exceptions relieve the organisation only of the obligation to notify the affected individuals; the organisation must still notify the PDPC of the notifiable data breach.
Internal data breaches within an organisation are not notifiable data breaches. An example of an internal data breach is where an email containing personal data is sent from one department to another department which is not authorised to receive it, within the same organisation.
In the case of a data intermediary, where it has reason to believe that a data breach has occurred, it must notify the data controller without undue delay. The data controller must then conduct an assessment of that data breach. The data intermediary need not conduct its own assessment.
In adapting to the amended PDPA, organisations should review their data protection policies and procedures and ensure that they are in line with the new amendments.
In particular, organisations should ensure that they are sufficiently prepared to manage data breach incidents in light of the mandatory data breach notification obligation. Where they update their data protection policies and procedures, they should conduct internal training sessions on the same. Organisations should also review their operations and consider the feasibility of taking advantage of the expanded consent framework.
Please contact us if you need assistance on personal data protection matters.
Director, BR Law Corporation
Trainee, BR Law Corporation
The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of publication, but may no longer be, now or in the future, in the employ of the firm.