Key Updates to the PDPA Introduced by the Personal Data Protection (Amendment) Act 2020 (Part 3 – Offences, Enforcement, and Others)

10 May 2021

Dharma Sadasivan

The Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”) was passed in Parliament on 02 November 2020, and is partially in force as of 01 February 2021. The Amendment Act marks the first comprehensive review of the Personal Data Protection Act 2012 (“PDPA”) since its enactment, and is the culmination of a series of consultations between the Ministry of Communications and Information (“MCI”), the Personal Data Protection Commission (“PDPC”) as well as public and industry stakeholders.

This article, the final in a 3-part series, highlights some key updates to the PDPA introduced by the Amendment Act, and focuses on updates relating to offences and enforcement, as well as miscellaneous key updates.

Increased Financial Penalty Cap (not yet in force)

Where an organisation is in breach of its data protection obligations, the Amendment Act will empower the PDPC through section 48J of the PDPA to impose a financial penalty of up to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. At present, the maximum financial penalty that the PDPC may impose on an organisation is S$1 million.

Section 48J will also empower the PDPC to impose on organisations that have breached the prohibition against the use of dictionary attacks and address harvesting software, financial penalties of up to S$1 million or 5% of the organisation’s annual turnover in Singapore, whichever is higher, or S$200,000 on an individual. At present, the maximum financial penalty for such breaches is S$1 million for organisations and S$200,000 for individuals.

Offences for Mishandling of Personal Data

To hold individuals accountable for the mishandling of personal data in the possession or under the control of an organisation, the PDPA has introduced the following offences at a new Part IXB:

knowing or reckless unauthorised disclosure of personal data;
knowing or reckless unauthorised use of personal data for a gain for that individual or another person, or causing harm or loss to another person; and
knowing or reckless unauthorised re-identification of anonymised information.

These offences are subject to specified defences, such as where the information is publicly available, where the individual reasonably believes that he had the legal right to do so, or where independent testing of anonymisation of personal data is carried out. An individual found guilty of any of the above offences will be liable on conviction to a fine of S$5,000 and/or imprisonment for a term not exceeding 2 years.

Voluntary Undertakings

The Amendment Act introduces Part IXC of the PDPA, which empowers the PDPC to accept and enforce voluntary undertakings from organisations where the PDPC has reasonable grounds to believe that an organisation has not complied, is not complying, or is not likely to comply with the PDPA.

A voluntary undertaking is given and accepted in place of the conduct of a full investigation. It may include a commitment to do any of the following:-

take a specified action within a specified time;
refrain from taking a specified action; or
publicise the voluntary undertaking.

If an organisation does not comply with its voluntary undertaking, the PDPC may give the organisation or any person concerned any direction that it thinks fit to ensure the compliance of the organisation with the undertaking.

Alternative Dispute Resolution

The PDPC is now empowered under Part IXC to refer any complaint by an individual against an organisation to mediation under a dispute resolution scheme if it is of the opinion that the complaint may be more appropriately resolved. The PDPC may do so without the individual’s or the organisation’s consent. Both parties will be required to participate in the mediation as directed by the PDPC and must comply with any regulations prescribed by the PDPC.

Others

Removal of Exemption for Organisations Acting on Behalf of Public Agencies

Prior to the Amendment Act, private organisations that acted on behalf of a public agency were exempted from the data protection obligations in the PDPA. With the Amendment Act, all private organisations are now subject to the PDPA, even if they are acting on behalf of a public agency. Public agencies continue to be exempted from the data protection obligations in the PDPA.

Increased Protection from Unsolicited Messages

The new Part IXA relates to the PDPA’s Do Not Call provisions (“DNC Provisions”) and prohibits the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks or address harvesting software. The Amendment Act also amends the Spam Control Act to this effect.

Next Steps

In adapting to the amended PDPA, organisations should review their data protection policies and procedures and ensure that they are in line with the new amendments.

In particular, organisations should ensure that they are sufficiently prepared to manage data breach incidents in light of the mandatory data breach notification obligation. Where they update their data protection policies and procedures, they should conduct internal training sessions on the same. Organisations should also review their operations and consider the feasibility of taking advantage of the expanded consent framework.

Please contact us if you need assistance on personal data protection matters.

Read the rest of this series

Dharma Sadasivan
Director, BR Law Corporation
dharma@brlawcorp.com

Thiyana Ilangchizian
Trainee, BR Law Corporation

Post date. Edit this to change the date post was posted. Does not show up on published site. 10/5/2021

Your comment will be posted after it is approved.