Parliament: Heavier fines for data breaches, more support for legitimate business uses of data under amended PDPA
In the event of a data breach, a company can be fined up to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.
Companies will be penalised more heavily for data breaches while also getting more freedom to use personal data to innovate under changes to Singapore's data protection laws passed in Parliament on Monday (Nov 2).
This tension between keeping consumers' trust high and supporting data use for innovation was acknowledged by Communications and Information Minister S. Iswaran during the debate on changes to the Personal Data Protection Act (PDPA). It was also the subject of rigorous debate between MPs.
"Consumers must have the confidence that their personal data will be secure and used responsibly... (and) organisations need certainty to harness personal data for legitimate purposes, with the requisite safeguards and accountability," said Mr Iswaran.
"The proposed amendments to the (Bill) seek to strike this balance."
A key change in the Bill increases the maximum amount that a company can be fined for a data breach to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.
Currently, the maximum a company can be fined for a data breach is $1 million.
Organisations are now also required by law to inform both the Personal Data Protection Commission (PDPC) and affected individuals of data breaches that result in or are likely to result in significant harm.
Mr Iswaran addressed concerns raised about the higher fines during public consultations prior to the passing of the Bill, as well as by Mr Desmond Choo (Tampines GRC) on Monday.
Mr Choo had said that the revised maximum penalty might "artificially" create the impression that penalties under Singapore's data privacy regime are much harsher than those of the country's neighbours, and cause foreign companies to choose other Asian countries over Singapore to set up operations instead.
"I would like to assure Members that the PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach," Mr Iswaran said, adding that the raised cap will take effect only a year after the amended Act comes into force.
The Bill also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests", so long as these organisations conduct an assessment to eliminate or reduce the risks involved, and ensure the overall benefits outweigh any adverse effects.
Such situations include using personal data to detect anomalies in payment systems to prevent fraud, or the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings.
Mr Iswaran also drew attention to a new provision which allows organisations to notify consumers of a new purpose their personal data will be used for, and to provide a reasonable period for them to opt out.
In such cases, organisations will also have to conduct a risk assessment to ensure that individuals are not adversely affected by the new purpose.
"For example, a financial institution may want to use voice data as an alternative means to authenticate and verify its customers," Mr Iswaran said.
"With these amendments, the financial institution can notify its customers of the intended use of their voice data, providing a reasonable opt-out period, and a contact number for customers' queries."
On protecting data while enabling innovation: 6 highlights from MPs' rigorous debate on PDPA amendments
MPs raised a host of concerns during the debate on changes to the Personal Data Protection Act (PDPA) on Monday (Nov 2), centring on how to strike a balance between protecting consumers' personal data and enabling the innovative use of such data by businesses.
Many cited the recent data breaches that involved 1.1 million RedMart users and 2.8 million Eatigo users. Here are some of the key points highlighted.
1. Legitimate interests and deemed consent
The revised PDPA expands the list of legitimate interests when using personal data for which companies either do not need to seek consent or are deemed to have obtained consent.
Ms Jessica Tan (East Coast GRC), Mr Louis Chua (Sengkang GRC) and Ms Tin Pei Ling (MacPherson) were among those who were worried that these new exceptions would erode consumer protection and trust.
"There must be measures to ensure that individuals fully understand that they are deemed to have given their consent for the use of their personal data," said Ms Tan. "At the end of the day, what's important is consumer trust."
In response, Communications and Information Minister S. Iswaran pointed to how consumers can opt out at any time if they want to. He added that to qualify for these exceptions, organisations must also do a risk assessment and be satisfied that the overall benefits outweigh any adverse effects to consumers.
2. Right to erasure
Mr Desmond Choo (Tampines GRC) and Mr Leon Perera (Aljunied GRC) asked if a right to erasure could be included, allowing consumers to request that companies delete their personal data.
"Such an obligation (to delete data on request) seems to me to be not overly onerous on businesses," Mr Perera said, noting the right to erasure is provided for in the European Union's General Data Protection Regulation (GDPR).
Mr Iswaran noted the PDPA now allows consumers to ask companies to stop collecting, using or disclosing their personal data, and the Personal Data Protection Commission (PDPC) can also direct companies to destroy data collected in contravention of the law.
"So, we have the provisions. They are not identical to the right of erasure, but they give a substantially similar effect," he added.
3. 'Do not call' provision
Ms Tin Pei Ling asked if the fact that contraventions of Do Not Call (DNC) provisions under the PDPA will now be dealt with as civil, instead of criminal, proceedings in court could be perceived as a "step down" and diminish the importance of personal data protection.
Mr Iswaran said that, on the contrary, enforcement of DNC contraventions would be more effective under a civil administrative regime. "DNC infringements typically stem from commercial motives. Hence, directions and financial penalties are more effective in addressing poor practices by depriving offenders of financial gains," he added.
4. Data breach threshold
Mr Shawn Huang (Jurong GRC) asked what constitutes a data breach of significant scale or harm under the revised PDPA, for which mandatory notification is needed.
Mr Iswaran said the threshold for a data breach of significant scale is 500 individuals, and cited identity theft or fraud resulting from the leakage of full names or confidential financial information as examples of significant harm.
Ms Joan Pereira (Tanjong Pagar GRC) suggested that it be made mandatory for companies to notify the PDPC of all data breaches, and to subject companies to a clear deadline for informing individuals.
Mr Iswaran said: "Such a threshold for notification is important, but we also have to take into account the compliance costs on organisations... So we have not set a fixed time frame."
5. Private organisations acting for the Government
Mr Patrick Tay (Pioneer) asked Mr Iswaran to elaborate on the removal of the exclusion for private organisations acting on behalf of the Government, which puts such organisations under the ambit of the PDPA.
Mr Iswaran replied: "This makes it clear that the PDPA applies to all private organisations.
"Currently, the exclusion... has created a situation where the Government can only hold (such agents) to account by contracts or laws like the Official Secrets Act, (and this) can undermine security as they may handle large and sensitive volumes of personal data."
6. Public sector data
Senior Minister of State for Communications and Information Janil Puthucheary and Mr Gerald Giam (Aljunied GRC) crossed swords on the subject of data security standards in the public and private sectors.
The PDPA does not apply to public sector agencies, which are instead subject to a different set of laws under the Public Sector (Governance) Act.
Mr Giam called for the Government to hold itself to the same level of data privacy standards, procedures and accountability that it expects of private sector companies.
In response, Dr Janil said the separation of the public and private sector data protection regimes in Singapore remains relevant.
"It remains necessary for us to keep achieving the outcomes that we want to achieve in terms of good policy, responsiveness to citizens, operating as one government," he said.
Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.