The PDPA had not been amended since it was enacted in 2012, while the number of ways in which personal data can be collected, used or disclosed has grown substantially over the same period.
To address these changes in the field of data protection, amendments have now been made to the PDPA. The Personal Data Protection (Amendment) Bill (“Bill”) was published in May 2020 and passed by Parliament on 2 November 2020, becoming the Personal Data Protection (Amendment) Act (“the Amendment Act”).
We set out below the changes which have been implemented in the Amendment Act.
Some of these changes have since come into effect as of 1 February 2021, while others are due to come into effect at a later date to be determined.
Amendment Act
1. Increased cap on financial penalties for non-compliance with the PDPA
2. Data portability obligation
3. Mandatory data breach notification requirement
4. Amendments to consent provisions
5. Offences concerning mishandling of personal data by individuals
6. The PDPC has enhanced enforcement powers
1. Increased cap on financial penalties for non-compliance with the PDPA
Currently, under the PDPA, financial penalties of up to S$1 million may be imposed on organisations or individuals for non-compliance. A private right of action is also available under the PDPA to individuals who have suffered loss or damage as a result of a breach.
Under the Amendment Act, the maximum financial penalty for a breach will be 10% of the organisation’s annual turnover in Singapore or S$1 million, whichever is higher.
This increased cap on financial penalties is due to take effect at a later date to be notified.
The Personal Data Protection Commission (“PDPC”), which enforces the PDPA, will consider the following factors when imposing financial penalties for non-compliance:
- the type, seriousness and duration of the violation or non-compliance;
- the nature and type of personal data affected;
- whether any mitigating action was taken in a timely manner by the offending party; and
- the impact of the financial penalty on the offending party.
2. Data portability obligation
Currently, there is no data portability obligation under the PDPA.
However, under the Amendment Act, an organisation that holds an individual’s personal data must, at that individual’s request, transmit a copy of the data to another organisation. This is known as data porting.
The obligation applies only to personal data held in electronic form, and only to data created or collected within a prescribed period before the data porting request was made (the period varies with the type of data).
If an organisation declines to carry out the data porting request, the PDPC will review the circumstances of such a refusal. It can also review if the data was transmitted in a timely manner and if any fees charged by the organisation for data porting were reasonable.
Lastly, there are certain exceptions to the data portability obligation under the Amendment Act. For example, an organisation need not comply with a data porting request if doing so would reveal confidential commercial information that could adversely affect its competitive position, or if the request would impose an unreasonable burden or expense on the organisation.
The data portability obligation is also due to come into force at a later date to be notified.
3. Mandatory data breach notification requirement
Under the Amendment Act, organisations must now notify the PDPC of any “notifiable data breach”. A data breach is notifiable if it results in, or is likely to result in, significant harm to an affected individual, or if it is, or is likely to be, of a significant scale (under the accompanying regulations, a breach affecting 500 or more individuals).
This is a new requirement not previously found in the PDPA and has come into effect as of 1 February 2021.
Once an organisation has reason to believe that a data breach has occurred, it must assess whether the breach is notifiable in a reasonable and expeditious manner (the regulations set a 30-calendar-day assessment period). If it assesses that the breach is notifiable, it must notify the PDPC as soon as practicable, and in any case no later than 3 calendar days after the day it makes that assessment.
In addition, a data intermediary that processes personal data on behalf of another organisation or a public agency must notify that organisation or public agency, without undue delay, if it has reason to believe that a data breach has occurred in relation to that data. It is then for the organisation or public agency to assess whether the breach is notifiable.
Lastly, where a notifiable data breach results in, or is likely to result in, significant harm to individuals, the organisation must also notify the affected individuals, subject to limited exceptions (for example, where remedial action already taken, or a technological measure such as encryption applied before the breach, makes significant harm unlikely).
4. Amendments to consent provisions
The Amendment Act widens the bases on which an organisation may collect, use or disclose personal data without obtaining express consent:
- deemed consent by contractual necessity, where disclosure of personal data to a third party is reasonably necessary to perform a contract between the individual and the disclosing organisation;
- deemed consent by notification, where individuals are notified of the purpose of the collection, use or disclosure of their personal data and do not opt out within a reasonable period; and
- new exceptions to consent in prescribed circumstances, e.g. where the collection, use or disclosure is in the organisation’s legitimate interests, or where the use is for business improvement purposes.
Please note that to rely on the legitimate interests exception, the organisation must identify the legitimate interest, assess that the benefit of that interest outweighs any adverse effect on the individuals whose personal data is affected, take reasonable steps to eliminate or mitigate any such adverse effect, and provide the affected individuals with reasonable access to information about its collection, use or disclosure of the personal data under this exception.
To rely on the business improvement exception, the use must be for one of the “relevant purposes” specified in the Amendment Act, the purpose must be one that a reasonable person would consider appropriate in the circumstances, and the purpose must be one that cannot reasonably be achieved without using the personal data in individually identifiable form.
These consent provisions have now come into force as of 1 February 2021.
5. Offences concerning mishandling of personal data by individuals
The Amendment Act introduces new offences for individuals who mishandle personal data that is in the possession or under the control of an organisation or public agency, namely:
- knowing or reckless unauthorised disclosure of personal data;
- knowing or reckless unauthorised use of personal data for a wrongful gain or to cause a wrongful loss to any person; and
- knowing or reckless unauthorised re-identification of anonymised data.
These changes have also come into effect as of 1 February 2021.
6. The PDPC has enhanced enforcement powers
The Amendment Act also strengthens the PDPC’s enforcement powers:
- complaints by individuals can now be referred by the PDPC to mediation where it considers mediation a more appropriate approach;
- the PDPC’s powers of review are widened to include reviewing an organisation’s refusal to provide access to, correct or transmit an individual’s personal data pursuant to an access, correction or data porting request;
- the PDPC’s directions or written notices can now be registered in the District Court, which is in turn empowered to make court orders to enforce them; and
- where the PDPC has reasonable grounds to believe that an organisation has not complied with the PDPA, it may accept a voluntary written undertaking from the organisation to take (or refrain from taking) specified action, and the PDPC may publish that undertaking.