Singapore: Amendments to the Personal Data Protection Act 2012 (PDPA) now in force

The following sections of the Amendment Bill are now in force (as of 1 February 2021):

a. Mandatory data breach notification

Organisations must now notify the Personal Data Protection Commission (PDPC) and affected individuals if a data breach results in, or is likely to result in, significant harm to affected individuals, or affects 500 or more individuals.

b. New criminal offences

It is now a crime for individuals to mishandle personal data or re-identify anonymised information unless they have been authorised to do so. The penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.

c. An expanded deemed consent framework

New bases upon which consent may be deemed have been added into the Act – contractual necessity and notification.

d. Exceptions to express consent requirements

Organisations may now collect, use and/or disclose personal data without consent on the basis of legitimate interests or business improvements, provided that organisations conduct assessments to ensure that the legitimate interest of the organisation outweighs any adverse effect on the individual.

Accompanying regulations have also been promulgated to provide clarity on the mandatory data breach notification and consent framework and exceptions. In addition, the PDPC has updated a number of the advisory guidelines to reflect the changes to the PDPA.

We anticipate that other provisions on the increased financial penalty and the new right of data portability for individuals (as mentioned in our previous alert) that are not currently in force will take effect within the next 12 months.

Organisations should:

  • review their privacy policies for compliance with the amended PDPA;
  • review their data breach or incident response plans in accordance with the mandatory data breach notification requirements;
  • consider if new processes need to be put in place in anticipation of the new right of data portability for individuals;
  • conduct relevant assessments on the likely adverse effect of the intended collection, use or disclosure of personal data, in order to rely on the consent framework and/or exceptions; and
  • conduct internal training in respect of the changes under the Personal Data Protection (Amendment) Act 2020.

The Personal Data Protection (Amendment) Act 2020 is available here: https://sso.agc.gov.sg/Acts-Supp/40-2020/Published/20201210?DocDate=20201210

The updated PDPA consolidating all the changes is available here: https://sso.agc.gov.sg/Act/PDPA2012#legis

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.