The following sections of the Amendment Bill are now in force (as of 1 February 2021):
a. Mandatory data breach notification
Organisations must now notify the Personal Data Protection Commission (PDPC) and affected individuals if a data breach results in, or is likely to result in, significant harm to affected individuals, or affects 500 or more individuals.
b. New criminal offences
It is now a crime for individuals to mishandle personal data or re-identify anonymised information unless they have been authorised to do so. The penalty for these offences is a fine not exceeding S$5,000 or imprisonment for a term not exceeding 2 years or both.
c. An expanded deemed consent framework
New bases upon which consent may be deemed have been added into the Act – contractual necessity and notification.
d. Exceptions to express consent requirements
Organisations may now collect, use and/or disclose personal data without consent on the basis of legitimate interests or business improvements, provided that organisations conduct assessments to ensure that the legitimate interest of the organisation outweighs any adverse effect on the individual.
Accompanying regulations have also been promulgated to provide clarity on the mandatory data breach notification and consent framework and exceptions. In addition, the PDPC has updated a number of the advisory guidelines to reflect the changes to the PDPA.
We anticipate that other provisions on the increased financial penalty and the new right of data portability for individuals (as mentioned in our previous alert) that are not currently in force will take effect within the next 12 months.
- review their privacy policies for compliance with the amended PDPA;
- review their data breach or incident response plans in accordance with the mandatory data breach notification requirements;
- consider if new processes need to be put in place in anticipation of the new right of data portability for individuals;
- conduct relevant assessments on the likely adverse effect of the intended collection, use or disclosure of personal data, in order to rely on the consent framework and/or exceptions; and
- conduct internal training in respect of the changes under the Personal Data Protection (Amendment) Act 2020.
The Personal Data Protection (Amendment) Act 2020 is available here: https://sso.agc.gov.sg/Acts-Supp/40-2020/Published/20201210?DocDate=20201210
The updated PDPA consolidating all the changes is available here: https://sso.agc.gov.sg/Act/PDPA2012#legis
DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.