This article explains how the Personal Data Protection (Amendment) Act 2020 (the “Amendment”) benefits the user in three areas: customer experience, safeguards, and transparency. Firstly, the Amendment improves customer experience in two ways: (1) deemed consent by contractual necessity eliminates the hassle of clicking multiple checkboxes to express the user’s consent to the sharing of his personal data with sub-contractors; (2) the amendment facilitates the transfer of user data from one platform to another, thereby ensuring a personalised experience for the consumer and spurring the development of novel services. Secondly, users enjoy stronger safeguards from data breaches because data cannot be ported at the expense of the user, and the enhanced penalties encourage organisations to strengthen their internal governance to manage users’ personal data more safely. Thirdly, users enjoy greater transparency because they will receive timely notifications about data breaches from businesses.
II. Customer Experience
A. Convenient Transactions
After the Amendment, the user is deemed to have given his consent for the disclosure of personal data to third-party organisations where it is reasonably necessary for the performance of a contract between the user and the organisation. For example, an online shopper can now consent to the collection of his personal data by the online retailer once, avoiding the hassle of agreeing to multiple checkboxes to express his consent to the disclosure of his personal data to the retailer’s delivery and payment subcontractors.
B. Data Porting
By providing customers with the right to request for their data to be transmitted to another organisation, the data porting obligation improves customer experience by providing data to organisations to improve their goods and services and by spurring competition. The amendments to the PDPA facilitate the porting of applicable data of individuals to organisations that have a commercial relationship with those individuals. The applicable data typically relates to individuals’ user activity data or user-provided data. Hence, with access to such data, businesses would be able to tailor their goods and services to their customers. Secondly, since customers are no longer locked in to a single service provider, the playing field for service providers becomes more equitable towards new players, thereby spurring the development of substitute as well as novel services.
A. Data Porting
However, in recognising the infancy of data porting in Singapore, the Amendment has placed two guidelines on data porting to ensure personal data remains protected. Firstly, the amended PDPA prohibits the porting of data if the porting organisation reasonably expects adverse consequences. Such adverse consequences include cases where the porting of data threatens the well-being of individuals or is against the national interest. For instance, data porting may be prohibited to safeguard the well-being of an individual with compulsive buying disorder because data porting makes online shopping more addictive by improving algorithms that generate online advertisements. Secondly, organisations are not required to port the user’s data if porting would be disproportionate to the individual’s interests.
B. Protection of Personal Data
The Amendment adds a requirement for organisations to ensure that security measures exist to protect physical storage devices.
First, organisations must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or similar risks. Second, organisations are also now required to make reasonable security arrangements to prevent the loss of any storage medium or device that stores personal data in its possession or under its control.
C. Enhanced Penalties
Generally, any contravention of the PDPA will result in a financial penalty of up to $1 million. However, in recognising that organisations that are privy to personal data are normally wealthy organisations or individuals, the Amendment has increased the $1 million threshold for certain situations. Specifically, if the annual turnover of an organisation exceeds $10 million, the maximum penalty that can be imposed will be 10% of its annual turnover, while if the annual turnover of an individual exceeds $20 million, the maximum penalty that can be imposed will be 5% of that individual’s annual turnover. Moreover, even a negligent contravention of the PDPA will attract financial penalties, further strengthening the deterrent against mishandling personal data.
In addition to the enhanced financial penalties, certain contraventions of the PDPA may even lead to imprisonment. The Amendment has made the unauthorised use or disclosure of personal data, and the unauthorised re-identification of anonymised information, offences. The amended PDPA also penalises organisations for the circulation of false requests for data porting on behalf of the individual.
D. Notifiable Data Breaches
Users will now be notified of any data breach that puts them at risk of significant harm. Some potential categories of data which will be considered likely to subject the user to significant harm are as follows:
- medical diagnosis by a medical professional; and
- account usernames and passwords.
Timely notifications empower the user to protect his data because they provide clear steps he can take to prevent the data from being abused, such as changing his password.
In conclusion, the amended PDPA provides organisations with options to access customer data apart from the existing consent-based ones, thereby allowing them to provide better customer service to users. At the same time, users can be reassured that the greater accessibility of their data is accompanied by a more stringent set of guidelines to enforce accountability on the part of organisations.
Written by: Ng Jing Jie and An Ye Qi
Disclaimer: This article does not constitute legal advice or a legal opinion on any matter discussed and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and practice in this area. If you require any advice or information, please speak to a practising lawyer in your jurisdiction. No individual who is a member of SMU Lexicon or SMU Yong Pung How School of Law accepts or assumes responsibility, or has any liability, to any person in respect of this article.