Strengthening Data Protection Standards in Singapore
Strengthening Singapore’s data protection standards with mandatory notification and stiffer penalties for data breaches.
Minister for Communications and Information Mr S. Iswaran recently presented a proposed amendment to the Personal Data Protection Act. The Personal Data Protection (Amendment) Bill is amongst four Bills that were introduced in Parliament recently. The amendments were introduced as a measure towards strengthening Singapore’s data protection standards.
The Bill will introduce mandatory notification requirements and stiffer penalties for data breaches, amongst others. Under the current law in Singapore, data breaches warrant a maximum penalty or fine of $1 million for the offending company. The proposed change in the personal data protection law imposes a fine of up to 10% of a company’s annual turnover in Singapore. However, this stiffer penalty is only applicable to companies with an annual turnover exceeding $10 million.
The proposed amendment also necessitates all organizations to notify the Personal Data Protection Commission as well as the affected individuals of data breaches. The notification is necessary for data breaches that may cause harm to the affected individuals. With enough notice, affected individuals will be able to take precautionary measures such as making a report, cancelling their cards, changing passwords, etc. This mandatory requirement thereby enforces a duty of care on organizations.
Mr Iswaran stated that the amendments would clear ambiguity and provide greater certainty for businesses. It would also guide them in their obligations and duties. Most importantly, it clearly defines the course of action and measures to be taken in the event of an incident.
The Bill facilitates the collection, use or disclosure of personal data by organizations. The consent of individuals is not necessitated in circumstances which can be classified as ‘legitimate interests.’ These circumstances would arise in situations that encompass using the Internet of Things devices such as data from security cameras, etc. The rationale behind such a proposal is to facilitate debt recovery or payment, investigations and legal proceedings, amongst others.
To ensure equitable fairness, consumers are also afforded the protection of their rights and privacy. The Bill requires all consumers to be allowed to opt-out of having their data used by companies. E-commerce platforms such as Shopee, Lazada and Amazon have algorithms that run predictive recommendations based on a user’s online behaviour and pattern. Browsing habits, previous purchases, etc. are all scrutinized to auto-generate new purchase suggestions that drive sales.
Mr Iswaran reinforced the need to provide consumers with greater confidence when it comes to their data protection. He stated that the safety of their data is of primary importance and that consumers needed to be assured of this.
Such data should be used in a responsible manner towards Singapore’s economy but underscored with culpability. Mr Iswaran placed a strong emphasis on the need for accountability by companies and organizations who collect information and data for its use. This necessitates regulators be empowered with tools and measures that allow enforcement to ensure compliance, explained Mr Iswaran.