Heavier fines for data breaches, more support for legitimate uses under amended PDPA

[SINGAPORE] Companies will be penalised more heavily for data breaches while also getting more freedom to use personal data to innovate under changes to Singapore's data protection laws passed in Parliament on Monday (Nov 2).

This tension between keeping consumers' trust high and supporting data use for innovation was acknowledged by Communications and Information Minister S Iswaran during the second reading of the Personal Data Protection (Amendment) Bill, and was also the subject of rigorous debate between MPs.

"Consumers must have the confidence that their personal data will be secure and used responsibly... (and) organisations need certainty to harness personal data for legitimate purposes, with the requisite safeguards and accountability," said Mr Iswaran. "The proposed amendments to the (bill) seek to strike this balance." A key change in the bill increases the maximum amount that a company can be fined for a data breach to 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Currently, the maximum a company can be fined for a data breach is S$1 million.

Organisations are now also required by law to inform both the Personal Data Protection Commission (PDPC) and affected individuals of data breaches that result in or are likely to result in significant harm.

Mr Iswaran addressed concerns raised about the higher fines during public consultations prior to the passing of the bill, as well as by Desmond Choo (Tampines GRC) on Monday.

A NEWSLETTER FOR YOU

Friday, 8.30 am

Asean Business

Business insights centering on South-east Asia's fast-growing economies.

Sign Up

Mr Choo had said that the revised maximum penalty might "artificially" create the impression that penalties under Singapore's data privacy regime are much harsher than those of the country's neighbours, and cause foreign companies to choose other Asian countries over Singapore to set up operations instead. "I would like to assure Members that the PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach," Mr Iswaran said, adding that the raised cap will only take effect a year after the amended Act comes into force.

The bill also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests", so long as these organisations conduct an assessment to eliminate or reduce the risks involved, and ensure the overall benefits outweigh any adverse effects.

Such situations include using personal data to detect anomalies in payment systems to prevent fraud, or the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings.

Mr Iswaran also drew attention to a new provision which allows organisations to notify consumers of a new purpose their personal data will be used for, and to provide a reasonable period for them to opt out.

In such cases, organisations will also have to conduct a risk assessment to ensure that individuals are not adversely affected by the new purpose."For example, a financial institution may want to use voice data as an alternative means to authenticate and verify its customers," Mr Iswaran said."With these amendments, the financial institution can notify its customers of the intended use of their voice data, providing a reasonable opt-out period, and a contact number for customers' queries."

THE STRAITS TIMES