SINGAPORE – Businesses will be penalized more severely for data breaches while at the same time having more freedom to use personal data to innovate under changes to Singapore’s data protection laws passed in Parliament on Monday (November 2).
This tension between keeping consumer confidence high and supporting the use of data for innovation was recognized by the Minister of Communications and Information S. Iswaran during the debate on changes to the Personal Data Protection Act (PDPA). It was also the subject of rigorous debate among the deputies.
“Consumers must be confident that their personal data will be safe and used responsibly … (and) organizations need certainty to use personal data for legitimate purposes, with the necessary guarantees and responsibility,” said Mr. Iswaran.
“The proposed amendments to the (bill) seek to achieve this balance.”
A key change in the bill increases the maximum amount by which a company can be fined for a data breach to 10 percent of its annual turnover in Singapore or $1 million, whichever is greater.
Currently, the maximum amount that a business can be fined for a data breach is $1 million.
Organizations are now also required by law to inform both the Personal Data Protection Commission (PDPC) and affected individuals about data breaches that result or may result in significant harm.
Mr. Iswaran addressed concerns raised by the higher fines during public consultations prior to the bill’s passage, as well as by Mr. Desmond Choo (Tampines GRC) on Monday.
Choo had said the revised maximum penalty could “artificially” create the impression that sanctions under Singapore’s data privacy regime are much harsher than those of the country’s neighbors, and cause foreign companies to choose other Asian countries rather than Singapore to establish operations.
“I would like to assure members that the PDPC will ensure that the financial penalties imposed are commensurate with the severity of the data breach,” Iswaran said, adding that the raised cap will take effect only one year after the amended law enters into force.
The bill also allows organizations to collect, use or disclose personal data without the consent of individuals in circumstances classified as “legitimate interests”, provided that these organizations conduct an assessment to eliminate or reduce the risks involved and ensure that the overall benefits outweigh any adverse effects.
Such situations include the use of personal data to detect anomalies in payment systems to prevent fraud, or data from security cameras or other Internet of Things devices to aid in investigations or legal proceedings.
Mr. Iswaran also drew attention to a new provision that allows organizations to notify consumers of a new purpose for which their personal data will be used and to provide a reasonable period for them to opt out.
In such cases, organizations will also have to conduct a risk assessment to ensure that people are not negatively affected by the new purpose.
“For example, a financial institution may want to use voice data as an alternative means of authenticating and verifying its customers,” Iswaran said.
“With these amendments, the financial institution can notify its customers of the intended use of their voice data, providing a reasonable exclusion period and a contact number for customer inquiries.”