[ad_1]
SINGAPORE: Parliament passed changes to the Personal Data Protection Act (PDPA) on Monday (Nov 2), including an amendment allowing organizations to use data without consent in more cases, as well as tougher penalties for data breaches .
Under the PDPA’s “exceptions to the consent requirement”, organizations can now use, collect or disclose data for legitimate interests, business enhancements and broader research and development, Communications and Information Minister S Iswaran told Parliament earlier. the bill was approved.
This includes preventing fraud, improving products, or conducting market research to understand potential customer segments. Current consent exceptions include investigations and emergency response.
The amended PDPA will also allow organizations to share data with different contractors to fulfill contracts under “presumed consent,” including consent by notification.
Iswaran said these changes “accommodate modern trade agreements and essential purposes such as security, and support business innovation.”
But some members of Parliament on both sides of the aisle raised concerns about the changes, arguing that they favored organizations over people or that they could lead to unintended or uninformed consent.
Iswaran said using data under consent or presumptive consent exceptions will come with safeguards, including clear limits on how the data can be used and getting organizations to conduct risk assessments.
“Currently, the PDPA recognizes the need for organizations to use personal data for legitimate purposes and accommodates it through exceptions to the consent requirement, or as presumed consent,” he said.
“For all other purposes, organizations must obtain the consent of the individual.”
When it comes to sending direct marketing messages, organizations must still obtain express consent, he added.
STRONGER SANCTIONS
The modified PDPA also comes with stiffer penalties for data breaches and requires organizations to report breaches of a certain scale and severity to the Personal Data Protection Commission (PDPC).
Companies with an annual turnover in excess of S $ 10 million can now be fined up to 10 per cent of their annual turnover in Singapore. The maximum fine was previously S $ 1 million.
While MPs generally welcomed these changes, they questioned the consent-related amendments.
Under alleged consent by notification, Workers’ Party deputy Louis Chua noted that organizations can now collect personal data as long as they have taken “reasonable” steps to inform people and ensure that it is not likely to have an “adverse effect.” about them.
“This system reduces the power of individuals in relation to organizations that have the power to determine whether their collection, use and disclosure of personal data has any adverse effect on individuals,” said Sengkang GRC MP.
Regarding consent exceptions, Tampines GRC MP Desmond Choo noted that “legitimate interests” are viewed from an organization’s perspective.
“This inadvertently encompasses a subjective determination by the organization when assessing whether its legitimate interests outweigh the possible adverse effects on an individual,” he said.
LEGITIMATE INTERESTS
Iswaran said organizations can use data without consent for legitimate interests such as detecting anomalies in payment systems to prevent fraud or money laundering.
“To rely on this exception, organizations must conduct an assessment to eliminate or reduce the risks associated with the collection, use or disclosure of personal data, and they must be satisfied that the overall benefit of doing so outweighs any residual adverse effects on An individual”. he said.
“To ensure transparency, organizations must disclose when they are relying on this exception.”
Iswaran said the PDPC can require organizations to produce these assessments for review.
“It will also issue detailed guidance on the legitimate interest exception and how to identify the adverse effect, which generally refers to any physical harm, harassment, serious alarm or distress to an individual,” he added.
BUSINESS IMPROVEMENT
Organizations can also use the data without consent for business improvement purposes, including operational efficiency and service improvements, product or service development or improvement, and knowledge of the organizations’ customers, Iswaran said.
“As a safeguard, this exception can be relied upon only for purposes that a reasonable person may consider appropriate in the circumstances, and where the purpose cannot be achieved without the use of personal data,” he said.
Mr. Iswaran noted that companies have requested that this exception also apply to entities within a group, as they can consolidate corporate or managerial functions, or concentrate research and development expertise in a single unit that supports the entire group.
As such, the amended PDPA allows related corporations to collect and disclose personal data among themselves for the same purposes, but with“Clearly defined boundaries,” said the minister.
“The bill provides additional safeguards for intra-group exchange by requiring related corporations to be bound by a binding contract, agreement or corporate rules to implement and maintain adequate safeguards for personal data,” he added.
INVESTIGATION AND DEVELOPMENT
Organizations can also use data without consent to support commercial research and development that is not immediately directed towards production, Iswaran said.
“This could apply to research institutes conducting scientific research and development, educational institutes engaging in social science research, and organizations conducting market research to identify and understand potential customer segments,” he said.
This will come with safeguards similar to the data used under the business improvement exception, he added.
CONSIDERED CONSENT FOR CONTRACT EXECUTION
Regarding the performance of contracts under presumed consent, Mr. Iswaran said that multiple levels of contracting and subcontracting are common in modern business agreements.
One scenario would be when a customer provides their address when ordering an item from an online retailer. The online retailer will now be able to share your address with other logistics partners through presumed consent so that the item can be delivered successfully.
“Fundamentally, organizations that rely on presumed consent for contractual necessity can only collect, use and disclose personal data when it is reasonably necessary to fulfill the contract with the individual,” Iswaran said.
Additionally, the amended PDPA has expanded the presumptive consent regime to include notification.
“Under this provision, organizations can notify their clients of the new purpose and provide them with a reasonable period to exclude themselves,” Iswaran said.
“Before doing so, organizations should conduct a risk assessment and conclude that the collection, use or disclosure of personal data in this manner is unlikely to have an adverse effect on the individual.”
People can withdraw their consent even after the exclusion period, he added.
Ultimately, Iswaran believes that the PDPA amendments will strengthen consumer confidence with greater responsibility for the protection of personal data.
“It will give greater certainty for organizations to use data for legitimate business purposes with the necessary safeguards, and will ultimately enhance Singapore’s status as a major node in the global network of digital data flows and transactions,” he said.