Singapore’s mandatory breach notification regime is now in force
From 1 February 2021, most of the amendments made by the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) to the Personal Data Protection Act 2012 are in force. The amendments update Singapore's regulatory framework and seek to balance economic needs with the protection of consumers' data rights.
The amendments have four primary aims:
Strengthening consumer trust through organisational accountability;
Ensuring the effectiveness of enforcement;
Enhancing consumer autonomy; and
Supporting data use for innovation.
Some key sections, including those covering data portability and the increase in the amounts of fines, are not yet in force but we expect that they will be implemented this year.
Some of the key amendments include:
Mandatory data breach notification
The amendments introduce a mandatory requirement to notify the Personal Data Protection Commission (PDPC) when a notifiable data breach occurs. These provisions are now in force, together with the Personal Data Protection (Notification of Data Breaches) Regulations 2021, which set the thresholds described below.
A breach is notifiable on either of two independent grounds. The first is significant scale: the regulations set this at a breach that affects 500 or more individuals. For the avoidance of doubt, if an organisation is unable to determine the actual number of individuals affected but believes that it is at least 500, the organisation should still notify the PDPC and subsequently update the PDPC once the actual number has been determined.
The second ground is significant harm: organisations must notify both the PDPC and the affected individuals when a breach results, or is likely to result, in significant harm to those individuals, regardless of how many people are affected. This includes breaches in which passwords, an individual's full name or alias, identification number, wage information, credit card details, or banking and financial details are obtained. Once an organisation has assessed that a breach is notifiable, notification to the PDPC must be made within three calendar days.
Statutory undertakings
The amendments allow the PDPC to accept written voluntary undertakings from organisations to remedy breaches and prevent their recurrence, in lieu of a full investigation.
Alternative dispute resolution schemes
The amendments empower the PDPC to establish dispute resolution schemes for customer complaints. The PDPC may also direct complainants and organisations to attempt to resolve disputes through compulsory mediation.
Strengthened enforcement powers for the PDPC
The PDPC can now require an individual or employee to give statements and produce documents relevant to its investigations.
Increased financial penalty cap for organisations
The maximum financial penalty for data protection breaches will be increased to 10% of an organisation's annual turnover in Singapore or S$1 million, whichever is higher. The increased penalty cap has not yet commenced, and no commencement date has been confirmed.
Data Portability Obligation
Under the Personal Data Protection Act 2012 (No. 26 of 2012), individuals can access their personal data and request corrections or a copy of it. The amendments extend this right by introducing a data portability obligation, enabling individuals to request that a copy of their data be transmitted to another organisation. The data portability provisions are not yet in force.
Deemed consent for contractual performance
The amendments expand deemed consent to allow personal data to be passed from an organisation to successive layers of contractors in order to fulfil the contract with its customer.
Deemed consent by notification
Under these provisions, organisations may notify their customers of a new purpose and provide a reasonable period for them to opt out. Before doing so, the organisation must conduct a risk assessment and conclude that collecting, using or disclosing personal data for that purpose is not likely to have an adverse effect on the individual.
For example, a bank wants to use voice authentication to verify its customers using telephone banking. The bank can now notify its customers of its intention, provide a reasonable opt-out period, and give a contact number for customers' queries.
New exceptions to consent
The amendments contain new exceptions to consent:
Legitimate interests exception: To rely on this exception, organisations must be satisfied that the overall benefit outweighs any residual adverse effect on the individual, and must disclose that they are relying on it. One potential use is the prevention of fraud or money laundering.
For example, an insurance company could seek to use the exception to use data about its customers’ past insurance claims for fraud detection and prevention. The benefits of preventing fraud might outweigh any adverse effect on the individual.
Business improvement exception: The amendments clarify that organisations may use personal data for business improvement purposes, including improving operational efficiency and services, developing or enhancing products or services, and understanding the organisation's customers. As a safeguard, this exception can only be relied upon for purposes that a reasonable person would consider appropriate in the circumstances and that cannot reasonably be achieved without using personal data.
For example, a bank could use personal data to build a credit risk model that reduces the time taken to assess and approve loan applications.
Research and development exception: The amendments revised the current research exception to support commercial research and development not immediately directed at productisation.
For example, a company could use the exception to conduct market research to identify and understand potential customer segments.
Impact on Insurers
We expect the amendments to raise demand for cyber insurance in Singapore. The combination of the PDPC's enforcement approach, mandatory breach notification and the significant increase in the maximum fine means that we are likely to see more investigations and higher fines, which may prompt organisations to review their insurance cover.
Insurability of Fines and Penalties
It is currently an open question in Singapore whether, and to what extent, fines and penalties are insurable. The question has yet to come before the Singapore courts. Given the close affinity between Singapore law and English law, especially in insurance law, the English case law on this point may be instructive. Whether a fine or penalty is insurable may depend on the degree of moral turpitude or moral reprehensibility involved in the particular case.
Silent Cyber Risks
The risk of increased regulatory investigations and prosecutions may trigger "silent cyber" exposure in financial lines products such as management liability policies. Again, the insurability of fines and penalties in Singapore may affect the severity of these losses; if fines are not insurable, an investigation would only result in increased defence costs.
Fraud Detection
The legitimate interests and business improvement exceptions should allow insurers and third-party providers to share personal data more easily and to build better fraud detection systems.
Data Portability
Data portability has the potential to increase competition between insurers. The amendments should make it more convenient for customers to shop for insurance without re-entering their data. It will also give insurers access to larger and more diverse data sets, which could support more customised products for insureds.
By Thomas Choo and Nicholas Sykes