Last Thursday (14 May 2020), #MCI and #PDPC released a public consultation paper on proposed amendments to the #PDPA. These proposed amendments are important as they are the first comprehensive revision of the Act since it was enacted in 2012. #PDPC also conducted public consultations on the mandatory notification and data portability obligations last year.
There are 4 key areas of the proposed amendments:
1. Strengthen Accountability.
#PDPC has been emphasising that organisations should be more accountable for protecting personal data. The accountability obligation will be made explicit. This is a good move. It will make organisations sit up and pay attention to the #PDPA, and it will make #DPOs more responsible too.
- Mandatory Notification Obligation. Organisations will be subject to a more stringent accountability requirement with the proposed mandatory Data Breach Notification. Organisations will need to notify PDPC within 72 hours (ie. 3 calendar days) of determining that a “significant” data breach has happened. Three calendar days is a very short period. This mandatory notification obligation will raise the importance of the data breach management plan.
- Organisations acting on behalf of public agencies are no longer exempt from the PDPA.
- Individuals (other than public officers) can be held accountable under the PDPA too. Individuals found to have mishandled personal data in an egregious (ie. shockingly bad) manner could be criminally liable and fined up to $5,000, jailed for up to 2 years, or both.
2. Enable meaningful consent. Basically, this expands the scope of deemed consent and exemptions. This is pro-business as it makes it easier for organisations to obtain consent and to use and disclose data.
3. Greater consumer autonomy. With the new Data Portability obligation, individuals will be able to request that a copy of their personal data be transferred to another organisation. An analogy would be mobile number portability across the telcos. This obligation will increase competitiveness by levelling the playing field for new entrants, because it becomes easier for consumers to switch to new service providers. This will encourage innovation and nurture a vibrant digital economy.
4. Strengthen effectiveness of enforcement.
Higher financial penalty cap. Yes, it is timely to raise the financial penalty limit from S$1 million to 10% of annual turnover, whichever is higher.
While almost all eyeballs are fixated on the financial penalty cap, I feel that other proposed amendments in this section have a more profound impact on the way complaints, investigations and enforcement will be handled in the future.
First, it will be an offence not to cooperate with the #PDPC.
Second, the #PDPC will have more flexibility in meting out judgements through statutory undertakings.
Third, and this will really change the way dispute resolution and enforcement work going forward, the #PDPC may direct data privacy disputes to be resolved via mediation. The #PDPC found that it could not cope with the increasing number of data breach complaints. With the mediation scheme, the #PDPC can direct all parties to a mediation process. If an individual does not agree to mediation, he may have to resolve the matter on his own, e.g. through the courts. To me, this is bad news for the Davids (individuals) among us who need to deal with the Goliaths (organisations).