The Personal Data Protection (Amendment) Bill 2020 was passed on 2 November 2020. As compared to when the PDPA first came into force in 2014 giving organisations a generous grace period, the updates to the PDPA have no grace period and require organisations to immediately comply upon its enactment by gazette.
Silvester Legal will explore some of the salient features of the amendments in this issue that will be pertinent to you.
A mandatory obligation to notify individuals and the Personal Data Protection Commission in the event of a data breach.
Organisations must notify the PDPC of any data breach that: (i) results in, or is likely to result in, significant harm to the affected individuals; or (ii) is of a significant scale. Affected individuals must be notified if the data breach is likely to result in significant harm to them.
Once an organisation has credible grounds to believe that a data breach has occurred, the organisation is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA, usually within 30 days.
Enhanced Framework for Collection, Use and Disclosure of Personal Data,
Among other things, the Enhanced Framework introduces two new forms of deemed consent:
- Deemed consent by contractual necessity. Consent is deemed for the disclosure of personal data from one organisation to another for the necessary conclusion or performance of a contract/transaction between the individual and the organisation he had originally provided the personal data to; and
- Deemed consent by notification. Where a notification is in compliance with certain requirements, consent is deemed from an individual’s acquiescence after notification, provided that individual had reasonable opportunity to opt-out.
Exceptions to Obligation to obtain Consent
There are now new exceptions to the express consent requirement under legitimate interests and business improvements.
- “Legitimate interests” generally refer to any lawful interests of an organisation or other person (including other organisations). An organisation need not obtain consent if they have “legitimate interests”. This requires them to articulate the situation or purpose that qualifies as a legitimate interest and conduct assessments to determine that the legitimate interests of the organisation or other person (including other organisations) outweigh any likely residual adverse effect to the individual. Legitimate interests cannot be used to justify sending direct marketing messages.
- “Business Improvements”. Organisations need not obtain consent if they obtain personal data for “Business Improvements” which are any of the following purposes:
- Improving, enhancing or developing new goods or services;
- Improving, enhancing or developing new methods or processes for business operations in relation to the organisations’ goods and services;
- Learning or understanding behaviour and preferences of individuals (including groups of individuals segmented by profile); or
- Identifying goods or services that may be suitable for individuals (including groups of individuals segmented by profile) or personalising or customising any such goods or services for individuals.
However, the Business Improvement exception applies only if the data cannot reasonably be achieved without using the personal data in an individually identifiable form, and is a reasonably appropriate in the circumstances.
New offences will be introduced under the PDPA to hold individuals accountable for egregious mishandling of personal data in the possession of or under the control of an organisation (including a public agency). The offences are for:
- a) Knowing or reckless unauthorised disclosure of personal data;
- b) Knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person; and
- c) Knowing or reckless unauthorised re-identification of anonymised data.
Increased financial penalty
The new bill increases the possible financial penalty of up to 10% of the annual turnover of the organization with an annual turnover exceeding USD10 million, or USD1 million, whichever is higher.
Businesses that make use of personal data may well benefit from the enhanced framework for collection, use and disclosure of personal data and the newly fashioned exceptions to obligations to obtain consent. At the same time, such enhancements should not be treated as carte blanche permissions to send direct marketing messages. Moreover, businesses ought to be more vigilant in their data protection obligations.
Businesses are encouraged to review their internal personal data obligations or their contracts with data intermediaries alongside existing legislation. Let our skilled team of experts provide you employment law services with timely, relevant advice. We offer a broad range of solutions that can be customised to the unique needs of an individual or business. Leave the legal worries to us so that you can focus on your business.
Please note that this article does not constitute express or implied legal advice, whether in whole or in part. If you require legal advice, please contact me at email@example.com.