According to a joint press release by the Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC), the MCI and PDPC have launched an online public consultation on the proposed amendments to the Personal Data Protection Act (PDPA) and related amendments to the Spam Control Act (SCA). The objective behind this consultation is apparently “to strengthen public trust, enhance business competitiveness, and provide greater organisational accountability and assurance to consumers, in support of Singapore’s Digital Economy.”
The PDPA is a fairly new piece of legislation, enacted only in 2012. One might argue that at just 8 years old, it is still relevant and not in need of amendment yet. However, according to the MCI and PDPC, this review is necessary to ensure that the PDPA “continues to keep pace with technological advances, new business models and global developments in data protection legislation.”
While some of the proposed changes are unremarkable, a few of the proposals do spark some concern and require further examination.
For example, one of the proposed amendments calls for the introduction of a mandatory breach notification requirement. If passed, it will be mandatory for organisations to notify the PDPC of a data breach that (i) results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by the breach relates (“affected individuals”); or (ii) is of a significant scale. Organisations will also be required to notify the affected individuals if the data breach is likely to result in significant harm to them.
Taking the SingHealth data breach, which affected the data of 1.5 million people including that of Prime Minister Lee Hsien Loong, as an example, there is logic behind this amendment. However, what would constitute “significant”? If I am an “affected individual”, my idea of what constitutes “significant” might well be different from how an organisation will construe it. Will I end up falling through the cracks?
Secondly, the proposals ask for the concept of “deemed consent” to be expanded to cover circumstances where: (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt out, and have not opted out.
This sparks grave concerns. Shouldn’t it be “opt in” instead of “opt out”? If you are trying to protect data, surely I should have to proactively opt in for my data to be collected rather than opt out? If you are trying to collect my data, the onus should be on the collector to ask for permission, not vice versa! Besides, it is imperative to remember that not everyone is savvy enough to “opt out”. If passed, this could end up unfairly penalising people for not being savvy enough to know that they have to “opt out”. One’s data is not less private just because one is not savvy enough to know how or when to “opt out”.
Even more disturbing is the introduction of new exceptions to the collection of personal data: that of personal data collected to facilitate legitimate interests and business improvement.
In other words, if your data is collected “to cater to situations where there are larger public or systemic benefits where obtaining individuals’ consent may not be appropriate, organisations will be able to collect, use or disclose personal data for legitimate interests.” Organisations would even be able to use personal data, once properly collected, for business improvement purposes.
Who deems what constitutes “legitimate interests and business development”? Who decides what constitutes “larger or systemic benefits”? Who is the arbiter of appropriateness? This could open the door to arbitrary abuse of personal data if it is used to boost the coffers of organisations under the guise of “legitimate interests and business development”.
The proposal to give the PDPC the additional power to require “any person whom the Commission or inspector reasonably believes has any information, or any document in the person’s custody or control, that is relevant to the investigation, to furnish that information or document, within the time and manner specified in the written notice” and furthermore to mandate “any person within the limits of Singapore, who appears to be acquainted with the facts or circumstances of the matter, to attend before the commission or inspector” is alarming in that it may have the effect of disincentivising whistleblowers from speaking up. Ensuring objectivity in this framework may also be problematic.
Once again, how is “reasonably believes” defined and interpreted? What about genuine whistleblowers who may wish to remain anonymous out of fear for their personal well-being if they were forced out into the open? For example, a publication may be forced to reveal its records and communications if the inspector “suspects” that the information published came from a leaked document rather than from the person who provided the information anonymously.
These proposed measures, if passed, could end up penalising the individual in favour of the organisation, especially when the balance of power is already so heavily weighted in favour of the organisation.
The PDPC, which will be policing this, has at its helm Tan Kiat How, Leong Keng Thai and Yeong Zee Kin.
Tan Kiat How is both the Chief Executive of the Info-communications Media Development Authority (IMDA) and the Commissioner of the Personal Data Protection Commission (PDPC) while Leong Keng Thai is the Deputy Chief Executive of the IMDA. Given that the IMDA has been criticised for being biased, will this affect the PDPC?
Yeong Zee Kin appears to be a civil servant, which in the Singaporean context can be considered by some to mean being affiliated with the government in Singapore. Could this create the appearance that data might be misused by the government?
Data is such a precious commodity in the digital age. If these amendments are too widely drafted or too arbitrarily applied, data could be misused to suit the narrative of those who possess power.
Will this achieve the objective of “strengthening public trust”? Will the amendments lead to better protection of personal data, or could they unwittingly create loopholes for such data to be legally misused?