Parliament: Heavier fines for data breaches, more support for legitimate business uses of data under amended PDPA

In the event of a data breach, a company can be fined up to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.

SINGAPORE - Companies will be penalised more heavily for data breaches while also getting more freedom to use personal data to innovate under changes to Singapore's data protection laws passed in Parliament on Monday (Nov 2).

This tension between keeping consumers' trust high and supporting data use for innovation was acknowledged by Communications and Information Minister S. Iswaran during the debate on changes to the Personal Data Protection Act (PDPA). It was also the subject of rigorous debate between MPs.

"Consumers must have the confidence that their personal data will be secure and used responsibly... (and) organisations need certainty to harness personal data for legitimate purposes, with the requisite safeguards and accountability," said Mr Iswaran.

"The proposed amendments to the (Bill) seek to strike this balance."

A key change in the Bill increases the maximum amount that a company can be fined for a data breach to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.

Currently, the maximum a company can be fined for a data breach is $1 million.

Organisations are now also required by law to inform both the Personal Data Protection Commission (PDPC) and affected individuals of data breaches that result in or are likely to result in significant harm.

Mr Iswaran addressed concerns raised about the higher fines during public consultations prior to the passing of the Bill, as well as by Mr Desmond Choo (Tampines GRC) on Monday.

Mr Choo had said that the revised maximum penalty might "artificially" create the impression that penalties under Singapore's data privacy regime are much harsher than those of the country's neighbours, and cause foreign companies to choose other Asian countries over Singapore to set up operations instead.

"I would like to assure Members that the PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach," Mr Iswaran said, adding that the raised cap will take effect only a year after the amended Act comes into force.

The Bill also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests", so long as these organisations conduct an assessment to eliminate or reduce the risks involved, and ensure the overall benefits outweigh any adverse effects.

Such situations include using personal data to detect anomalies in payment systems to prevent fraud, or using data from security cameras or other Internet of Things devices to help in investigations or legal proceedings.


Mr Iswaran also drew attention to a new provision which allows organisations to notify consumers of a new purpose their personal data will be used for, and to provide a reasonable period for them to opt out.

In such cases, organisations will also have to conduct a risk assessment to ensure that individuals are not adversely affected by the new purpose.

"For example, a financial institution may want to use voice data as an alternative means to authenticate and verify its customers," Mr Iswaran said.

"With these amendments, the financial institution can notify its customers of the intended use of their voice data, providing a reasonable opt-out period, and a contact number for customers' queries."
