SINGAPORE - MPs raised a host of concerns during the debate on changes to the Personal Data Protection Act (PDPA) on Monday (Nov 2), centring on how to strike a balance between protecting consumers' personal data and enabling the innovative use of such data by businesses.
Many cited the recent data breaches that involved 1.1 million RedMart users and 2.8 million Eatigo users. Here are some of the key points highlighted.
The revised PDPA expands the list of legitimate interests when using personal data for which companies either do not need to seek consent or are deemed to have obtained consent.
Ms Jessica Tan (East Coast GRC), Mr Louis Chua (Sengkang GRC) and Ms Tin Pei Ling (MacPherson) were among those who were worried if these new exceptions would erode consumer protection and trust.
"There must be measures to ensure that individuals fully understand that they are deemed to have given their consent for the use of their personal data," said Ms Tan. "At the end of the day, what's important is consumer trust."
In response, Communications and Information Minister S. Iswaran pointed to how consumers can opt out at any time if they want to. He added that to qualify for these exception, organisations must also do a risk assessment and be satisfied the overall benefits outweigh any adverse effects to consumers.
Mr Desmond Choo (Tampines GRC) and Mr Leon Perera (Aljunied GRC) asked if a right to erasure could be included, allowing consumers to request that companies delete their personal data.
"Such an obligation (to delete data on request) seems to me to be not overly onerous on businesses," Mr Perera said, noting the right to erasure is provided for in the European Union's General Data Protection Regulation (GDPR).
Mr Iswaran noted the PDPA now allows consumers to ask companies to stop collecting, using or disclosing their personal data, and the Personal Data Protection Commission (PDPC) can also direct companies to destroy data collected in contravention of the law.
"So, we have the provisions. They are not identical to the right of erasure, but they give a substantially similar effect," he added.
3. 'Do not call' provision
Ms Tin Pei Ling asked if the fact that contraventions of Do Not Call (DNC) provisions under the PDPA will now be dealt with as civil, instead of criminal, proceedings in court could be perceived as a "step down" and diminish the importance of personal data protection.
Mr Iswaran said that, on the contrary, enforcement of DNC contraventions would be more effective under a civil administrative regime. "DNC infringements typically stem from commercial motives. Hence, directions and financial penalties are more effective in addressing poor practices by depriving offenders of financial gains," he added.
4. Data breach threshold
Mr Shawn Huang (Jurong GRC) asked what constitutes a data breach of significant scale or harm under the revised PDPA, for which mandatory notification is needed.
Mr Iswaran said the threshold for a data breach of significant scale is 500 individuals, and cited that examples of significant harm would be identity theft or fraud from the leakage of full names or confidential financial information.
Ms Joan Pereira (Tanjong Pagar GRC) suggested that it be made mandatory for companies to notify the PDPC of all data breaches, and to subject companies to a clear deadline for informing individuals.
Mr Iswaran said: "Such a threshold for notification is important, but we also have to take into account the compliance costs on organisations... So we have not set a fixed time frame."
Mr Patrick Tay (Pioneer) asked Mr Iswaran to elaborate on the removal of exclusion for private organisations acting on behalf of the Government, putting such organisations under the PDPA ambit.
Mr Iswaran replied: "This makes it clear that the PDPA applies to all private organisations.
"Currently, the exclusion... has created a situation where the Government can only hold (such agents) to account by contracts or laws like the Official Secrets Act, (and this) can undermine security as they may handle large and sensitive volumes of personal data."
6. Public sector data
Senior Minister of State for Communications and Information Janil Puthucheary and Mr Gerald Giam (Aljunied GRC) crossed swords on the subject of data security standards in the public and private sectors.
The PDPA does not apply to public sector agencies, which are instead subject to a different set of laws under the Public Sector (Governance) Act.
Mr Giam called for the Government to hold itself to the same level of data privacy standards, procedures and accountability that it expects of private sector companies.
In response, Dr Janil said the separation of the public and private sector data protection regimes in Singapore remains relevant.
"It remains necessary for us to keep achieving the outcomes that we want to achieve in terms of good policy, responsiveness to citizens, operating as one government," he said.