PARLIAMENT

Update to data law seeks to retain trust, spur innovation

It must protect consumers but also not shackle businesses: Iswaran

Addressing concerns on the higher fines, Communications and Information Minister S. Iswaran assured MPs that the "PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach". PHOTO: GOV.SG

Companies will be penalised more heavily for data breaches while also getting more freedom to use personal data to innovate under changes to Singapore's data protection laws passed in Parliament yesterday.

This tension between keeping consumers' trust high and supporting data use for innovation was acknowledged by Communications and Information Minister S. Iswaran during the debate on changes to the Personal Data Protection Act.

"It's important that we first recognise that this is a delicate and dynamic balance. It's delicate because if we overcorrect in one direction, consumers may not retain their confidence and trust in the system," Mr Iswaran said.

"If we swing the other way, then we shackle our businesses and the very benefits that we seek to create for our consumers, for our economy will diminish."

A key change in the law increases the maximum amount that a company can be fined for a data breach to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.

Currently, the maximum a company can be fined for a data breach is $1 million.

Organisations are now also required by law to inform both the Personal Data Protection Commission (PDPC) and affected individuals of data breaches that result in or are likely to result in significant harm.

Mr Iswaran addressed concerns raised about the higher fines during public consultations prior to the passing of the Bill, as well as by Mr Desmond Choo (Tampines GRC) yesterday.

Mr Choo had said that the revised maximum penalty might "artificially" create the impression that penalties under Singapore's data privacy regime are much harsher than those of the country's neighbours, and cause foreign companies to choose other Asian countries over Singapore to set up operations instead.

"I would like to assure Members that the PDPC will ensure that financial penalties imposed are proportionate to the severity of the data breach," Mr Iswaran said, adding that the raised cap will take effect only a year after the amended Act comes into force.

The Bill also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests", so long as the organisations conduct an assessment to eliminate or reduce the risks involved, and ensure the overall benefits outweigh any adverse effects.

Such situations include using personal data to detect anomalies in payment systems to prevent fraud, or the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings.

Mr Iswaran also drew attention to a new provision which allows organisations to notify consumers of a new purpose their personal data will be used for, and to provide a reasonable period for them to opt out.

In such cases, organisations will also have to conduct a risk assessment to ensure that individuals are not adversely affected by the new purpose.

"For example, a financial institution may want to use voice data as an alternative means to authenticate and verify its customers," Mr Iswaran said.

"With these amendments, the financial institution can notify its customers of the intended use of their voice data, providing a reasonable opt-out period, and a contact number for customers' queries."

A version of this article appeared in the print edition of The Straits Times on November 03, 2020, with the headline Update to data law seeks to retain trust, spur innovation.