Proposed amendments to singapore’s personal data protection act 2012 and spam control act


INTRODUCTION

As Singapore’s digital landscape continues to evolve, technological innovations and cybersecurity breaches are posing challenges to its consent-based approach to data protection. On one hand, organisations are collecting large volumes of data and it is becoming increasingly unfeasible to obtain the consent of individuals for each instance of data collection and each new business purpose. On the other hand, individuals are unable to provide meaningful consent as their decisions may not fully take account of the systemic risks or benefits of data collection. It is under these circumstances that the Personal Data Protection Commission (PDPC) and the Ministry of Communications and Information (MCI) have decided to review Singapore’s Personal Data Protection Act 2012 (PDPA) and to propose a shift towards an accountability-based approach to data protection. This article aims to discuss and summarise certain proposed amendments to the PDPA and the Spam Control Act, based on the public consultation paper issued by the PDPC and MCI on 14 May 2020.

CONSENT OBLIGATION

_EXCEPTIONS TO THE CONSENT OBLIGATION_

Currently, the Second, Third and Fourth Schedules of the PDPA provide several exceptions to the consent obligation for collecting, using and disclosing personal data. Under the proposed amendments, these schedules are consolidated and simplified, with the proposed addition of two new “business-friendly” exceptions:

* LEGITIMATE INTERESTS EXCEPTION: Organisations may collect, use or disclose personal data without consent in circumstances where it is in the legitimate interests of the organisation and the benefit to the public is greater than any adverse effect on the individual. Some examples of legitimate interests include preventing illegal activities (_e.g._, fraud and money laundering) or threats to safety and security, ensuring IT and network security, and preventing misuse of services; and
* BUSINESS IMPROVEMENT EXCEPTION: Organisations may use personal data without consent for business improvement purposes, such as (i) to increase operational efficiency; (ii) to develop or improve products/services; and (iii) to know more about the organisation’s customers.

_EXPANDED DEEMED CONSENT_

Section 15 of the PDPA currently provides that an individual is deemed to have consented to the collection, use and disclosure of his/her personal data if the individual voluntarily provides the personal data to the organisation and it is reasonable to do so. It is proposed that deemed consent will be expanded to include:

* DEEMED CONSENT BY CONTRACTUAL NECESSITY: Consent is deemed to be given where it is necessary for the closing or performance of a contract or transaction; and
* DEEMED CONSENT BY NOTIFICATION: Consent is deemed to be given if the organisation provides appropriate notification to the individual of its purpose of collection, use or disclosure of the personal data, with a reasonable period for the individual to opt out, and the individual did not do so.

Organisations will need to assess and ensure that the intended collection, use and disclosure of personal data will not have any adverse effect on the individual.

DATA PORTABILITY OBLIGATION

It is proposed that organisations must be able to provide an individual’s personal data that is in their possession or control to another organisation in a machine-readable format when requested by an individual who has an existing and direct relationship with the organisation. The data portability obligation is, however, limited in scope to (i) receiving organisations that are either formed or recognised under the law of Singapore or have a place of business in Singapore and (ii) user-provided data and user activity data that is held in electronic form. Personal data about an individual that is derived by an organisation in the course of business from other personal data is excluded from the data portability obligation.

Exceptions to the data portability obligation will be similar to those set out in the Fifth Schedule of the PDPA. In the event an organisation declines a data porting request, it must notify the individual of its reasons within a reasonable time. The PDPC may review an organisation’s refusal to port data and can direct an organisation to do so. In any event, organisations will be required to preserve the personal data (or a copy thereof) that is requested by an individual for (i) at least 30 days after declining the request or (ii) until the individual has exhausted his/her right to review/appeal to the PDPC, Data Protection Appeal Committee, High Court or Court of Appeal, whichever is later.

MANDATORY DATA BREACH NOTIFICATION

_NOTIFICATION REQUIREMENT_

It is proposed that organisations are required to NOTIFY THE PDPC of a data breach that (i) results or is likely to result in significant harm to the individuals to whom the data breach relates, or (ii) is of a significant scale (_i.e._, affecting more than 500 individuals). Organisations are also required to NOTIFY AFFECTED INDIVIDUALS of a data breach if it results or is likely to result in significant harm to them. Prescribed categories of personal data (_e.g._, identification numbers, credit/debit card numbers, medical history information, etc.) which are compromised in a data breach will be deemed “likely to be regarded as significant harm.” Organisations must notify both the PDPC and the affected individuals as soon as practicable; however, the PDPC must be notified _BEFORE_ or at the same time as affected individuals, and in any event _NO LATER THAN THREE DAYS_ after the day the organisation makes an assessment of a notifiable breach.

_EXCEPTIONS TO THE NOTIFICATION REQUIREMENT_

There are certain exceptions to the requirement to notify individuals:

* REMEDIAL ACTION EXCEPTION: Organisations that have taken remedial actions such that the data breach is unlikely to result in significant harm to the affected individuals;
* TECHNOLOGICAL PROTECTION EXCEPTION: Organisations that have taken security measures (_e.g._, encryption that is of a reasonable security standard) such that the data breach is unlikely to result in significant harm to the affected individuals; and
* PERMITTED AUTHORITY EXCEPTION: Organisations that are instructed by a prescribed law enforcement agency or directed by the PDPC not to notify any affected individuals.

NEW OFFENCES AND ENFORCEMENT MECHANISMS

_EGREGIOUS MISHANDLING OF PERSONAL DATA_

It is proposed that organisations may be liable for the actions of their employees (excluding public officers) who, in the course of their employment, egregiously mishandle personal data in the possession of or under the control of the organisation. Some of these offences include:

* Knowing or reckless unauthorised disclosure of personal data;
* Knowing or reckless unauthorised use of personal data for a wrongful gain or a wrongful loss to any person; and
* Knowing or reckless unauthorised reidentification of anonymised data.

_INCREASED FINANCIAL PENALTIES_

The proposed amendments aim to increase the maximum financial penalty for data breaches under Section 29(2)(d) of the PDPA to (i) up to 10 percent of an organisation’s annual gross turnover in Singapore where such organisation has an annual turnover exceeding S$10 million; or (ii) in all other cases, S$1 million.

_ATTENDANCE FOR INVESTIGATION_

The proposed amendments introduce an offence for persons who (i) fail to comply with an order to appear before a PDPC inspector and provide their statements in connection with an investigation; or (ii) fail to provide any document or information as required under paragraph 1(1) of the Ninth Schedule to the PDPA.

_REFERRALS TO MEDIATION_

The proposed amendments will provide the PDPC with the power to direct data protection complainants to resolve disputes via mediation, as well as the power to establish or approve such mediation schemes.

IMPROVED CONTROLS FOR UNSOLICITED MESSAGES

It is proposed that the do-not-call provisions in the PDPA will be extended to prohibit the sending of messages to telephone numbers obtained through the use of dictionary attacks or address-harvesting software. It is also proposed that the Spam Control Act will be amended to prohibit unsolicited commercial messages sent to instant messaging accounts, such as WhatsApp, WeChat and Telegram.

ALIGNMENT WITH GDPR?

The proposed amendments, and in particular the move towards a risk-based approach to data protection, help to align the PDPA more closely with the provisions of the European Union’s General Data Protection Regulation (GDPR). For instance, the proposed revenue-based financial penalty cap (see _“New Offences and Enforcement Mechanisms”_ above) imposed on organisations that violate the PDPA closely follows that of the penalties under Article 83 of the GDPR. Also, the proposed data portability obligation on organisations (see _“Data Portability Obligation”_ above) provides rights to individuals similar to those under Article 20 of the GDPR. Generally, data portability would apply to personal data provided by an individual to an organisation as well as to personal data that is gathered by organisations from an individual’s activities, such as browsing history, cookies, or traffic and location data. However, it is important to highlight that an individual’s right to data portability under Article 20 of the GDPR _MAY BE LIMITED TO PERSONAL DATA WHERE PROCESSING IS BASED ON THE GROUNDS OF AN INDIVIDUAL’S CONSENT OR FOR THE PERFORMANCE OF A CONTRACT._ In contrast, the proposed data portability obligation under the PDPA _DOES NOT APPEAR TO BE LINKED TO THE CONSENT OBLIGATION_, and therefore user-provided data and user activity data that is held in electronic form may be available for data portability.

In addition, the proposed legitimate interests exception to the consent obligation under the PDPA also appears to be a concept borrowed from Article 6(1)(f) of the GDPR. However, it is important to highlight that this exception differs substantially from the GDPR. In particular, Article 6(1)(f) of the GDPR requires the controller (_i.e._, the organisation) to conduct an assessment of whether the legitimate interests pursued by the controller or by a third party are overridden by the _INTERESTS OR FUNDAMENTAL RIGHTS AND FREEDOMS OF THE DATA SUBJECT_ (_i.e._, the individual) which require protection of personal data. In contrast, the proposed legitimate interests exception requires an organisation to conduct an assessment of whether _THE BENEFIT TO THE PUBLIC IS GREATER THAN ANY ADVERSE EFFECT ON THE INDIVIDUAL_. In other words, the exception would only apply where there are public and systemic advantages. This may be beneficial for government or publicly driven measures (such as contact-tracing applications during COVID-19 or anti-money laundering monitoring measures); however, its utility for private organisations may be limited in scope.

CONCLUDING THOUGHTS

The proposed amendments seem to be more stringent with the new enforcement measures, and they place increasing responsibility on organisations. In light of the foregoing, organisations should be aware of the implications of the proposed amendments as they are considered and finalised by the MCI and the PDPC, in order to determine the best approach towards continued data protection compliance.

_THE OPINIONS EXPRESSED IN THIS ARTICLE ARE MY OWN AND DO NOT REPRESENT THE OPINIONS OF MY EMPLOYER. THIS ARTICLE DOES NOT CONSTITUTE LEGAL ADVICE OR A LEGAL OPINION ON ANY MATTER DISCUSSED AND, ACCORDINGLY, IT SHOULD NOT BE RELIED UPON. IT SHOULD NOT BE REGARDED AS A COMPREHENSIVE STATEMENT OF THE LAW AND PRACTICE IN THIS AREA. IF YOU REQUIRE ANY ADVICE OR INFORMATION, PLEASE SPEAK TO A SUITABLY QUALIFIED LAWYER IN YOUR JURISDICTION. THE AUTHOR DOES NOT ACCEPT OR ASSUME ANY RESPONSIBILITY OR LIABILITY IN RESPECT OF THIS ARTICLE._