TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Asia Pacific Dashboard Digest | Notes from the Asia-Pacific region, 13 Nov. 2020 Related reading: Roundup: Canada, EU, India, Italy and more

rss_feed

""

Dear, privacy pros.

In his introduction 5 Nov., my colleague Stephen Bolinger highlighted the recently released issues paper from the Australian Attorney General’s Department and areas in the Australian Privacy Act that might potentially be up for review.

We are one step ahead in Singapore, with the recent passing of the proposed amendments to the Personal Data Protection Act during its second reading in Parliament. In this first comprehensive review of the PDPA since it was enacted in 2012, the government has attempted to update the legislation for the new digital economy by way of various amendments, which:

  1. Strengthen consumer trust through organizational accountability.
  2. Ensure effective enforcement.
  3. Enhance consumer autonomy.
  4. Support data use for innovation.

These amendments have been percolating through various stages of the legislative process for some time now and have been the subject of a number of earlier public consultations. As such, there are no real surprises, and readers should already be familiar with the proposed amendments.

These amendments have been extensively covered in various articles and commentary, as well as a number of seminars and workshops, including training sessions held during Privacy Awareness Week 2020 and the last KnowledgeNet meeting of the Singapore chapter. Nevertheless, if a quick primer is necessary, I would highly recommend reading the opening speech of Minister for Communications and Information S Iswaran at the second reading of the Personal Data Protection (Amendment) Bill 2020.

Companies preparing to comply with the amended PDPA would no doubt welcome the minister’s assurance that detailed guidelines and advisories will be promulgated by the Personal Data Protection Commission before certain new requirements kick in. Thus, for example, we would expect the new Data Portability Obligation to be progressively enforced in phases and detailed regulations to be issued before that.  The new regime on financial penalties will also take effect at least one year after the formal enactment of the amendment bill.

Also remaining to be seen is how companies will interpret and leverage broader exceptions in the PDPA to justify innovative uses of data. The new legitimate interests and business improvement exceptions, as well as the possible use of deemed consent by notification, could potentially herald a much more liberal regime for companies seeking to process personal data in support of innovation.

While the onus is ostensibly on organizations to prove that they fall within the regulatory guardrails around these provisions, e.g., by conducting a risk assessment and ensuring that the benefits accruing would likely outweigh potential residual adverse effects, it might be said that in practice more responsibility would fall upon the individual to ensure their personal data is not unduly processed. 

The flipside of consumer autonomy is that individuals would be expected to pay more attention to privacy notices and notifications from companies they interact with regarding the processing of personal data for new purposes to exercise their right to opt-out or withdraw consent. In the absence of proactive audits by the PDPC, it is difficult to see how companies might otherwise be called to task if they were to rely on these new grounds or exceptions for data processing without complying with the relevant safeguards.

At the end of the day, as the minister rightly pointed out, organizations would need to recognize "it is in their self-interest to safeguard personal data, as that will foster consumer trust, strengthen their business reputation and ultimately, their competitiveness and their bottom-line." At the IAPP, we hope to support privacy professionals in Singapore in their quest to guide their companies towards full compliance with the amended PDPA and in line with the accountability principle. In this regard, if you have any suggestions as to resources or training that would be helpful, please let us know through the comment box below.

With that, I wish you happy reading!

Comments

If you want to comment on this post, you need to login.