On May 14, 2020, Singapore's Personal Data Protection Commission and Ministry of Communications and Information released the draft Personal Data Protection Bill with proposed amendments to the Personal Data Protection Act. One of the key amendments, which goes to the heart of the PDPA, is the enhancement of the collection, use and disclosure framework to enable meaningful consent.
Issues of the current regime
Currently, the PDPA provides for consent as the primary basis for collecting, using and disclosing personal data. However, the PDPC found in public consultation papers issued July 27, 2017, April 27, 2018, and May 22, 2019, that there is a need to reshape the present consent model. Some key issues identified in the papers:
- Consent fatigue: With a heavy emphasis on consent-taking, individuals may find themselves overwhelmed by lengthy consent forms and notices. There is then a greater risk of consent not being properly taken, which undermines the premise of obtaining consent itself.
- Consent is not always desirable or appropriate: The current consent approach rests on certain assumptions, including that individuals would weigh their personal costs against public benefits in making an informed choice over their personal data. However, individual consent decisions may not always yield the most desirable societal outcomes (e.g., fraud detection).
- Digital economy: In today’s digital economy, there is an increasing need for the use of data or, more specifically, personal data, from data analytics to artificial intelligence. Given the sheer volume of data needed, vast number of individuals whose personal data is collected, and speed of personal data collection, it is impractical for organizations to seek consent from every individual for every new purpose.
- Research exception: While the PDPA currently provides an exception to consent to facilitate research, respondents requested clarity on the scope of research purpose and its criteria.
- Contractual necessity: A respondent suggested that an organization be allowed to collect, use and disclose personal data without consent to perform its contractual obligations with the relevant individual or with a third party at the individual’s request.
The modern economy requires data for innovation and growth. When used in an optimal and responsible manner, data analytics and machine learning can generate positive changes, such as process efficiency and improved products and services, thus addressing individual or market needs. Therein lies the impetus for reshaping the consent model.
Enhanced framework
While consent remains the cornerstone of the PDPA, the bill introduces parallel bases for collecting, using and disclosing personal data. Accordingly, instead of obtaining consent, organizations might wish to rely on the expanded scope of deemed consent or new exceptions to consent.
Expansion of deemed consent
One of the main changes under the bill is to expand the notion of deemed consent. In addition to implied consent applying if an individual voluntarily provides personal data, consent will also be deemed when necessary to satisfy the individual’s contractual needs or upon notification of the purpose of data processing. Proposed changes include:
- Contractual necessity: Consent may be given for personal data to be collected by, used by or disclosed to or by a third-party organization when it is reasonably necessary for the conclusion or performance of a contract between an individual and an organization. This reduces time in having to obtain consent that is likely to be granted due to its necessity.
- Notification of purpose: Consent may be given if an appropriate notification of the purpose for the intended collection, use or disclosure of the individual’s personal data is given, the individual has a reasonable period to opt out, and the individual does not opt out within that period.
Organizations are required to assess and ascertain that their measures to eliminate, reduce the likelihood of or mitigate the identified adverse effect on the individuals are effective. Consent can also be withdrawn by the individual.
By addressing the impracticality of obtaining consent at every instance for every new purpose, smoother operational flows can be realized in the digital economy. Organizations might thereby be encouraged to play a more active role in protecting individuals from adverse effects. As a result, it is expected that consent fatigue will be diminished.
New exceptions
New exceptions to the consent requirement are also found in the bill to address situations in which there are public or systematic benefits and when obtaining an individual's consent may not be appropriate.
Legitimate interests
Organizations can now collect, use or disclose personal data in circumstances in which it is in the legitimate interest of the organization, and the benefit to the public (or any section thereof) is greater than any adverse effect on the individual.
To rely on this exception, organizations must first:
- Assess any likely adverse effect on the individuals, and implement measures to eliminate, reduce the likelihood of or mitigate the identified adverse effect.
- Determine that the benefit to the public (or any section thereof) outweighs any likely residual adverse effect.
- Disclose their reliance on legitimate interests to collect, use or disclose personal data.
This exception acts as a catch-all provision, tackling situations that may not fall neatly under the current list of exceptions in the PDPA but that should appropriately be exempted from the consent obligation. This might help fortify public confidence in the vigorous data protection regime.
Organizations are also assured that with appropriate safeguards, legitimate interests can be prioritized over consent-taking.
Business improvement
Organizations may now use personal data without consent for business improvement purposes. These purposes include operational efficiency and service improvements, development or enhancement of products/services, and gaining an understanding of the organization's customers.
The use of personal data for business improvement must be what a reasonable person would consider appropriate under the circumstances, and it must not be used to make a decision that is likely to have an adverse effect on an individual.
This is likely to be a useful exception for organizations as it would allow them to improve their business efficacy and their products/services. As a result of these business improvements, individuals will stand to benefit, too.
Revision of research exception
The research exception will also be revised to be less restrictive on organizations in obtaining an individual's consent for research activities. This appears to supplement the new business improvement exception by facilitating greater research and development to be undertaken by organizations that may ultimately benefit the public and individuals alike.
Under the revised research exceptions, the use of personal data or the results of the research will not have an adverse effect on individuals, and research results will not be published in a form that identifies any individual.
Nevertheless, disclosure of personal data for research purposes without consent will continue to be subject to the existing stringent conditions of showing that obtaining consent is impractical and that the research benefits the public.
Conclusion
With the enhanced framework, consent fatigue is addressed, organizations can be more efficient and innovations are encouraged. However, organizations will bear a heavy responsibility in implementing rigorous internal protocols to ensure that they have done their due diligence when relying on the new exceptions or expanded deemed consent.