By: Talia Boiangin, J.D., CIPP/US
Businesses with an International user base may find themselves revising their privacy policies yet again. This week, Singapore Parliament passed a bill that amends the Singapore Personal Data Protection Act (PDPA), which came into effect in 2012. Major amendments to the PDPA include an updated consent framework, a substantial increase in the financial penalties cap, mandatory data breach notification to affected individuals and the Personal Data Protection Commission (PDPC), and data portability obligations. During a public meeting in Parliament, Singapore’s Communications and Information Minister S. Iswaran advocated for the amendments as a way to build trust with consumers in a digital economy with a complex data landscape, “and it will ultimately enhance Singapore’s status as an important node in the global network of data flows and digital transactions.”
The new exceptions to obtaining consent for data collection, use, or disclosure are of particular importance. Organizations will be able to use data without consent for business improvement, such as enhancing or research and development (R&D) of products or services, deploying operational efficiency and service improvements, or learning more about the organization’s customers. Data may not be used if it is likely to cause an adverse effect on the user. The amendment also allows businesses to avoid obtaining consent where the legitimate interests of the organization and the benefit to the public together outweigh any adverse effect on the individual. Legitimate interests include use to prevent fraud, threats to physical safety and security, and use to prevent abuse of services. To utilize this consent exception, Iswaran said that “organizations must conduct an assessment to eliminate or reduce risks associated with the collection, use, or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual.” He added that the PDPC will issue detailed guidance on the exception on how to identify an “adverse effect, which generally refers to any physical harm, harassment, serious alarm, or distress to an individual.”
A legitimate interest provision for data collection is nothing new. EU’s General Data Protection Regulation (GDPR) allows organizations to use personal data without consent under Article 6(1)(f), provided they show a legitimate purpose for use of such data. If the organization cannot show a legitimate interest, then the organization does not have a lawful basis for data processing under this provision. GDPR also requires a risk-based assessment of potential data user impacts as well as risk mitigation strategies. UK’s Information Commissioner’s Office (ICO) published guidance on the process for establishing legitimate interests:
1. Purpose test – is there a legitimate interest behind the processing?
2. Necessity test – is the processing necessary for that purpose?
3. Balancing test – is the legitimate interest overridden by individual’s interest, rights or freedoms?
Singapore’s legitimate interest exception seems to differ from GDPR’s, which is no surprise given the complex web of worldwide data privacy regulations. Increasingly, countries are creating or amending data protection laws as an attempt to accommodate future innovation and emerging technologies while balancing the necessary trust needed form consumers.
If you would like guidance to help ensure compliance with the changing privacy landscape and avoid large fines, contact Lalchandani Simon PL at INFO@LSLAWPL.COM or at 305-999-5291.