Speech by Mr. Louis Ng Kok Kwang, MP for Nee Soon GRC, at the Second Reading of the Personal Data Protection (Amendment) Bill
(Bill No. 37/2020)
Introduction
Sir, since we passed the Personal Data Protection Act in 2012, the Personal Data Protection Commission has been busy. It has investigated numerous data breaches and received a record-breaking 4,500 complaints last year.
Data protection has become only more concerning, and this Bill helps address those concerns.
I am heartened by the amendments requiring organisations to inform people who are affected by data breaches and to help people port their data to other services.
These changes will help Singaporeans feel a greater sense of control over their data. Many will welcome these enhancements.
That said, I have three points of clarification on the Bill.
Data breach notification
My first point is on data breaches.
The Bill introduces a requirement for organisations to notify the Commission and affected individuals in certain instances where there is a data breach.
One instance is when the data breach results in, or is likely to result in, significant harm to an affected individual.
I understand the Commission intends to prescribe classes of personal data considered likely to result in significant harm to individuals.
Beyond this, can Minister clarify what other circumstances will be prescribed to help organisations assess whether a data breach may lead to “significant harm” to affected individuals under Section 26B?
Further, can Minister clarify what standard the Commission will apply when it reviews an organisation’s assessment on whether a data breach is notifiable?
An organisation may decide not to notify affected individuals of a data breach because they assess that no significant harm was caused and the breach was not of a significant scale.
If the Commissioner later disagrees with this assessment and reviews the organisation’s assessment, will the Commissioner do so by holding the organisation to the standard of a reasonable person?
Can Minister also clarify whether the Commission will consider a good-faith, systematic assessment by an organisation as a mitigating factor in deciding whether and how much to penalise the organisation for failing to notify the Commission of a data breach?
Adverse effect
My second point is on the definition of adverse effect.
The Bill now allows organisations to avoid asking for consent in certain cases. In several cases, they have to assess whether their actions will have an “adverse effect” on individuals.
Under Section 15A, organisations have to assess the extent of adverse effect to decide whether deemed consent by notification is sufficient consent.
Under Section 17, organisations have to weigh such adverse effect against the “legitimate interests” of the organisation or of other people.
Can Minister define what it means to impose an “adverse effect” on an individual, and what are some examples of it?
Such clarity is important because organisations will likely face practical challenges in identifying every possible adverse effect on an individual, and a wrong assessment may lead to harsher penalties for them.
In line with the Act’s shift to a risk-based accountability approach, I would also suggest applying a standard of reasonableness when determining whether organisations have fulfilled their obligations.
In other words, they should be required to assess the “adverse effect” on an individual only to the standard of a reasonable person.
Finally, can Minister also clarify the intended differences between “significant harm” and “adverse effect” on individuals? It will help organisations comply with the Act.
Data porting
My third point is about the data porting obligation.
This Bill empowers individuals to make data porting requests. This means individuals can ask organisations to send their personal information to other organisations.
Organisations can say no only under conditions outlined in the new Twelfth Schedule.
Will the Commission be releasing guidelines and examples to help organisations understand whether each of the conditions apply to them?
The guidelines should especially clarify three conditions.
First, these guidelines should clarify when the data would “reveal confidential commercial information” that could “harm the competitive position of the organisation”.
I am sure many companies will be keen to cite this condition if they are asked to transfer data to a competitor.
Second, the guidelines should clarify when the data is “trivial”.
Third, the guidelines should clarify when the data porting request is “frivolous” or “vexatious”.
Data porting is a new concept to many organisations in Singapore. Organisations will benefit from greater clarity on what counts as trivial, frivolous or vexatious.
Conclusion
Sir, notwithstanding these clarifications, I stand in support of the Bill.
Watch the speech here