Big Data is Watching You: Surveying Singapore’s Evolving Data Protection Act (Part 1)
- Kevin Chew, Bryan Pak, Justin Chua
- Sep 17

In this Explainer, find out...
- Why was the Personal Data Protection Act 2012 (PDPA) enacted?
- What challenges did organisations and individuals face under the PDPA?
- What amendments were introduced to the PDPA in 2020 to address these concerns?
Introduction
The motif “Big Brother is Watching You” from George Orwell’s 1984 is an eerie reminder of the dangers of extensive surveillance used in the protagonist’s world. However accurate that prospect may have been in Orwell’s time, it is difficult to deny that surveillance has permeated today’s everyday reality.
Indeed, immense volumes of information are collected everywhere by everyone, far beyond 1984’s concern of totalitarian governments. Granted, the universal processing of data has brought great benefits—think financial fraud detection and personalised Netflix recommendations. But with it also comes threats of data breach and misuse.
In response to these developments, Singapore enacted the Personal Data Protection Act 2012 (PDPA) to regulate the processing of personal data by organisations. As we come to the 13th year of the PDPA’s enactment, this Policy Explainer begins by looking back at the rationale for the PDPA and the challenges it posed for organisations and individuals. Thereafter, we discuss how the PDPA was later amended in 2020 (in part) to address these challenges.
The Emerging Data Landscape
In the late 2000s, the use and collection of personal data was becoming more common with the rapid spread of infocomm technology. Then-Minister for Information, Communications and the Arts Yaacob Ibrahim stated in Parliament that a growing number of countries had already started to establish data protection frameworks. Thus, he emphasised the need for Singapore to follow suit in order to retain its competitiveness as a trusted business hub.
Data protection legislation was also especially necessary in light of emerging security threats like data leaks and breaches. A 2012 KPMG study indicated that data breaches suffered by private companies increased by 40 per cent year-on-year, with an estimated 160 million individuals who had their data compromised. Furthermore, the world was rocked by an increasing number of high-profile data leaks. A particularly notorious one was the Sony PlayStation Network data breach in 2011, which compromised the personal details of over 77 million individuals. This raised many concerns about the security of personal data, underscoring the need for robust data protection laws.
However, Singapore did not have any comprehensive data protection framework at that time. Instead, the Government adopted a sector-specific approach to data protection. Data processing by public agencies was governed by laws like the Official Secrets Act 1935, while private businesses voluntarily adopted individualised industry codes of practice. Without a general data protection framework, there was no basic safeguard for personal data in Singapore.
Personal Data Protection Act 2012
To address these risks, Parliament passed the Personal Data Protection Bill on 15 October 2012. In regulating the processing of personal data, this policy sought to balance individual data privacy concerns with organisational interests in data processing. The PDPA thus imposed nine data protection obligations on private organisations, as outlined in Figure 1.

With the above nine obligations, the PDPA sought to achieve several aims. For one, with the Protection and Transfer Limitation obligations (as seen in S/N 6 and 7 in Figure 1), the PDPA established a baseline data protection standard across almost all private sector organisations, mitigating the risk of data breaches and bolstering trust in Singapore’s data security practices. For another, the PDPA safeguarded data privacy (e.g., through the Consent and Retention Limitation obligations as seen in S/N 3 and 7 in Figure 1), ensuring that individuals have control over the way and purposes for which their personal data is processed.
This individual right to privacy was balanced with organisations’ need to process personal data. Under the PDPA, organisations could still process personal data without consent on certain grounds. Two such grounds include using personal data for evaluative purposes (e.g., assessing job suitability) and to secure vital interests (e.g., responding to life-threatening emergencies). By including practical exceptions in its data protection framework, the PDPA supported Singapore’s competitiveness as a hub for reliable commerce and efficient data flows.
Challenges Posed By The PDPA
However, organisations and individuals faced some challenges under the PDPA. These included:
- The complexity of the regulation;
- Concerns with the consent framework; and
- The absence of a right to data portability.
Complexity of the PDPA
The first problem with the PDPA was that it was too complicated to understand. The Data Protection Officer Training Programme, organised by the National Trades Union Congress, took four days to explain just the basics of the PDPA. Meanwhile, the Personal Data Protection Commission (PDPC), which governs data protection in Singapore, issued PDPA guidelines that ran on for over a hundred pages.
The complexity of the PDPA made organisations uncertain of how to interpret it. Banks were unsure if they could send advertisements with bank statements. Other organisations did not know if placing a sign at an event entrance meant that participants consented to their photographs being taken and used. In turn, even organisations who wished to comply with the regulations experienced difficulty in doing so.
On the other hand, some smaller organisations were unaware that the PDPA even applied to them. A 2014 survey by the PDPC revealed that 30 per cent of businesses—a sizable minority—were not aware of their PDPA obligations. In a case where the PDPC fined retailer Bud Cosmetics over its inadequate data protection measures, the firm had claimed that it did not think the PDPA required it to implement a personal data protection policy.
Concerns with the Consent Regime
Second, the PDPA’s reliance on the consent framework posed issues for individuals. In public consultations conducted by the PDPC, respondents expressed concerns about long and complicated forms seeking permission to collect personal data. As a result, many respondents stopped reading through these forms and merely agreed without understanding, which defeated the original purpose of obtaining consent. This phenomenon is referred to as “consent fatigue”, where individuals feel overwhelmed due to the constant need to consent to data collection and processing.
It is of particular concern when blind consent exposes individuals to greater risks of personal data misuse or secondary uses of data that they may otherwise object to. In a telling experiment, the University of Connecticut asked unwitting participants to sign up for a fictitious social networking site. Remarkably, 98 per cent of them agreed to a privacy clause that allowed the site to share all collected data with third parties, with potential consequences for their employment. The results revealed that most participants had skipped reading the privacy policies, with only a handful raising concerns about the data-sharing clause.
No Right to Data Portability
The third issue is that the PDPA did not guarantee the right to data portability. This meant that individuals could not ensure the transfer of their personal data to another organisation upon request, if they wished to switch to a different vendor. This created a case of vendor lock-in, where consumers tended to remain with the same vendor to avoid losing access to their personal data. This, however, constrained consumers’ autonomy and limited their choices and convenience.
The absence of a right to data portability also hindered market competition. Businesses seeking to enter the market would have found it difficult to attract new customers, who faced challenges in transferring their data to these businesses. This created higher barriers to entry for new firms. Meanwhile, incumbent firms saw their competitive advantage enhanced, entrenching their market dominance.
Hence, while the PDPA did lay the foundations for personal data protection in Singapore, it also posed substantial challenges for organisations and individuals alike. In a bid to address these issues, the Government later introduced amendments to the PDPA in 2020.
Personal Data Protection (Amendment) Act 2020
The Personal Data Protection (Amendment) Bill was passed in Parliament on 2 November 2020. Its provisions centred around three main areas of reform:
- Increasing support for legitimate business uses of personal data;
- Measures to ensure accountability in cases of data breach and mishandling; and
- Safeguards to enhance individual autonomy and protect personal data privacy.
Supporting Legitimate Uses of Personal Data
First, the amendments seek to support legitimate business uses of personal data by expanding the legal definition of “deemed consent”. Under the original PDPA, consent was only implied if an individual voluntarily provided personal data or if it was reasonable that they would do so. Now, an individual is also deemed to consent to the collection, use or disclosure of personal data when:
- The processing of that data is necessary to perform a contract between the individual and an organisation; or
- An organisation has notified the individual of the data processing and the individual did not opt out within a reasonable time frame.
Additionally, the amendments introduced new exceptions to the consent requirement. Organisations can now process personal data without consent when it is in their legitimate interest and this interest outweighs any adverse effect on the individual. To rely on this exception, organisations have to implement measures to mitigate or eliminate the adverse effect. Another such exception is the processing of personal data for business improvement purposes, including enhancing products, improving operational efficiency and understanding customer preferences.
As a complementary measure, the PDPC regularly updated its Advisory Guidelines to provide organisations with a better understanding of their obligations under the PDPA. The guidelines also functioned as a platform to clarify and communicate the new PDPA amendments to organisations.
Altogether, these changes provide organisations with more legal bases for processing personal data. This not only reduces the reliance on lengthy consent forms, but also grants organisations greater flexibility and certainty in their data practices. To balance this expanded latitude, the amendments set out a range of measures to reinforce organisational accountability.
Ensuring Accountability in Data Practices
A second area of reform is ensuring more accountability when organisations experience data breaches or individuals mishandle personal data. The amended PDPA requires organisations to notify the PDPC and affected individuals of all data breaches of significant scale (i.e., at least 500 individuals) or harm (e.g., leak of account passwords) within three days.
To ensure accountability, the amendments increased the maximum fine for an organisation that falls victim to a data breach. This penalty cap is now S$1 million or 10 per cent of the organisation’s local annual turnover, whichever is higher. As an additional precaution, private organisations acting on behalf of the Government are no longer exempted from the PDPA.
Further, the amendments extend accountability beyond organisations to individuals. It is now a criminal offence for an individual to knowingly or recklessly use or disclose personal data, or re-identify anonymised data, without authorisation.
By tightening enforcement measures, the Government hopes to signal that data breaches and mishandling will be treated with gravity, thereby strengthening the deterrent effect. This could also bolster individuals’ trust that their personal data is being properly handled.
Safeguarding Autonomy and Privacy
Third, the amendments aim to enhance individual autonomy by introducing a right to data portability. Upon request, an organisation is required to transmit an individual’s personal data to another organisation in a common machine-readable format. The rationale for this obligation is twofold: to give individuals greater control over their data and to support innovative business uses of personal data. Though this provision has been passed in Parliament, it will not take effect until the Government issues the relevant regulations.
As a safeguard for personal data privacy, the PDPA guarantees the right to withdraw consent. If an individual withdraws their given or deemed consent, the organisation is obliged to stop processing their personal data unless it can rely on an exception to the consent requirement.
In granting individuals a measure of control over their personal data, these provisions complement enforcement mechanisms in ensuring that this data is appropriately obtained and responsibly handled. With safeguards in place, individuals may be more assured about organisations having greater discretion to legitimately use their data. The revised PDPA thus reflects a renewed effort to balance the interests of individuals and organisations, intended to advance broader socio-economic outcomes amidst an ever-changing data landscape.
Conclusion
Confronted with the uncertainties of a rapidly developing information economy, Singapore enacted the PDPA in 2012 as a legislative bulwark to safeguard personal data. Since then, the Government has revised the regulation to provide organisations with greater support and individuals with more autonomy over their data.
However, the PDPA represents just one approach to personal data protection—how does it compare to legislation overseas, and what insights can be drawn to mitigate the risks posed by emerging artificial intelligence technologies? Find out in the second part of this Policy Explainer.
This Policy Explainer was written by members of MAJU. MAJU is a ground-up, fully youth-led organisation dedicated to empowering Singaporean youths in policy discourse and co-creation.
By promoting constructive dialogue and serving as a bridge between youths and the Government, we hope to drive the keMAJUan (progress!) of Singapore.
The citations to our Policy Explainers can be found in the PDF appended to this webpage.