Delivered in Parliament on 2 November 2020
Mr Speaker, the Personal Data Protection Amendment Bill is a much-welcomed update 8 years after the original bill was introduced in 2012.
8 years is a long time in the digital age. Technology has advanced by leaps and bounds, and such technological improvements have also significantly changed our ways of life.
Singapore has one of the highest internet penetration rates in the world. 88% of the population are internet users, and spend close to 7 hours a day on the internet on average. There are 8.9 million mobile connections, approximately 1.5 times more than the country’s population. The easy access of the internet allows people to engage in content sharing, online shopping, access gaming sites and social media platforms.
The law too, has to keep up with the times. With increasing usage of such digital platforms comes increasing risk of personal data breaches. Most Singaporeans use their smartphones for social networking or to search for information. As a result, the number of scammers, impersonators, and cyber-attacks has jumped nine folds in the last three years, with 672 cases in first 11 months of 2019, with over half the victims in their 20s to 40s.
In fact, just a few days ago, personal information from 1.1 million Red Mart accounts were stolen from Lazada, an e-commerce platform. Personal data such as names, phone numbers, email and physical mailing address, and partial credit card numbers are being sold online.
While I appreciate the effort to enhance the legal framework for the collection, use and disclosure of personal data, and to strengthen the accountability of organisations in respect of handling personal data, I believe that there is still room for further refinement, namely in strengthening protection against unsolicited communication, clarifications on deemed consent and individuals’ rights under data portability.
Firstly, protection against unsolicited commercial messages.
Mr Speaker, there are multiple safeguards in place within the original PDPA law, with the intention to protect the data privacy of the individuals. One of such safeguards is the Do- Not-Call (DNC) registry, where an individual can opt to be excluded from marketing or promotional messages. However, even with such safeguards in place, most Singaporeans still get unsolicited calls and messages from telesales agencies, moneylenders, illegal gambling advertisements, and even phishing scam calls claiming to be from Singpost or DHL to collect parcels.
Improved controls for unsolicited commercial messages under section 43 would thus be welcome by consumers. A few years ago I have personally lodged a police report over persistent unlicensed money-lending messages, but I was subsequently told by the investigation officer that the perpetrators are based overseas, and that there is not much that the police was able to do. I acknowledge that some of these calls and messages are from overseas or even from masked numbers. However, some are actually conducted from local numbers and that since 2005, it is compulsory to present customer details to Telcos when purchasing a prepaid or post-paid SIM card.
With the revised bill, when organisations have breached the PDPA act, they could have to pay a penalty of 10 per cent of their annual Singapore turnover or up to S$1 million, whichever figure is higher. However, I would like to ask how we can better protect Singaporeans against unsolicited messaging, and fraudulent communication from criminal syndicates, especially the elderly who are especially at risk of such scams. In particular, how does the commission intend to take action against parties that are not based in Singapore?
Second is the topic on deemed consent and deemed consent by notification
Mr Speaker, under the section of deemed consent, organizations are allowed to pass information to a third party for the fulfilment of the contract between the person and the organization. While this makes sense, we should question if there are any mitigation factors to prevent the unwanted spreading of personal particulars or info from the third party organization to subsequent parties for their benefit (for example targeted marketing strategies) as well as raising the possible issue of increased risk of the spread of personal info. With personal data held by multiple parties across multiple jurisdictions, the risk of a data leak is much higher, and data protection is only as strong as the weakest link.
Furthermore, in the newly added section 15A Deemed consent by Notification, organizations are now able to collect information on the individual, as long as the organization has taken “reasonable” steps to inform the individual the organization’s intent, purpose to collect, use or disclose the personal data. The organization itself also has to make sure this is not likely to have an adverse effect on the individual. Individuals also have the right to opt out / withdraw consent within “a reasonable period”.
Mr Speaker, this system reduces the power of individuals relative to organisations who have the power to determine if their collection, use, and disclosure of personal data have any adverse effects on the individuals. Section 15A also gives organisations the freedom to determine “whether there is any adverse effect on the individual” – which may not always be interpreted in the individual’s favour.
The new provision thus serves as an exception to the consent obligation and moves the data protection framework away from express and explicit consent, to implicit consent from individuals. For example, online shopping algorithms are designed to identify the types of product a person is interested in and suggest to the person items that he or she may like to purchase. If a person has conditions that decreases his overall well-being with these advertisements (i.e. having compulsive buying disorder), is that deemed as an adverse effect that should be intervened? An organization needs to identify and implement reasonable measures to eliminate or reduce the probability of the adverse effect. What are some of the ways this could be executed in reality?
Further, what is regarded as “a reasonable period” for individuals to opt out – are businesses allowed to determine this or will the commission be providing some guidance on a general time frame?
Perhaps we could adopt a practice from the European GDPR, where there are specific categories of data in which processing such data is prohibited unless explicit consent is given by the individual. The PDPC could consider something similar by carving out exceptional categories of data where deemed consent by notification cannot work and requires express consent.
Lastly, on the new part 6B on data portability (Part VIB)
The introduction of the new data portability obligation is a welcome one, where an organisation must, at the request of an individual, transmit his or her personal data that is in the organisation’s possession or under its control, to another organisation in a commonly used machine-readable format.
However, while the individual can request for his or her data to be transferred from one organisation to another, individuals themselves do not have the specific right to receive a copy of such data in a machine-readable format before it is ported over. This may pose issues for individuals that may want to limit or select the data that they would like to hand over to the receiving organisation. This would be unlike Article 20 of the European GDPR, which gives individuals the right to receive the personal data concerning him or her.
I acknowledge that there is an “access request” under section 21 of the current PDPA, where individuals may be able to get a copy of their personal data that is under the possession of the originating organisation. However, it is unclear to what extent this would apply hand-in-hand with the data portability obligation.
Furthermore in this digital world, it has often been said that “the internet never forgets”. Could we perhaps go one step further, and that in addition to data portability and access to one’s personal data, can the individual be granted the right to request organisations to delete personal data at his or her request? This would then truly give meaning to the phrase under section 26G, and that is to provide individuals with greater autonomy and control over their personal data.
Mr Speaker, to conclude, the updated PDPA act is the right step in ensuring the data security of Singaporeans. What has perhaps not been fully addressed is firstly the ability to enforce such rules to protect against unsolicited messages, especially from overseas based syndicates, secondly the power imbalance between organizations and individuals under a deemed consent opt-out regime, and finally the individual’s rights to his or her data. In this rapidly evolving digital age, it is imperative that we constantly assess and fine-tune the PDPA, in order to maintain the effectiveness of its safeguards. Thank you.