Changes to data protection Act: MPs ask why there’s different law for Govt, concerned about impact on businesses

• 13 MPs debated changes to the Personal Data Protection Act in Parliament on Monday
• MP Gerald Giam asked why the public sector is governed by a separate law
• Dr Janil Puthucheary said unlike private companies, the Government acts as one body
• Still, he stressed that both laws are aligned in standards

SINGAPORE — Changes to legislation on data privacy drew questions from Members of Parliament (MPs) on Monday (Nov 2) as to why government agencies were exempt from the law. This led to an exchange between MP Gerald Giam from the Workers’ Party (WP) and Dr Janil Puthucheary, the Senior Minister of State for Communications and Information.

Mr Giam, who is also MP for Aljunied Group Representation Constituency (GRC), asked during a debate on the amendments to the Personal Data Protection Act (PDPA) why two separate data privacy standards exist for the public and private sectors, instead of a universal one that applies to both.

The laws governing data privacy in the public sector fall under a separate act — the Public Sector (Governance) Act (PSGA).

The PSGA was passed in Parliament in 2018, and sets out directions for data sharing among government agencies. It also prescribes safeguards against abuses.

Mr Giam was not the only MP to raise the issue — Ms Tin Pei Ling from MacPherson Single Member Constituency (SMC) also sought clarification on whether the changes to allow the use of personal data for commercial innovation purposes will be applied consistently to the public sector as well.

This is so as to avoid “double standards” as to how the laws are applied to the Government and private companies, she said.

In his response to Mr Giam, Dr Puthucheary said that the two approaches are necessary because unlike private companies, government agencies need to share data in order to efficiently perform their duties.

“We expect the Government to behave as one service, servicing residents or servicing citizens,” he said. “(But) we expect the private sector to behave as individual entities, and there needs to be an appropriate gap in data sharing between private entities.”

He did emphasise that the PDPA and the PSGA are “aligned to the same expectations and standards”, and the Government will continue to refine the two laws to make sure that this is the case.

Parliament later passed the amendments to the PDPA, which governs companies’ use of customer data, on Monday.

These amendments include stiffer penalties for companies found guilty of breaching the laws, greater protection for customers against unsolicited marketing messages, and the need for companies to notify the authorities of large data breaches.

During the debate on PDPA, which stretched for close to three hours and saw 13 MPs rising to speak, several other issues were raised.

Among other things, they wanted to know how the amendments will impact businesses, how the numerical threshold for reporting breaches was derived, and how the Government will deal with spam and scam syndicates from overseas.

BAD ACTORS OVERSEAS

Several MPs noted that the changes to the law were limited in terms of catching spam as well as scam calls and messages that originate overseas.

They asked how the Government intends to take action against these bad actors, and whether it would consider cross-jurisdictional co-operation with the countries where such syndicates are located.

Responding to them, Mr S Iswaran, Minister for Communications and Information, said that when it comes to overseas spam calls, the Government will continue to take a multi-pronged approach consisting of public education, industry self-regulation and international collaboration.

As for transnational scams, Mr Iswaran said that they will be dealt with by the police as they are serious crimes.

On his ministry’s part, the Infocomm Media Development Authority has required all telecommunications companies to display the “+” prefix for all incoming overseas calls since April this year so that individuals can better identify and reject spoof calls.

Telcos have also blocked international incoming calls that resemble the numbers of government agencies or emergency numbers, he said.

“We can’t prevent these calls from coming in, but we can put up red flags,” Mr Iswaran said.

COST TO BUSINESSES

Mr Desmond Choo (MP for Tampines GRC), Mr Melvin Yong (MP for Radin Mas SMC) and Mr Patrick Tay (MP for West Coast GRC) raised concerns on how the new amendments will impact business operations and costs, especially for small- and medium-sized enterprises that are already financially stretched because of the pandemic.

Under the new amendments, firms found guilty of breaching the law will have to pay up to 10 per cent of their annual Singapore turnover or up to S$1 million, whichever figure is higher.

Acknowledging the strain that the present economic climate has put on some companies, Mr Iswaran said that the revised financial penalty cap will not take effect earlier than one year after the amendments come into force.

The revised cap will therefore apply to breaches that occur after the effective date.

“We will be informed by the overall circumstances because we are conscious of not wanting to unduly burden our companies,” he said.

NOTIFYING CUSTOMERS OF BREACHES

Under the new laws, companies will have to inform the Personal Data Protection Commission (PDPC) of data breaches that result in “significant harm” to an affected individual or affects more than 500 individuals.

Firms will also have to notify the affected individual if there is significant harm caused from the breach.

Mr Shawn Huang, MP for Jurong GRC, sought clarity on how the amendments define “significant harm”.

He also asked how the Government decided on the 500-person threshold to measure whether a data breach is of significant scale.

On the other hand, Ms Joan Pereira, MP for Tanjong Pagar GRC, asked why a breach needs to surpass a certain threshold before the organisation has to inform the PDPC.

Responding to Mr Huang, Mr Iswaran said that “significant harm” refers to the impact of a data breach on affected individuals and is used in the context of a data breach notification.

The numerical threshold was decided based on past enforcement cases and other jurisdictions’ practices.

On Ms Pereira’s question, Mr Iswaran said that the Government’s position was developed in consultation with the public and the benchmarks have also been set against the standards in other countries such as Australia and Canada.

RIGHT TO ERASURE

Tampines GRC’s Mr Choo and Mr Louis Chua, MP for Sengkang GRC, proposed that the Act recognise the right of individuals to erase their personal data, which is a stipulation under the European Union’s General Data Protection Regulation.

To this, Mr Iswaran noted that Section 16 of the PDPA provides for individuals to withdraw their consent at any time.

The organisation will then have to stop the collection, use or disclosure of their personal data unless otherwise required or authorised under any legislation.

The PDPC can also direct an organisation to destroy personal data collected in contravention of the Act, he said.

Though the provisions are not entirely identical to the “right to erasure” laws, Mr Iswaran said that they still give a “substantively similar effect”.