How should personal data be used and shared by firms? New rules on data protection up for review

SINGAPORE — Personal data is now one of the hottest commodities in 21st century commerce — everything from where people shop, to what they buy, where they take holidays, and who their friends are.

Amid the explosion in the commercial harvesting of personal data, the authorities are seeking the public’s views on proposed rules that govern how personal data is shared and used by businesses. This includes a proposed legislative provision which would allow firms to use their customers’ data for “appropriate business purposes” without the customers’ consent.

The idea is to keep Singapore’s relevant legislation — the Personal Data Protection Act 2012 — up to date to reflect the fast-changing developments and opportunities in personal data usage.

The Personal Data Protection Commission (PDPC) on Wednesday (May 22) launched a six-week public consultation as part of an ongoing review of data privacy laws here. It runs till July 3.

Two major changes, aimed at giving people more control over their information and to encourage data-driven business innovation, are up for review.

• Data portability: The first would compel companies to share personal data with another company at the individual’s request, which could make changing service providers a breeze. Such portability regulations are already in place in other markets, said the PDPC. For example, the European Union has mandated that individuals have the right to receive their own data in an accessible format and to port their services from one company to another. Australia, India, Japan and New Zealand have, or plan to implement, data portability rules.

• Data innovation provisions: The second change would remove the need for firms to seek their customers’ consent to use customers’ data for business reasons, such as data analytics. This aspect of the review could be contentious since customers will want to know how their information is used, experts told TODAY.

Apart from the public consultation, the PDPC introduced two guides to strengthen the accountability of organisations during data breaches — an increasingly common phenomenon — and to help them safeguard their data.

Here are the details of the proposals and initiatives: 

DATA PORTABILITY

• In the same way that mobile numbers can be easily ported from one telco to another today, the upcoming data rules will enable consumers to move their personal data across organisations by request.

• For consumers, this could lower the costs of changing service providers. Moving records and important histories — such as their consumer preferences or financial data — can also reduce the hassle of starting from a clean slate each time as well.

• For example, the purchase history of an online shopper could be transferred to a new e-commerce platform, which will then be able to provide a customised experience from the outset. A bank customer could also ask for his transaction data, loan histories or credit repayment details to be transferred to another institution, reaping benefits if their financial history is healthy.

• New businesses, including start-ups, also stand to gain from more access to their new customers’ personal data.

The PDPC is seeking views on these key issues including factors such as the scope of organisations that would be covered by portability provisions, as well as the conditions under which the provisions would apply. It is also keen to hear views on the proposed exception relating to commercially confidential information that could harm an organisation’s competitive position if it were made portable. It also wants feedback on what powers the PDPC should have to review an organisation’s refusal to port data, for example.

DATA INNOVATION PROVISIONS

• There could be some data that are commercially sensitive, such as additional insights garnered through artificial intelligence and data analytic tools that the companies have developed. Giving these up could harm a company’s competitiveness. Hence, the PDPC is proposing a category of “derived data” that will be excluded from the data portability rules.

• Several businesses have queried whether there is a need to seek consent each time they try out a new innovation based on customers’ personal data. This could create an unnecessary burden for businesses.

• The PDPC said a proposed provision would clarify how businesses can use personal data for “specific, defined business purposes” without the need for consent, in response to feedback from these companies. This means customers may no longer need to repeatedly give consent or sign off on new data usage policies by the same company.

WHAT EXPERTS SAY

• Associate Professor Anthony Tung Kum Hoe, deputy director of the Centre for Research in Privacy Technologies at the National University of Singapore, said: “There is no limit to what you can infer from someone’s data. A telco’s data of a customer’s location could also be used to find out inappropriate sensitive data that the customer might not want to be known, such as which hospital he frequents, for example. Therefore, it is important to clearly define what is appropriate for a company to do without the customer’s consent.”

• Mr Steve Tan, partner at law firm Rajah & Tann who specialises in data protection law, said: “One of the core tenets of personal data is that the individual has the right to dictate how their data is used and ported across different companies. Companies which already possess their customers’ data, mind you, with their initial consent, should be allowed to pursue innovation without having to obtain fresh consent each time. These new data portability and innovation rules recognise the importance of how data is driving the digital economy today.”

GUIDES ON MANAGING DATA BREACHES, ENFORCEMENT 

• A new guide was launched by the PDPC to help organisations manage data breaches effectively, by putting in place early detection and warning systems and a data breach management plan.

• The PDPC recommends that internal investigations and assessments of a potential data breach should also take no more from 30 days from when the breach is discovered.

• Large breaches are defined as cases where 500 or more individuals are affected or are likely to be impacted significantly. The PDPC recommends that it must be notified by no later than three days after the company has completed its assessment for these cases.

• The PDPC has also introduced a new guide to active enforcement, setting out its approach to data breach regulations. Cases involving financial penalties will take into account the company’s admission of its role in the incident.