Data privacy laws changing in tune with digital economy

The law on personal data may soon be revised to keep it in step with the rapidly changing digital landscape.

On the one hand, organisations that see any breach of personal data may not be allowed to stay silent on it, as it could be made mandatory for them to inform the affected customers as well as the privacy commission. This is to deepen trust in the growing digital economy.

On the other hand, there is a proposal to cut some slack to businesses and allow them to collect and use the personal data of consumers without their consent, if it is impractical to secure such permission. This will especially benefit those in the Internet of Things (IoT) business - the next big technological revolution in which home devices like security cameras and fridges are connected to the Web.

Some of these moves by the Personal Data Protection Commission (PDPC) follow the lead of mature jurisdictions in the United States, Canada and Australia.

Launching a public consultation on the proposed changes to the Personal Data Protection Act three years after it fully kicked in, Minister for Communications and Information Yaacob Ibrahim said yesterday: "In the event of data loss or breaches, it is important that individuals' interests are protected."

Dr Yaacob added that notifying consumers would allow them to take steps such as change a leaked password or cancel a compromised credit card to protect themselves.

Consumers must be notified as soon as the breach is discovered, though it may not be necessary to inform them if the data is encrypted. "This is to prevent notice fatigue due to over-communication," said Mastercard's senior managing counsel Derek Ho.

If the breach involves 500 or more individuals, the PDPC must be told within 72 hours so that it can manage breaches at the national level.

And if critical infrastructure - including the energy, telecommunications and transport sectors - is involved in the breach, the Cyber Security Agency must also be informed.

Speaking at Singapore's fifth Personal Data Protection Seminar yesterday, where the proposed changes were flagged, Mr Tan Kiat How, Singapore's privacy commissioner, said that the PDPC has taken enforcement action against 300 organisations to date over data breaches.

Most received an advisory notice, though tougher action was taken in 30 serious cases.

Karaoke bar chain K Box was fined $50,000 over an incident in September 2014 that saw the data of 317,000 customers leaked.

The proposed changes will also allow organisations to share blacklists in order to prevent abuse.

For example, if financial or telecommunications firms want to share data among themselves of customers with bad payment track records, they will not be required to seek customers' consent.

Firms will also be allowed to collect and analyse the vast amount of data that flows from IoT devices without the consumers' go-ahead, if they need this to improve services or the user experience.

In all such cases, the businesses must be able to prove that the consumer is not harmed in any way and the data is not abused.

Dr Yaacob said the proposed legislation update reflects Singapore's ambition to become a trusted global hub for innovative uses of data.

The consultation will end on Sept 21.