Companies may use customers’ personal data without consent in certain cases under proposed changes to PDPA

 

Minister for Communications and Information Dr Yaacob Ibrahim announcing a proposed review of the Personal Data Protection Act at the Personal Data Protection Seminar on Thursday (Jul 27). Photo: Tan Weizhen/TODAY 

SINGAPORE – Businesses may be allowed to use consumers’ personal data without getting their consent in cases where it is impractical or inappropriate to do so under a series of proposed changes to the Personal Data Protection Act (PDPA).

Announcing the review of the PDPA at the Personal Data Protection Seminar on Thursday (July 27), Minister for Communications and Information Yaacob Ibrahim noted that the PDPA was crafted in an era where "the majority of data was provided by users who fill in their personal particulars via physical and online forms". A review is therefore necessary, he said, given the rate at which the digital economy is gaining pace and the large amounts of data generated on new digital interfaces,

"Today, data can be generated and mined through online activities and transactions. Mobile apps can make use of our location information to match us to the nearest car ride sharing apps or food delivery options. (Internet of Things) devices stream data from health sensors and home cameras so you can keep track of your loved ones through various apps," he said.

Hence, the Government is looking into allowing businesses to use consumers' personal data without getting their consent in cases where it is impractical to do so, or for legal or business purposes where it is not appropriate to get consent. 

For example, bicycle-sharing services may want to share data among themselves of customers with a bad track record of misusing or damaging bicycles. The proposed changes will allow them to do so without seeking customers’ consent, however, the companies would need to prove that there is a larger benefit, and they could then choose to deny service to such customers. 

In another scenario, a developer of Internet-connected devices such as a smart watch wants to analyse its users' personal data to improve the user experience for its services, but it is unable to get consent through the smartwatch interface. Under the proposed changes, it could be allowed to do so, provided it does not have any adverse impact on consumers.

The proposed new rules would just require them to notify customers in any manner of their choosing, for instance via their website.

The Personal Data Protection Commission (PDPC) also mooted the introduction of a mandatory data breach notification regime under the PDPA.

This means that companies will need to notify affected customers as soon as possible if their data, such as NRIC numbers, credit card information and passwords, has been breached. 

If the scale of the breach is at 500 or more affected consumers, the company would need to inform the PDPC within 72 hours.

The PDPC is seeking views on these proposals through a public consultation from July 27 to Sept  21, with an eye on effecting these changes by 2019.

Urging companies to use data responsibly, Dr Yaacob said whether the potential of data can be realised will boil down to trust, that companies will collect and use data sensibly and protect it well.