Exceptional Exceptions To Consent

2020-06-24

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online consultation on the Personal Data Protection (Amendment) Bill 2020. There are numerous proposed changes that relate to the Consent Obligation in the Personal Data Protection Act, the PDPA.

Here we will look at changes in relation to exceptions from consent. In summary, the draft amendment bill adds two new exceptions from the need for consent, makes some changes in connection with the 'research' exception to consent and re-arranges the Second, Third and Fourth Schedules to the PDPA without making any additional substantial changes to them. In a separate paper, we will look at some 'Consent 101' basics and look at the proposed changes to the Consent Obligation under the PDPA.

The PDPA as a 'consent-first' law

The PDPA is a 'consent-first' law, in the sense that consent to collection, use or disclosure of personal data is always required, unless there is an exception to the need for consent. The PDPA requires actual consent (which may be either express or implied) and provides for deemed consent. It also sets out exceptions from the need for consent (of any type) in its Second, Third and Fourth Schedules.

Some other data protection laws require a 'lawful basis' for collecting, using or disclosing personal data. In at least some such cases, such as the General Data Protection Regulation (GDPR), consent is the correct lawful basis only if none of the other alternatives is available. Such laws might be said to be 'consent-last' laws.

New exception to consent - legitimate interests

Background

The draft amendment bill adds 'legitimate interests' to the purposes for which an organisation may collect, use or disclose personal data about an individual without the consent of the individual.

Before we look at it, it is important to note that:

  1. the proposed concept of 'legitimate interests' under the PDPA as an exception from the need for consent and
  2. the concept of 'legitimate interests' as a lawful basis for processing under the General Data Protection Regulation (GDPR),

should not be confused with each other and, in particular, must not be assumed to be the same. This is the case even though they appear to have a similar practical outcome - the rights of the individual / data subject under the GDPR differ depending on whether consent or 'legitimate interests' is the correct lawful basis for processing personal data.

First, they differ conceptually in how they function, as set out above.

Second, under the GDPR, the legitimate interests of the organisation / data controller must be balanced against the rights and freedoms of individuals in relation to their personal data. This is because the GDPR is based on, among other things, concepts relating to human rights.

The PDPA does not have a human rights basis. Instead, it recognises both the right of individuals to protect their personal data and the need for organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

In the Public Consultation Paper, the Commission says that the circumstances in which this new exception to consent could be used include the purposes of detecting or preventing illegal activities (for example, fraud and money laundering) or threats to physical safety and security, ensuring IT and network security and preventing misuse of services.

Not available in relation to telemarketing, etc.

The legitimate interests exception to the need for consent will not apply to the collection, use or disclosure of personal data about an individual for the purpose of sending a 'specified message' - that is, a marketing message - to a Singapore telephone number.

In other words, 'legitimate interests' cannot be used to 'get around' the Do Not Call provisions in the PDPA.

Legitimate interests exception to consent

Subject to two conditions, the draft amendment bill proposes that an organisation may collect, use or disclose personal data about an individual without their consent if:

  1. such collection, use or disclosure of personal data is in the legitimate interests of the organisation and
  2. the benefit to the public or any section of the public of such collection, use or disclosure of personal data is greater than any adverse effect on the individual - 'benefit' includes any economic, social or security benefit to the public or a section of the public

'Benefit' is defined only in relation to the above rule. 'Adverse effect' is used several times in the proposed amendments to the PDPA, but is not defined at all. It is not possible to assess whether 'adverse effect' might, too, be defined to include any economic, social or security benefit to the individual or whether it will be a case of 'you recognise it when you see it'. Perhaps the Commission will issue advisory guidelines in due course about how it will assess an 'adverse effect on the individual'.

The first condition is that the organisation must conduct an assessment, before collecting, using or disclosing the personal data, to determine whether both of the above requirements are satisfied. The assessment must include:

  1. the identification of any adverse effect that the proposed disclosure, use or collection of personal data about an individual is likely to have on the individual
  2. the identification and implementation of any measure to eliminate the adverse effect
  3. where it is not possible to eliminate the adverse effect, the identification and implementation of any measure to reduce the likelihood that the adverse effect will affect the individual
  4. where it is not possible to eliminate the adverse effect or reduce the likelihood that the adverse effect will affect the individual, the mitigation of the adverse effect

The second condition is that the organisation must inform the individual, in any reasonable manner, that it is collecting, using or disclosing personal data under the legitimate interests exception to consent.

New exception to consent - business improvements

The following exception from the need for consent to collect, use or disclose personal data about an individual applies if, and only if:

  1. the purpose for which the organisation uses the personal data cannot reasonably be achieved without the use of the personal data in an individually identifiable form and
  2. the use of the personal data by the organisation does not have any adverse effect on the individual to whom the personal data relates

The draft amendment bill proposes that an organisation may use personal data about an individual without their consent:

  1. to improve or enhance any goods or services provided by the organisation, or develop new goods or services
  2. to improve or enhance the methods or processes, or develop new methods or processes, for the operations of the organisation
  3. to learn about and understand the behaviour and preferences of the individual or any other customer of the organisation in relation to the goods or services provided by the organisation
  4. to identify goods or services provided by the organisation that may be suitable for the customers of the organisation other than individual customers

In the Public Consultation Paper, the Commission said that this new exception will provide clarity for organisations to confidently harness personal data for business improvement purposes. Such use must be what a reasonable person would consider appropriate in the circumstances (in order to comply with the Purpose Limitation Obligation).

Revisions to the 'research purposes' exception to consent

Background

At present, personal data can be used by an organisation for a research purpose, including historical or statistical research, if:

  1. the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form
  2. it is impracticable for the organisation to seek the consent of the individual for the use
  3. the personal data will not be used to contact persons to ask them to participate in the research and
  4. linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest

In the Public Consultation Paper, the Commission said that the research exception would be revised to introduce conditions that ensure appropriate accountability measures are in place. The revised exception would, it said, impose less stringent restrictions on organisations using personal data for research purposes.

The Commission said this is intended to enable organisations to carry out research beyond the purposes of improving business products or services. For example, it said that the research exception may apply to research institutes carrying out scientific research and development, educational institutes that conduct market research into arts and social science and organisations that carry out market research to understand potential customer segments.

Under the proposed changes, personal data can be used by an organisation for a research purpose (including historical or statistical research) if:

  1. the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form - no change from the existing wording
  2. the use of the personal data for the research purpose will not have an adverse effect on the individual - CHANGED 
  3. the results of the research will not be used by the organisation in any way that has an adverse effect on the individual - CHANGED - and
  4. in the event that the results of the research are published, the organisation must publish the results in a form that does not identify any individual - CHANGED

Changed approach to setting out exceptions from consent

At present, the PDPA deals with exceptions to consent by setting out in section 17 of the PDPA that:

  • personal data may be collected without consent, as set out in the Second Schedule to the PDPA
  • personal data may be used without consent, as set out in the Third Schedule to the PDPA
  • personal data may be disclosed without consent, as set out in the Fourth Schedule to the PDPA

This approach resulted in quite a bit of back and forth between the various schedules to understand what could and could not be done and on what conditions. The draft amendment bill introduces significant streamlining that results in the exceptions to consent being considerably easier to understand and, therefore, to use. There have also been some changes to the wording in some cases, so it is worth checking on the exact content of an exception in the future, rather than relying on it being the same as it was in the past.

The draft bill deletes the existing Second Schedule, Third Schedule and Fourth Schedule to the PDPA and replaces them with the following:

1. A new First Schedule - the original first schedule was repealed when the PDPA was amended in 2016 - headed 'Collection, Use and Disclosure of Personal Data Without Consent'

The new First Schedule is divided into the following three parts:

  1. Part 1 - Vital Interests of Individuals - this part contains the 'interests of the individual' exception and the 'response to an emergency' exception in more or less the same terms as they exist at present.
  2. Part 2 - Matters Affecting the Public - this part contains the 'publicly available information' exception, the 'national interest' exception, the 'artistic or literary purposes' exception and the 'news organisation' exception in more or less the same terms as they exist at present and adds a new 'archival or historical purposes' exception.
  3. Part 3 - Legitimate Interests of Organisations - this part contains the new 'legitimate interests' exception outlined above. It also contains the existing exceptions for 'evaluative purposes', 'investigations and proceedings', 'debt recovery', 'legal services', 'credit bureau and credit reporting', 'private trusts', 'personal or domestic services', 'business documents' and 'managing and terminating employment relationships' in more or less the same terms as they exist at present. Finally, it contains the existing 'business asset transactions' exception with reasonably extensive amendments.

2. A new Second Schedule headed 'Additional Bases for Collection, Use and Disclosure of Personal Data Without Individual's Consent'.

The new Second Schedule is divided into the following three parts:

a. Part 1 - Collection of Personal Data - this part provides only for the collection of personal data about an individual without the consent of the individual, if:

  1. the personal data was disclosed by a public agency and
  2. the collection of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency

This prevents, for example, collection of personal data from ACRA without consent for a purpose - such as direct marketing - that is not consistent with the purpose for which ACRA discloses the personal data (which is to enable due diligence to be conducted about companies, their shareholders, their directors, etc.).

b. Part 2 - Use of Personal Data - this part provides for the use of personal data for business enhancement purposes (as set out above), the use of personal data for research purposes (as set out above) and the use of personal data about an individual without the consent of the individual, if:

  1. the personal data was disclosed by a public agency and
  2. the use of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency

This prevents, for example, use of personal data disclosed by ACRA without consent for a purpose - such as direct marketing - that is not consistent with the purpose for which ACRA discloses the personal data.

c. Part 3 - Disclosure of Personal Data Without Consent - this part contains the 'public agency' exception, 'student' exception, 'patient' exception, 'disclosure to law enforcement' exception and 'research purposes' exceptions in more or less the same terms as they exist at present.


Written by Lyn Boxall, Director, Lyn Boxall LLC


The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.

