The Consent Obligation – changes as the good, the bad and the ugly?

2020-06-24

On 2 November 2020, the Singapore Parliament passed the Personal Data Protection (Amendment) Bill 2020. There are numerous changes that relate to the Consent Obligation in the Personal Data Protection Act, the PDPA.

Here we will go back to basics first – some 'Consent 101' – and then go through the proposed changes to the Consent Obligation under the PDPA. In a separate paper, we will look at changes to the exceptions to the need for consent under the PDPA and the addition of new exceptions to the need for consent.

Consent 101

When it published its enforcement decision in a case involving the German European School Singapore (GESS) in June 2019, the Commission made the following points clear about various types of consent:

1. Express consent – where there is express consent, an individual specifically signs up – or clicks, say, 'submit' as the electronic equivalent to signing – to something like 'I hereby consent to ________ '

2. Implied consent – as lawyers, we sometimes call this 'consent by conduct'

In the GESS case, the Commission found that by signing to confirm agreement with the school's by-laws annually, the student's parent(s) gave implied consent to the rule in those by-laws that provided for random drug testing of students.

In our everyday lives we may often give implied consent without really knowing that we are doing so. For example, when we receive a new credit card the terms and conditions will always say something like 'By your first use of this credit card, you consent to / accept our terms and conditions of use'.

3. Deemed consent – in the GESS case, the Commission made it clear that deemed consent under the PDPA is 'consent by operation of law'. This means that if the conditions set out in the PDPA are satisfied, consent is given irrespective of the intention of an individual. By contrast, under both express consent and implied consent there is an actual consent with an intention to give it (even while the individual may not be conscious of it in the case of an implied consent).

There are two sets of conditions in which deemed consent operates under the PDPA at present:

(1) first party deemed consent – where

(a) the individual voluntarily provides personal data for a purpose and

(b) it is reasonable that the individual would voluntarily provide personal data for that purpose and

(2) third party deemed consent – where

(a) an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation (a 'disclosing organisation') to another organisation (a 'recipient organisation') for a particular purpose and

(b) the recipient organisation may collect, use or disclose that personal data for that particular purpose

Express consent can be given on either an 'opt-in' basis or on an 'opt-out' basis. (Perhaps there could be occasions when an opt-out basis might apply to implied consent, but examples do not readily come to mind.) 

Whether an individual either opts in or opts out of a consent by operation of law – that is, a deemed consent under the PDPA – would not be thought to be conceptually possible. Either the law operates to give rise to the consent or it does not. However, as will be seen below, the proposed changes to the PDPA include a deemed consent by notification with the ability for an individual to notify the organisation that the individual does not consent. In the Public Consultation Paper, the Commission refers to the individual being able to opt out of the deemed consent.

Consent on an 'opt-in' basis requires an individual to do something affirmative (such as tick a box). If the individual does nothing, no express consent is given. Consent on an 'opt-out' basis means that consent is automatic in the sense that if the individual does nothing (such as failing to un-tick a box), express consent is given. Opt-out consent is prohibited by the data protection law in many countries; it is not prohibited by the PDPA, although it is clear from its Advisory Guidelines that the Commission frowns on it.

The PDPA as a 'consent-first' law

The PDPA is a 'consent-first' law, in the sense that consent to collection, use or disclosure of personal data is always required, unless there is an exception to the need for consent. The PDPA requires actual consent (either express or implied), though it also provides for deemed consent. It sets out exceptions from the need for consent (of any type) in its Second, Third and Fourth Schedules.

Some other data protection laws require a 'lawful basis' for collecting, using or disclosing personal data. In at least some such cases, such as the General Data Protection Regulation (GDPR), consent is the correct lawful basis only if none of the other alternatives is available. Such laws might be said to be 'consent-last' laws.

The trinity – the notification obligation, the purpose limitation obligation and the consent obligation

Generally, under the PDPA, in order to obtain the express or implied consent of an individual to collection, use or disclosure of personal data about them, an organisation must notify them (the notification obligation) of the purpose or purposes for which the organisation will collect, use or disclose (the purpose limitation obligation) personal data about them. The individual is then equipped to provide their consent (the consent obligation).

Where an organisation relies on deemed consent, notification of purpose is not relevant under the PDPA because deemed consent relies on the purpose being obvious – to put it another way, there is no deemed consent unless the purpose is obvious.

With one exception, where an organisation relies on an exception to the need for consent to collect, use or disclose personal data, notification of purpose is similarly not relevant under the PDPA. The exception arises where personal data is collected, used or disclosed for the purpose of managing and terminating an employment relationship. In that case, the PDPA specifically requires notification of the purpose(s).

Proposed Changes to the PDPA – expansion of deemed consent

The PDPA contemplates deemed consent – that is, consent by operation of law – first party deemed consent and third party deemed consent, as set out above.

First party deemed consent remains unchanged by the draft amendment bill, while third party deemed consent is explained and, perhaps, expanded by it.

In its Public Consultation Paper, the Commission remarks that the proposed enhancements to consent are broadly similar to approaches under the data protection frameworks in jurisdictions such as Australia, British Columbia, New Zealand and the European Union. The Commission says that these enhancements will also help reduce compliance costs and facilitate organisations' use and processing of personal data for business purposes.

Comparison with the General Data Protection Regulation (GDPR)

By way of background, some readers may be aware that the GDPR requires a 'lawful basis' for processing personal data. There are six possible lawful bases, including:

1. where the individual / data subject has given consent to the processing of their personal data for one or more specific purposes 

2. processing is necessary for the performance of a contract to which the data subject / individual is party or in order to take steps at the request of the data subject / individual prior to entering into a contract

Under the PDPA, the only lawful basis of processing – though the PDPA does not use any such words – is consent. Consent may be actual consent or consent by operation of law / deemed consent. Of course, there are also exceptions from the need for consent.

The proposed changes to the PDPA are an expansion of consent by operation of law / deemed consent. They are not additional lawful bases for collecting, using or disclosing personal data.

It is worth noting, too, that the lawful basis for processing under the GDPR that relates to contracts refers only to the data subject / individual as one party to the contract and the organisation as the other party to the contract. The proposed changes to the PDPA refer to three parties: (1) the data subject / individual as one party to the contract, (2) the organisation as the other party to the contract and (3) a third party that is another organisation that is not a party to the contract.

Deemed consent for the purpose of entering into a contract

The first change deals with a situation where an individual, (P), provides personal data to an organisation, (A), with a view to P entering into a contract with A. In such a case, consent by operation of law / deemed consent is expanded to a case where P is deemed to consent to:

(a) the disclosure of that personal data by A to another organisation, (B), where the disclosure is reasonably necessary for the conclusion of the contract between P and A

(b) the collection and use of that personal data by B, where the collection and use is reasonably necessary for the conclusion of the contract between P and A

(c) the disclosure of that personal data by B to another organisation where the disclosure is reasonably necessary for the conclusion of the contract between P and A.

However, the deemed consent in paragraph (a) above does not affect any obligation under the contract between P and A that specifies or restricts the personal data provided by P that A may disclose to another organisation.

In addition, the deemed consent in paragraph (a) above does not affect any obligation under the contract between P and A that specifies the purposes for which A may disclose the personal data provided by P to another organisation.

Deemed consent for the purpose of performing a contract

The second change deals with a situation where an individual, (P), enters into a contract with an organisation, (A), and provides personal data to A. In such a case, consent by operation of law / deemed consent is expanded to a case where P is deemed to consent to:

(a) the disclosure of that personal data by A to another organisation, (B), where the disclosure is reasonably necessary:

(i) for the performance of the contract between P and A or

(ii) for the conclusion or performance of a contract between A and B which is entered into:

A. at P's request or 

B. if a reasonable person would consider the contract to be in P's interest

(b) the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a)

(c) the disclosure of that personal data by B to another organisation where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a).

Again, however, the deemed consent in paragraph (a) above does not affect any obligation under the contract between P and A that specifies or restricts the personal data provided by P that A may disclose to another organisation. And, again, the deemed consent in paragraph (a) above does not affect any obligation under the contract between P and A that specifies the purposes for which A may disclose the personal data provided by P to another organisation.

Deemed consent by notification

The third change is to introduce a concept of 'deemed consent by notification', as a substitute for express consent. Presumably, the Commission intends deemed consent by notification to apply where obtaining express consent would be unreasonably burdensome and where the relevant individuals would not be expected to withhold consent in any event – for example, because goods or services (perhaps under the overall umbrella of the Internet of Things (IoT)) purchased by an individual would not work without collection, use or disclosure of personal data.

In order for 'deemed consent by notification' to apply, an organisation must, before collecting, using or disclosing any personal data about an individual, make the following assessment, enable the relevant individual to opt out of the deemed consent and ensure that the purpose for the collection, use or disclosure of personal data is not a prescribed purpose.

1. The organisation must conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual. In this assessment, the organisation must identify any adverse effect that the proposed collection, use or disclosure of the personal data for the relevant purpose is likely to have on the individual. It must then identify and implement reasonable measures to eliminate that adverse effect or to reduce the likelihood that the adverse effect will occur or to mitigate the adverse effect. It must also comply with any other requirements that are yet to be prescribed.

2. To enable the relevant individual to opt out of the deemed consent, the organisation must take reasonable steps to bring the following information to the attention of the individual:

  • the organisation's intention to collect, use or disclose the personal data
  • the purpose for which the personal data will be collected, used or disclosed
  • a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation's proposed collection, use or disclosure of the personal data

3. For deemed consent by notification to apply, the collection, use or disclosure of personal data about the individual must not be for any prescribed purpose. Purposes are yet to be prescribed in relation to deemed consent by notification.

However, the Commission states in its Public Consultation Paper that organisations may not rely on deemed consent by notification to obtain consent to send direct marketing messages to individuals, so it may reasonably be expected that marketing will be a prescribed purpose in due course.

An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if:

(a) the organisation has conducted the assessment described above and provided the required information to enable the individual to opt out of the deemed consent and

(b) the individual does not notify the organisation, before the expiry of the reasonable period within which the individual may notify the organisation that they do not consent to the proposed collection, use or disclosure of the personal data by the organisation.



Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.





