4 reasons why Singapore’s PDPA is not protecting you enough, and how the GDPR could

GDPR has gone live.

With GDPR, is PDPA still relevant to Singapore companies?

Ever since 2014, Singapore’s Personal Data Protection Act, or PDPA, has been a buzzword among SMEs and businesses in Singapore.

Indeed, personal data protection laws are getting stricter by the day, and it is no longer a surprise to see companies in the headlines for data breaches. Recently, media marketing firm Social Metric was fined $18,000 for exposing its database on the internet without proper protection, and another 19 companies have also been taken to task.

While the PDPA signifies a huge improvement in data protection, it is unfortunately still a far cry from sufficient in protecting Singaporeans, especially when compared with the European Union’s General Data Protection Regulation (GDPR).

Hence, we have compiled 4 reasons why your personal data may have fallen through the cracks despite the seemingly formidable PDPA, and an insight into how the new GDPR could help.

1. Many local companies still do not know how to incorporate data protection laws into their daily operations.

Even though it has been three years since the law came into force, many companies have yet to integrate adequate security measures into their operations. According to The Straits Times, almost all companies that had committed an offence breached the same obligation: the lack of necessary security measures. One good example is the e-commerce company ComGateway, which was penalised for insufficiently protecting the personal data of 108,085 customers, leaving it easily exposed to hackers. Hence, it is unfortunate but highly probable that hackers already have their eyes on your data.

2. Limited Scope of PDPA

The PDPA has a relatively limited scope and hence you may not be as protected as you think. The following is a summary of what the PDPA excludes (source):

  • The PDPA does not apply to organisations acting as an agent for public agencies or for public sector activities
  • Business contact information is excluded from the PDPA’s data protection obligations
  • No minimum age of consent (this means that young children who may not fully comprehend terms and policies could be misled into disclosing their personal information)

3. Data Minimization and Relevancy

Remember that puzzling moment when you wanted to download a gaming app and it requested access to your photos and contacts? What is the connection?

Indeed, many companies are collecting far too much of your personal data. According to Section 18(a) of the PDPA, an organisation may collect, use or disclose personal data only for purposes that a reasonable person would consider appropriate in the circumstances.

While this provides a certain level of protection against “unreasonable demands for personal data”, the absence of a requirement for a “specified, explicit and legitimate purpose” to collect data leaves many grey areas that companies can take advantage of to collect more of your data. As long as they can argue that it is “reasonable” to collect the excess data, you no longer have a say over your personal information.

Indeed, this is quite worrying: all your private photos and videos are in the hands of companies and data analysts.

4. Vague Consent

Yes, we all have the “right to privacy”.

  • According to Section 13, consent is required before personal data can be collected, used or disclosed.
  • According to Section 14, consent is only valid if the individual is first notified of the purpose of the collection, and if no false, misleading or deceptive practice has been used to obtain it. (Source)

However, if you truly think that we have the “right to privacy”, we urge you to think twice.

The following are the reasons:

  • Firstly, the PDPA recognises the validity of “deemed consent”. An individual is deemed to have consented when he or she voluntarily provides personal data for a purpose and it is reasonable that he or she would do so; data voluntarily provided to one organisation can then be passed on to another organisation for that same purpose. This means that if you provide your data without fully realising it, that may still qualify as “deemed consent”. Hence, the overly ambiguous definition of “consent” puts us at risk.
  • Secondly, there are quite a few notable exceptions where consent is not needed at all (Section 17):

Collection of personal data: Second schedule
Use of personal data: Third schedule
Disclosure of personal data: Fourth schedule

  • Last but not least, we are often confronted with a long list of terms and conditions that we never find the patience to read. Some companies even use “pre-ticked” boxes to make it easy for us to grant them permission to all our data. Hence, while we did give “consent” to these companies, we actually had no idea what we were agreeing to. It seems that the PDPA has a long way to go before it can ensure that individuals are truly informed. One possible fix would be to require positive opt-in boxes (unticked by default) when asking for consent.

What about GDPR?

Before we even get there, let’s ask ourselves: what is the difference between the PDPA and the GDPR? Construct Digital wrote a comprehensive comparison article about this, which we will not repeat here. What we will do instead is distil how this new GDPR regulation will affect you.

Wait, how does the GDPR affect me? Isn’t it an EU regulation?

Well, regardless of where a company is in the world, as long as it processes the personal data of individuals in the EU (for example by offering them goods or services, or monitoring their behaviour), the GDPR applies to that company.

Here is what we think the 4 key points of the GDPR are:

(i) Consent – Individuals must be given a request for consent that is intelligible and easily accessible.

In essence, companies need to be a lot more explicit when requesting consent for our data.

(ii) Right to Access – Data subjects must be able to easily access their personal data in the possession of data controllers and be provided a copy in electronic format for free.

Companies will need to give us access to what they collected from us.

(iii) Right to delete (the “right to be forgotten”) – Data subjects have the right to have their personal data erased, to have it no longer disseminated, and to have third parties halt processing of it.

Companies will need to delete our data if we request them to, and provide an accessible way to do so.

(iv) Accountability – Companies (data controllers) must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, the company must also inform those individuals without undue delay.

Companies will need to tell us about any data breaches affecting us.

How would GDPR help?

  • It tackles the problem of the PDPA’s limited scope.

The GDPR sets a threshold of 16 years old for a child to consent to online services on their own (individual member states may lower this to no less than 13); below that age, a parent or guardian must give consent. This means children are far less likely to be unknowingly misled into divulging their personal information.

  • Data requests and consent have to be relevant and more specific.

Remember when we said that some apps take personal data that is not even relevant to their functions? Under the GDPR, apps are no longer allowed to rely on vague or blanket consent for your personal data. What’s more, they are also not allowed to bury their consent requests in their terms and conditions.

This means there will be more transparency in the way companies collect and use your data, and more assurance that what they collect is relevant.

Written by

JJ Huang

JJ is the Co-Founder of Novocall. When he’s not busy building the Novocall brand, he spends his time watching crime shows and documentaries.
