The Personal Data Protection Act (PDPA) came into effect on 1 July 2014, and was developed with reference to international frameworks, namely the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) and the APEC Privacy Framework, and data protection laws of jurisdictions such as the European Union, the United Kingdom, Hong Kong, Canada, Australia and New Zealand.
In view of technological advances and global developments, such as Big Data, cybersecurity and cyberterrorism, Internet of Things and Artificial Intelligence, the Personal Data Protection Commission (PDPC) is considering other possible bases for collecting, using and disclosing personal data under the PDPA, as well as the need for mandatory data breach notifications to PDPC and affected individuals under the PDPA. The PDPC is also cognisant that there may be instances where consent is not desirable or appropriate, such as for detection of fraud or security threats.
The PDPC is therefore considering 2 main amendments to the PDPA:
- enhanced framework for the collection, use and disclosure of personal data (the “Enhanced Framework”); and
- mandatory data breach notification framework.