The European Commission has made a sustained effort to strengthen data privacy protections for people in the European Union (EU). The EU Parliament approved the General Data Protection Regulation (“GDPR”) in April 2016, and it became applicable on 25 May 2018.
GDPR has been described as the most significant piece of privacy regulation in the EU in over two decades. It is also frequently compared with the Personal Data Protection Act (PDPA), a title used by the data protection statutes of several jurisdictions; the penalties cited below are those of Singapore’s PDPA, which is enforced by the Personal Data Protection Commission.
Although the General Data Protection Regulation and the Personal Data Protection Act are both regulatory efforts to protect data privacy, the two work rather differently.
A major difference between GDPR and PDPA is how “consent” is defined and obtained.
The GDPR requires that consent be freely given, specific, informed, and unambiguous, and that it be expressed by a clear affirmative action of the data subject (explicit consent is additionally required for special categories of data, such as health data). A request for consent must be presented in plain, intelligible, and easily accessible language and must be clearly distinguishable from other matters in the same document. Silence, pre-ticked boxes, inactivity, and vague or blanket consent do not satisfy the GDPR.
The PDPA, by contrast, does not prescribe how a request for consent must be worded. It also permits “deemed consent” in many contexts: an individual who voluntarily provides personal data to an organization for a purpose is treated as having consented to its collection, use, and disclosure for that purpose, even though no express consent was ever given.
The PDPA also contains an extensive list of exceptions to the consent requirement that, in many cases, weaken the protections the Act otherwise provides. The GDPR likewise offers “lawful bases” other than consent for collecting and using personal data (performance of a contract, compliance with a legal obligation, protection of vital interests, a task in the public interest, and legitimate interests), which in some ways resemble the PDPA’s exceptions, but the GDPR’s lawful bases are more narrowly defined, tighter, and far less prone to circumvention or abuse.
The GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the specified purpose for which it is processed, and nothing more. This is the Data Minimization principle.
An explicit data minimization principle is a feature of the GDPR with no direct counterpart in the PDPA. It restricts the collection of personal data to what is actually needed, wherever and whenever possible.
Concept of Personal Data
Another noteworthy difference between the two is how personal data is defined and how far each law reaches. Under the GDPR, personal data is any information relating to an identified or identifiable natural person (the “data subject”), that is, any person who can be identified from it, whether directly or indirectly.
The PDPA is framed around the collection, use, and disclosure of personal data for commercial purposes within its own jurisdiction. The GDPR, on the other hand, applies to any business that offers goods or services to individuals in the EU, or monitors their behavior there, regardless of where that business is based.
Fines and Penalties for Noncompliance
Another major difference between the GDPR and the PDPA is how offenses are prosecuted and how penalties are imposed.
For noncompliance by an individual:
- PDPA: a fine not exceeding S$5,000 to S$10,000 (depending on the offense), or imprisonment of up to 12 months
- GDPR: not specified in the Regulation itself; its administrative fines are directed at controllers and processors (firms and organizations rather than individuals), and penalties for individuals are left to each member state’s national law
For organizations in breach:
- PDPA: the Personal Data Protection Commission has the power to direct an organization in breach to pay a financial penalty of up to S$1 million, depending on the offense
- GDPR: for the most serious infringements, a fine of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of up to EUR 10 million or 2% applies to other infringements