Singapore plans higher fines for data breaches

Out-Law News | 18 May 2020 | 4:22 pm | 2 min. read

The Singapore government is proposing to hike fines for companies breaching data protection laws in the first general review of its data protection legislation since 2012.

The proposed changes to the country’s Personal Data Protection Act (PDPA) would see the fines for breaching laws rise to 10% of a company’s annual turnover, or S$1 million (£1m), whichever is higher. Firms are currently liable for penalties of up to S$1m.

Other amendments to the PDPA include the introduction of a mandatory breach notification requirement; enhancement to the framework for the collection, use and disclosure of personal data; and the introduction of offences for egregious mishandling of personal data.

Data protection expert Bryan Tan of Pinsent Masons, the law firm behind Out-Law, said: “To be fair, this has been anticipated for some time given the very real threat in the realm of all things cyber and how it has affected Singapore. It also brings Singapore closer in line with similar standards in jurisdictions like the EU’s General Data Protection Regulation.”

The proposal to increase fines for data breaches is designed to enhance the effectiveness of the Personal Data Protection Commission’s (PDPC) enforcement powers.

The amendments would see the introduction of a mandatory data breach notification requirement, with organisations required to notify the PDPC within three days of a data breach that results in, or is likely to result in, significant harm to affected individuals. Firms would also be required to notify the affected individuals if the data breach was likely to result in significant harm to them.

The PDPA will be amended to provide the PDPC with the power to establish or approve mediation schemes to resolve disputes between parties.

The proposals (26-page / 480KB PDF) expand the definition of ‘deemed consent’ for the use and processing of personal data for business purposes. Consent would be assumed in circumstances where the collection, use or disclosure of personal data is “reasonably necessary” for a contract or transaction; or where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt out, and have not opted out.

The amendments would introduce new exceptions for legitimate interests and business improvement, enabling organisations to collect, use or disclose personal data for legitimate interests in circumstances where there are larger public or systemic benefits but obtaining consent may not be appropriate.

A new data portability obligation will enable individuals to request a copy of their personal data to be transmitted to another organisation, enabling them to switch service providers more easily.

Meanwhile, revised ‘Do Not Call’ provisions will prohibit the sending of unsolicited telephone messages through the use of dictionary attacks and address-harvesting software, and the Spam Control Act will be amended to cover commercial text messages sent to instant messaging accounts and in bulk.

The PDPC will be able to issue directions and impose financial penalties for infringement of the provisions.