Vast amounts of data are collected from or about individuals every day, then used and transferred by businesses. Any business that handles personal data, in any form, must therefore comply with the applicable data protection requirements. The Singapore government, recognising the security and privacy concerns that have arisen around personal information in recent years, has sought to assure its residents that businesses use their data in a secure and accountable manner.

The Singapore Personal Data Protection Act 2012 ('PDPA') governs the collection, use, and disclosure of personal data by organisations in Singapore. The PDPA was amended in 2020, with the amendments brought into force in phases; the provisions on increased financial penalties took effect on 1 October 2022. One of the major talking points is the higher financial penalties now available for breaches of the Act.

Since 1 October 2022, the maximum financial penalty for a business that breaches the PDPA is one million SGD, or, for a business whose annual turnover in Singapore exceeds 10 million SGD, 10% of that annual turnover in Singapore, whichever is higher. Measured against the fines available under the EU General Data Protection Regulation ('GDPR'), whose fixed cap is 20 million EUR, the PDPA's fixed cap remains much lower; nonetheless, businesses with significant operations in Singapore are exposed to substantial monetary penalties if they fail to comply.

The amended PDPA now shares many provisions with the GDPR. For a business to be compliant with the PDPA, there are nine primary data protection obligations, outlined below:

  • Consent: personal data may only be collected, used, or disclosed with the individual's consent, unless an exception under the Act applies.
  • Purpose Limitation: personal data may only be collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances, and, where consent is relied on, only for the purposes the individual was informed of. Businesses must not use data for any purpose other than those stated.
  • Notification: individuals must be informed of the purposes for which their data is being collected, used, and disclosed on or before the time of collection, so that consent is informed.
  • Access and Correction: individuals have the right to access the personal data a business holds about them and to learn how it has been used or disclosed in the past year. They also have the right to request correction of any error or omission.
  • Accuracy: businesses must make a reasonable effort to ensure that the personal data they hold is accurate and complete, particularly where it is likely to be used to make a decision affecting the individual or to be disclosed to another organisation.
  • Protection: businesses must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal of personal data, and the loss of any storage medium or device on which it is stored.
  • Retention Limitation: personal data may only be kept for as long as it is needed for a business or legal purpose. Once that purpose is no longer served, the data must be deleted or anonymised.
  • Transfer Limitation: personal data may not be transferred outside Singapore unless the recipient is bound to provide a standard of protection comparable to that of the PDPA.
  • National Do Not Call (DNC) Registry: Singapore telephone numbers registered in the DNC Registry must not be sent unsolicited marketing messages or calls, unless the recipient has given clear and unambiguous consent.

The 2020 amendments to the PDPA also introduced a mandatory data breach notification obligation. Under the amended Act, a business that suffers a notifiable data breach (one likely to result in significant harm to the affected individuals, or affecting 500 or more individuals) must notify the Personal Data Protection Commission as soon as practicable, and no later than three calendar days after assessing that the breach is notifiable, and must also notify the affected individuals where the breach is likely to cause them significant harm.

The rationale behind these amendments and the heavier penalty regime reflects the Singapore government's commitment to striking a balance between allowing organisations to harness data for innovation and growth and ensuring proper safeguards and accountability. Organisations are advised to review their data protection policies and practices against the PDPA's obligations to avoid attracting substantial penalties.