Singapore Personal Data Protection Act (PDPA): all you need to know

Following widespread calls for stronger protection in the wake of the General Data Protection Regulation (GDPR), countries globally are tightening their grip on data privacy. Singapore is no exception. One of the world’s fastest-growing economies, the country has fortified its commitment to safeguarding individuals' personal data by updating its Personal Data Protection Act (PDPA) in 2020. In this article, we delve into the intricate web of data privacy laws in Singapore: the rights available to data subjects, the obligations that define its stance on data privacy, and — the obvious question — how to comply.

Singapore data privacy law: An overview

Let's cover the basics before looking at the scope, requirements, and how to comply with Singapore's data protection laws.

The Personal Data Protection Act ("The PDPA")

The Personal Data Protection Act (PDPA) governs Singapore's data privacy regulations. First enacted on October 15, 2012, it was updated to keep pace with the GDPR through the Personal Data Protection (Amendment) Act 2020 (together, the “Act”). The PDPA defines “personal data” as any data that can be used to identify an individual, either directly or indirectly. This includes but is not limited to name, address, date of birth, credit card number, and email address. Except where data is provided for solely personal purposes, the PDPA doesn’t apply to business contact information. “Anonymized data” does not fall under the scope of the PDPA.

The maximum fine allowed under the PDPA came into force on October 1, 2022. In other news, the unicameral legislature of the Republic of Singapore has passed the right to data portability into law. However, it’s yet to come into force.

Other laws in Singapore

Supporting the PDPA are a host of sector-specific laws like the Banking Act of 1970 and the Securities and Futures Act of 2001, protecting banking and commercial data (for instance, particulars of bank customers’ accounts).

Besides providing the minimum threshold for data protection for private sector organizations throughout Singapore, the PDPA also set up a 'Do Not Call' registry in its second round of implementation in 2014. Individuals looking to opt out of receiving telemarketing calls and messages are enjoined to list their Singapore phone numbers in this registry.

The telecommunications and media industries in Singapore are also governed by the Info-communications Media Development Authority (IMDA) through the Telecommunications Act 1999 (“the Telecoms Act”) and the Info-communications Media Development Authority Act 2016 (the IMDA Act), respectively.

On 2 May 2022, the IMDA released a consolidated competition code (the “Converged Code”) to regulate the media and telecommunications industry. The Code regulates Facilities-Based Operations (“FBO”) Licensees and Service-Based Operations (SBO) Licensees, including how they use end-user data.

Though not legally binding, resources like the PDPC’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act also offer guidance on how the PDPA is interpreted.

The guidelines prohibit collecting, using, and sharing "sensitive personal data" such as National Registration Identification Card numbers and other national identification numbers (for instance, Foreign Identification Numbers, passport numbers, Work Permit numbers, etc.).

Such data can be used, collected, or shared only in particular circumstances provided for in the PDPA.

Scope of application of the PDPA

Territorial scope

With no express provisions defining the territorial scope, the PDPA is widely deemed to have an extraterritorial effect. This means it applies to the collection, use, and disclosure of personal data within or outside Singapore, whether the controller has a physical presence in or outside of Singapore.

Legal scope

The PDPA covers individuals, bodies of persons, and organizations (whether incorporated or not) located outside or within Singapore. It also introduces and provides for “data intermediaries,” the PDPA equivalent of “data processors” under the GDPR.

Per the PDPA, if a data intermediary processes data in line with the terms spelled out in a written contract with another organization, it doesn't have to follow most of the PDPA rules; it’s only bound by the data security and retention obligations in the PDPA.

National derogations

Individuals acting in a personal or domestic capacity are exempted from following obligations set out in the PDPA.

As a matter of public policy, the Act also doesn’t apply to the public sector — public agencies are bound by a special set of regulations outlined in the Government Instruction Manual on Infocomm Technology & Smart Systems Management (previously known as IM8) and the Public Sector (Governance) Act of 2018. These regulations maintain standards for data protection similar to the PDPA, including the handling of investigations and enforcement actions for data security breaches.

The Act also doesn’t apply to employees acting during their employment with an organization and to any other organization, personal data, or classes of organizations or personal data as prescribed.

Companies can sometimes collect, use, or disclose personal data without consent in cases where the PDPA provides for statutory exceptions. One such instance is where the collection, use, or disclosure of such data is to protect “national interest,” which the PDPA defines to cover issues of national importance like national defense, security, public safety, essential services, or international affairs.

Essential requirements under the PDPA


As outlined by the Personal Data Protection Commission of Singapore (PDPC), the data protection obligations imposed on companies under the PDPA fall into three salient areas of focus: the collection of personal data, the care of personal data, and the individual’s rights over their personal data.

Here’s a quick rundown of the critical requirements of the PDPA:

Collection of Personal Data

Duty to notify

Organizations must inform individuals about the intended purposes of collecting, using, or disclosing their data on or before such collection, use, or disclosure.

Duty to obtain consent

Organizations processing personal data can do so after obtaining consent, which can be revoked. When the supply of a product or service is conditional upon consent (for example, through a paywall), such consent must not extend beyond what is reasonable to provide that product or service.

Where consent is revoked, companies must inform the individual about the potential consequences of withdrawal, after which they must stop collecting, using, or disclosing the said data.

Other legal bases

An organization can collect, use, and disclose personal data without consent under certain conditions:

In the case of legitimate interest, organizations must take measures such as conducting a Data Protection Impact Assessment (DPIA or PIA), be able to clearly explain the situation or purpose that qualifies as a legitimate interest, take steps to reduce the chances of adverse effects, and provide reasonable information to the individual.

Purpose Limitation Obligation

Organizations are compelled to use personal data only for purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has consented.

Care of personal data

Accuracy Obligation

Reasonable efforts are required to maintain the accuracy and completeness of collected personal data, especially if it affects decision-making or may be shared with other organizations.

Duty to protect against data breach

Companies must implement reasonable security arrangements to safeguard personal data against unauthorized access, collection, use, disclosure, and other risks.

Retention Limitation Obligation

Organizations must stop retaining personal data, or dispose of it properly, once it is no longer necessary for business or legal purposes.

Transfer Limitation Obligation

Companies looking to transfer personal data to another country must do so in accordance with regulations, ensuring a standard of protection comparable to that under the PDPA unless exempted by the PDPC.

The individual’s right/autonomy over personal data

Accountability obligation

Organizations must implement measures to comply with the PDPA. This includes making personal data protection policies, practices, and the complaints process frictionless. A readily accessible Data Protection Officer (DPO) must also be appointed.

Access and correction obligation

Upon request, individuals must be granted access to their personal data and provided information about use or disclosure dating back to a year before the request.

Organizations are also required to promptly correct any errors or omissions in such personal data and to transmit the corrected data to other organizations it was disclosed to.

Data portability obligation

At the individual's request, transmit their data, in a commonly used machine-readable format, from the organization's possession or control to another organization.

Mandatory Data Breach Notification

Companies must report certain instances of a breach to the PDPC and the individuals affected as soon as possible (where the breach causes them harm or loss).

The breach should be reported no later than 3 (three) calendar days after the day of assessment. Under the PDPA, “notifiable data breaches” are data breaches that:

  1. Cause significant harm to the affected individuals, and
  2. Are of a significant scale (i.e., affecting 500 or more individuals).

Accordingly, in the event of a breach, organizations must promptly assess whether it qualifies as a “notifiable data breach.”

How to comply with Singapore’s PDPA?

If you control personal data in Singapore or of Singaporean data subjects, you are bound by specific obligations outlined in Parts III to VI of the PDPA:

Enforcement of Singapore’s PDPA

Part II of the PDPA charges the Personal Data Protection Commission (PDPC) to flex its regulatory muscle in enforcing PDPA standards.

Upon investigating complaints of data privacy breaches, the PDPC can impose sanctions on organizations found to be in breach, ranging from administrative fines to directions or warnings. In carrying out enforcement, the PDPC may:

PDPC directions can also be registered with the Singapore District Courts to adopt the enforceability of a court order.

In June 2022, the Commission meted out S$750,000 and S$250,000 fines — the largest fines administered yet — on Integrated Health Information Systems and Singapore Health Services for lack of safeguards to protect the medical records of data subjects, which led to a massive breach from a cyberattack.

Per the PDPA, organizations found guilty of misusing personal data or concealing information regarding its collection, utilization, or disclosure may attract financial penalties not exceeding S$50,000 (approximately $36,000).

Obstructing an investigation conducted by the PDPC may attract fines of no more than S$100,000 (around $72,000).

Criminal penalty

Companies involved in larger-scale breaches may also expect heavy financial sanctions or criminal liability, leading to imprisonment.

Mitigating factors like early detection and response or timely breach notification and aggravating factors like non-cooperation during investigations will be considered.

Civil liability

In the event of a breach of the PDPA's provisions, companies can be liable to individuals suffering harm due to a breach. These individuals can seek the following reliefs:

How does the PDPA stack up to the GDPR?

There are some critical differences between the PDPA and the General Data Protection Regulation (GDPR). For instance:

Across the board, the PDPA and the GDPR are strong data protection laws that protect personal data. However, the GDPR is generally more comprehensive and protective than the PDPA.

How can Didomi help you become compliant with Singapore's data privacy law?

Before anything else, Singapore-specific considerations should be front and center of any attempt toward compliance. Data Protection Impact Assessments, for example, should be a priority in light of the sterner sanctions being rolled out and the now-enlarged scope of deemed consent.

Beyond that, organizations that are subject to the PDPA will likely require a Consent Management Platform (CMP). The Didomi multi-regulation CMP allows our customers to comply with data privacy requirements around the world.

To learn how we assist current customers in handling their global data privacy challenges and discuss how we could help you do the same, book a call with one of our experts today:

Frequently Asked Questions (FAQ)

How can individuals complain about a breach of the PDPA?

Individuals can complain to the Personal Data Protection Commission (PDPC) if they believe that their personal data has been collected, used, or disclosed in breach of the PDPA.

The PDPC will investigate the complaint and take appropriate action, including issuing a warning, directing the organization to rectify the breach, or imposing a fine.

Are there consequences for breaching the PDPA?

Yes. And severe, too. Organizations that breach the PDPA may be fined up to S$1 million or 10% of their annual turnover, whichever is higher.

Individuals found to have willfully or recklessly breached the PDPA may be fined up to S$5,000 or imprisoned for up to two years, or both.

What are the obligations of organizations that experience a data breach?

Under the Mandatory Data Breach Notification Requirement, organizations that experience a data breach must notify individuals whose personal data has been affected as soon as possible.

They must also take reasonable steps to mitigate the breach's impact on individuals.

How can organizations that transfer data overseas comply?

Transferring personal data overseas requires companies to take reasonable steps to ensure that the personal data is protected in accordance with the PDPA.

This may include requiring the overseas recipient of the personal data to contractually agree to protect the personal data in accordance with the PDPA.

What are the obligations of organizations subject to the PDPA but without a physical presence in Singapore?

Companies that are subject to the PDPA but have no physical presence in Singapore must appoint a representative in Singapore to receive legal notices and other communications on behalf of the organization.

The representative must be located in Singapore and must be able to communicate effectively with the Personal Data Protection Commission (PDPC).