Introduction

  • On 21 April 2016, the Personal Data Protection Commission released details of the various enforcement actions it has taken against errant organisations that have infringed the Personal Data Protection Act since the data protection provisions of the Act came into force on 2 July 2014.
  • These cases highlight the Commission’s strong stance against breaches of the data protection obligations and provide organisations with key learning points to take note of.
  • The Commission has also issued a new set of Advisory Guidelines on Enforcement of the Data Protection Provisions, providing greater clarity on the Commission’s approach to enforcement actions.

Background to the PDPC and PDPA

The Personal Data Protection Commission (“PDPC”) is the state authority responsible for all data protection-related issues in Singapore as well as the enforcement of the Personal Data Protection Act 2012 (“PDPA”). Since its establishment in January 2013, the PDPC has been actively seeking to engage and educate both individuals and organisations in relation to the data protection obligations found in the PDPA. This has been done through various means such as the publication of advisory guidelines and other guides, and responding to the public’s queries on newspaper forums.

On 21 April 2016, the PDPC released a report outlining the enforcement actions taken with respect to the data protection obligations under the PDPA which came into full force on 2 July 2014. This provides a first look into the PDPC’s approach to the enforcement of the data protection provisions of the PDPA.

PDPC Release Report On Enforcement Actions

The report released by the PDPC highlights 11 instances in which it took enforcement action. The infringements generally involved the unauthorised disclosure of personal data and the failure by the organisations to implement adequate security measures to protect the personal data in their possession. The penalties meted out by the PDPC for these infringements ranged from a fine of S$50,000 to the issuance of warnings.

What appears to be evident is that the PDPC has been active on the enforcement front, resolving 92% of the 667 data protection complaints it has received by facilitating a solution between the respective complainants and organisations in question following an investigation into the complaint. For more egregious breaches of the PDPA, however, the PDPC has taken stronger enforcement action, issuing directions and warnings against the offending parties and even imposing financial penalties where the breach was deemed to be particularly severe.

Organisation and Data Intermediary found separately liable for breach

Organisations should pay particular attention to the case involving K Box Entertainment Group Pte Ltd (“K Box”) and Finantech Holding Pte Ltd (“Finantech”). K Box was found to have failed to develop an adequately secure and safe IT security system, which resulted in the personal data of its members being leaked via malware that was installed in its systems. For this failure to comply with the obligation to maintain reasonable security measures to protect the personal data in its possession and for the unauthorised disclosure of personal data, the PDPC imposed a financial penalty of S$50,000 on K Box, the highest among the various cases highlighted in this report.

Further, Finantech, which had been engaged to develop and manage a Content Management System for K Box, was similarly found by the PDPC to have failed to address the aforementioned vulnerabilities in the K Box IT security system. This is notable as Finantech received a financial penalty of S$10,000 despite merely acting as a data intermediary for K Box. This highlights that, while the PDPA exempts data intermediaries from most of the data protection obligations contained in the Act, organisations performing the role of a data intermediary are still subject to the PDPA obligations relating to the protection and retention of personal data and are themselves separately and additionally responsible for compliance with these obligations.

Commitments and Undertakings of Compliance

The PDPC also highlighted the fact that one company, Xiaomi Singapore Pte Ltd (“Xiaomi”), was able to resolve the PDPC’s concerns relating to its cloud messaging service by providing commitments to bolster its compliance processes and policies. It is noted that Xiaomi has since carried out the improvement measures set out in its commitments to the satisfaction of the PDPC.

The PDPC also found a separate complaint against Xiaomi to be unfounded.

Factors Determining Severity of Infringement

The PDPC stated in its report that the severity of the infringement was a key consideration in its decision whether to take enforcement action against an infringer or not. In order to provide further insight into this issue, the PDPC has also helpfully highlighted several factors that it would examine in determining the severity of a particular infringement. Such factors broadly include:

  • whether the organisation had previously or subsequently implemented any data protection policies and processes;
  • whether reasonable measures had been taken to prevent or remedy the infringement;
  • whether the organisation had conducted the necessary due diligence to assess the weaknesses of its system and whether it implemented effective rectification actions thereafter;
  • the time taken to remedy the breach once it was discovered; and
  • the number of persons and the type of data that had been affected by the infringement.

In light of the factors highlighted by the PDPC, it would appear that organisations that pre-emptively put the appropriate data protection policies and processes in place may be able to avoid or reduce the penalty they receive under the PDPA should a breach of the data protection obligations occur.

Advisory Guidelines on the Enforcement of the Data Protection Provisions

The PDPC has also issued an additional set of advisory guidelines relating to the enforcement of the data protection obligations in the PDPA (the “Guidelines”). These Guidelines complement the PDPC’s existing set of published advisory guidelines, and deal with issues relating to the PDPC’s enforcement of the PDPA. Issues that are discussed in the Guidelines include how the PDPC will address, investigate, and resolve complaints of data protection breaches that it receives, the directions and penalties the PDPC can impose following the conclusion of an investigation, as well as the rights of review and appeal available to parties who are aggrieved by a decision of the PDPC.

Conclusion

This report on enforcement actions published by the PDPC represents a clear signal that it will actively and diligently seek to enforce the data protection obligations in the PDPA. Given that the data protection obligations of the PDPA have already been in full force for almost 2 years, the PDPC is likely to have a greater expectation that organisations that deal with personal data would be compliant with the various data protection obligations contained in the PDPA by now. It should also be noted that the PDPC has the power to initiate investigations both on its own accord and upon receiving complaints from individuals.

It is also heartening to note the issuance of the new Advisory Guidelines on Enforcement of the Data Protection Provisions, which provides much clarity on the PDPC’s approach to enforcement actions.