Singapore has recently passed amendments to the Computer Misuse and Cybersecurity Act introducing new criminal sanctions for serious data protection and cybersecurity breaches.

This development reflects similar moves by data protection authorities elsewhere in Asia to impose criminal sanctions for the worst data protection offences, and as such indicates Singapore’s resolve to step up data protection compliance and enforcement. This step also appears to reflect a recent statement by the Personal Data Protection Commission (“PDPC“), Singapore’s data protection authority, that enforcement decisions to date have largely involved data security breaches, as well as the Monetary Authority of Singapore’s focus in recent months on cybersecurity in the financial services and insurance sectors.

The amendments introduce two new offences:

  1. Misuse of personal information obtained from a computer crime: this offence prohibits the obtaining, retaining, supplying, offering to supply, transmitting or making available of personal information which the person knows or has reason to believe has been obtained by committing a computer crime. Exceptions apply if the activity was done with a legitimate purpose (e.g. for undertaking data breach investigations), or if the person lacked the requisite knowledge or belief. In practice, this means that organisations should avoid buying, selling, or in general, processing personal information from an unknown or questionable source.
  2. Misuse of access to computer or any item capable to commit a computer crime: this offence prohibits the obtaining, retention, supply or offering to supply of, or making available, an item or access to a (or part of a) computer to commit, or which is capable of being used to commit, a computer crime. This includes access to devices, computer programs, passwords, access codes or any data offering such access. While the Ministry of Home Affairs of Singapore has made clear that the aim of this new offence is to criminalise illegal access of computers by hackers, this may also serve as a reminder to organisations with operations in Singapore to put in place reasonable security arrangement over the use of electronic devices to avoid becoming an easy target to computer hackers.

The new offences apply regardless of whether the individual or organisation is resident or located in Singapore, or whether the activities are targeting a server in Singapore or overseas. The test is whether the prohibited action causes or creates a significant risk of serious harm in Singapore. That said, how in practice criminal proceedings may be brought against those outside Singapore is unclear.

The amendments significantly increase the potential sanctions for certain serious data protection offences. For a first time conviction for either of the new offences, the offender may be liable to a fine of up to SGD 10,000 and/or imprisonment for a term up to 3 years. Currently the existing data protection framework in Singapore under the Personal Data Protection Act (“PDPA“) allows the PDPC to impose fines of up to SDG 1 million for failing to ensure sufficient security is in place to protect personal data. That said, the heaviest fine imposed to date by the PDPC is just SGD 50,000, and so it remains to be seen whether the Singapore courts and authorities will pursue the highest level of criminal sanctions in such cases under these latest amendments.

The new offences apply to both individuals and organisations, and so data protection officers in Singapore (who strictly under the PDPA are responsible for their organisations’ data protection compliance) should be particularly aware of the potential reach of the new offences.