The provision setting out significantly higher financial penalties under Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.
Organisations that contravene the PDPA in Singapore now face a materially greater financial exposure.
This means that, for any intentional or negligent contravention of:
- the data protection provisions, an organisation may now be liable to a financial penalty of up to SGD 1 million or, where its annual turnover in Singapore exceeds SGD 10 million, 10% of its annual turnover in Singapore, whichever is higher;
- the do-not-call provisions concerning the use of dictionary attacks and address-harvesting software:
  - an individual may now be liable to a financial penalty of up to SGD 200,000; and
  - an organisation may now be liable to a financial penalty of up to SGD 1 million or, where its annual turnover in Singapore exceeds SGD 20 million, 5% of its annual turnover in Singapore.
To recap, when the Personal Data Protection Commission (“PDPC”) is deciding whether a financial penalty is warranted, it will, among other things:
- assess the incident on the principles of harm and culpability:
  - “Harm” takes into account the number of affected individuals, the categories of personal data affected, the duration of the incident and similar factors;
  - “Culpability” refers to the organisation’s conduct in the incident. The PDPC will consider the nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA; and
- consider other relevant factors, such as whether the organisation or individual took any action to mitigate the effects and consequences of the non-compliance.
Given the higher financial penalties, organisations should:
- review their policies and practices for compliance with the new provision; and
- brief employees on the increased penalties and the correspondingly greater risk to the organisation.
You may access our previous alert regarding the increased financial penalties here.