Public and private enforcement

i Enforcement agencies

The PDPC is the key agency responsible for administering and enforcing the PDPA. Its role includes, inter alia, reviewing complaints from individuals,77 carrying out investigations (whether on its own accord or upon a complaint), giving directions to an organisation or a person to ensure compliance with certain provisions of the PDPA,78 and imposing financial penalties for contravention of certain provisions of the PDPA.79

To enable the PDPC to carry out its functions effectively, it has been entrusted with broad powers of investigation,80 including the power to require organisations to produce documents or information, and the power to enter premises with or without a warrant to carry out a search. In certain circumstances, the PDPC may obtain a search and seizure order from the state courts to search premises and take possession of any material that appears to be relevant to an investigation.

Where the PDPC is satisfied that there is non-compliance with the data protection provisions, it may issue directions to the infringing organisation to rectify the breach and impose financial penalties of up to S$1 million.81 The PDPC may also in its discretion compound the offence.82 Certain breaches can attract penalties of up to three years' imprisonment.83 In addition to corporate liability, the PDPA may also hold an officer of the company to be individually accountable if the offence was committed with his or her consent or connivance, or is attributable to his or her neglect.84 Further, employers are deemed to be vicariously liable for the acts of their employees, unless there is evidence showing that the employer had taken steps to prevent the employee from engaging in the infringing acts.85

Directions issued by the PDPC may be appealed to the Appeal Committee. Thereafter, any appeal against a decision of the Appeal Committee lies to the High Court, but only on a point of law or on the quantum of the financial penalty. There is a further right of appeal from the High Court's decision to the Court of Appeal, as in the case of the exercise of its original civil jurisdiction.86

In relation to breaches of the DNC Registry provisions, an organisation may be liable for fines of up to S$10,000 for each breach.

ii Recent enforcement cases

The PDPC published 29 enforcement decisions in 2021, and 17 decisions from January 2022 to July 2022. In the decisions, the PDPC provides substantial factual detail and legal reasoning, and the decisions are another source of information for companies seeking guidance on particular issues.

Several enforcement actions in 2021 and the first half of 2022 illustrate the PDPC's typical mix of behavioural remedies combined with financial penalties, including the following.

Vhive (June 2022)

The PDPC issued a fine of S$22,000 to Vhive87 for failing to put in place reasonable security arrangements to protect the personal data of 186,281 of its customers (their names, addresses, email addresses, telephone numbers, hashed passwords and customer IDs) in its possession from a ransomware attack. Among other things, the PDPC found that Vhive failed to have a security maintenance policy or conduct any security reviews, and even though Vhive outsourced all of its IT to an outside vendor, the relevant contract failed to stipulate clear written security maintenance and data protection requirements to the vendor.

Love Bonito (May 2022)

The PDPC imposed a fine of S$24,000 on Love Bonito88 for failing to put in place reasonable security arrangements to protect personal data in its possession. One of Love Bonito's IT systems was hacked, and the personal data of 5,561 of its customers was accessed and exfiltrated by a malicious actor. In its decision, the PDPC identified a number of significant weaknesses in Love Bonito's host, network, remote access and webpage security, such as failing to follow a robust password policy (the password for the administrator account was 'ilovebonito88').

Toll Logistics (Asia) and others (May 2022)

The PDPC issued warnings to several organisations for breaches of the PDPA in relation to the transfer of employees' personal data to a human resources software vendor in London. In its decision, the PDPC noted that the organisations were required to take appropriate steps, before any transfer was made, to ensure that the personal data transferred out of Singapore via their human resources platform for storage in the European Economic Area would be protected to a standard comparable to that under the PDPA, but there was no evidence of any such steps having been taken.

iii Private litigation

Anyone who has suffered loss or damage directly arising from a contravention of the data protection provisions may obtain an injunction, declaration, damages or any other relief against the errant organisation in civil proceedings in court. However, if the PDPC has made a decision in respect of a contravention of the PDPA, no private action against the organisation may be taken for that contravention until after the right of appeal has been exhausted and the final decision is made.89 Once the final decision is made, a person who suffers loss or damage as a result of a contravention of the PDPA may commence civil proceedings directly.90