Increased financial penalties

From 1 October 2022, companies that breach the PDPA may face fines of up to:

  • SGD 1 million; or
  • where the organisation’s annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation’s Singapore turnover.

Penalties imposed under the PDPA could potentially be more stringent than those under the GDPR, which currently imposes fines of up to €20 million or 4% of worldwide turnover, whichever is higher.

Given these higher financial penalties, organisations collecting, using or disclosing personal data in Singapore are recommended to carefully review their existing data protection programmes and processes to ensure compliance with the PDPA.

In practice, the Personal Data Protection Commission (“PDPC”) takes a proactive approach in enforcing the PDPA. Enforcement priorities include ensuring compliance with:

  • the Protection Obligation (i.e. putting in place reasonable security arrangements to prevent unauthorised access, collection, use, disclosure etc. of personal data); and
  • the Transfer Limitation Obligation (i.e. the requirement to ensure personal data being transferred outside of Singapore receives a standard of protection comparable to that required under the PDPA).

Given that the PDPA has now been in force for some time, the PDPC has been ramping up enforcement efforts and actively takes enforcement action against breaches of the PDPA. To date, there have been 201 published decisions since 2016 relating to various breaches of the PDPA.

Thus far, the biggest financial penalty for breaches of the PDPA was imposed on an IT vendor for failing to put in place reasonable security arrangements to protect the personal data of individuals. The financial penalty imposed on the IT vendor by the PDPC in that matter amounted to S$750,000.

Other anticipated changes

In addition, in a sign that cyberspace and online safety are becoming an increasing focus of the Singapore government, MCI also announced a review of the Cybersecurity Act and its accompanying Code of Practice as well as plans to introduce codes of practice in areas such as online child safety and platform accountability.

It is expected that public consultation on the Cybersecurity Act will commence in 2023.