An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition

Public and private enforcement

i Enforcement agencies

The PDPC is the key agency responsible for administering and enforcing the PDPA. Its role includes, inter alia, reviewing complaints from individuals,76 carrying out investigations (whether of its own accord or upon a complaint), giving directions to an organisation or a person to ensure compliance with certain provisions in the PDPA,77 and imposing financial penalties for contravention of certain provisions in the PDPA.78

To enable the PDPC to carry out its functions effectively, it has been entrusted with broad powers of investigation,79 including the power to require organisations to produce documents or information, and the power to enter premises with or without a warrant to carry out a search. In certain circumstances, the PDPC may obtain a search and seizure order from the state courts to search premises and take possession of any material that appears to be relevant to an investigation.

Where the PDPC is satisfied that there is non-compliance with the data protection provisions, it may issue directions to the infringing organisation to rectify the breach and impose financial penalties of up to S$1 million.80 The PDPC may also in its discretion compound the offence.81 Certain breaches can attract penalties of up to three years' imprisonment.82 In addition to corporate liability, the PDPA may also hold an officer of the company to be individually accountable if the offence was committed with his or her consent or connivance, or is attributable to his or her neglect.83 Further, employers are deemed to be vicariously liable for the acts of their employees, unless there is evidence showing that the employer had taken steps to prevent the employee from engaging in the infringing acts.84

Directions issued by the PDPC may be appealed to be heard before the Appeal Committee. Thereafter, any appeals against decisions of the Appeal Committee shall lie to the High Court, but only on a point of law or the quantum of the financial penalty. There would be a further right of appeal from the High Court's decisions to the Court of Appeal, as in the case of the exercise of its original civil jurisdiction.85

In relation to breaches of the DNC Registry provisions, an organisation may be liable for fines of up to S$10,000 for each breach.

ii Recent enforcement cases

The PDPC published 47 enforcement decisions in 2020, and 15 decisions from January 2021 to August 2021. In the decisions, the PDPC provides substantial factual detail and legal reasoning, and the decisions are another source of information for companies seeking guidance on particular issues.

Several enforcement actions in 2020 and the first half of 2021 illustrate the PDPC's typical mix of behavioural remedies combined with financial penalties, including the following.

Larsen & Toubro Infotech (June 2021)

The PDPC issued a fine of S$7,000 to Larsen & Toubro Infotech86 for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data of job applicants, and for disclosing personal data of job applicants without their consent.

Chapel of Christ the Redeemer (April 2021)

The PDPC imposed directions on Chapel of Christ the Redeemer87 for its failure to put in place reasonable measures to protect its members' personal data. In its decision, the PDPC directed the organisation to develop and implement internal data protection policies and practices to comply with the PDPA.

Grabcar

The PDPC issued a fine of S$10,000 and a direction to Grabcar88 for its failure to put in place reasonable security arrangements to prevent unauthorised access of drivers' and passengers' personal data via its mobile application.

iii Private litigation

Anyone who has suffered loss or damage directly arising from a contravention of the data protection provisions may obtain an injunction, declaration, damages or any other relief against the errant organisation in civil proceedings in court. However, if the PDPC has made a decision in respect of a contravention of the PDPA, no private action against the organisation may be taken for that contravention until after the right of appeal has been exhausted and the final decision is made.89 Once the final decision is made, a person who suffers loss or damage as a result of a contravention of the PDPA may commence civil proceedings directly.90