As the internet has become increasingly globalized, national authorities have taken steps to protect citizens' personal data. That comes after numerous major data breaches from transnational corporations, in addition to the secretive collection of personal data without regulatory oversight. In Singapore, the law on data protection is the PDPA.
In this article, we'll explain what the PDPA is, how it works, and who it affects.
The Personal Data Protection Act (PDPA) is Singapore's data protection law. It was passed by the Parliament of Singapore on 15 October 2012, came into full effect in July 2014, and was most recently amended in November 2020.
It governs the collection, use and disclosure of personal data about individuals by private-sector organizations. At the same time, the Act recognizes that organizations have legitimate needs to collect and use personal data in appropriate circumstances, and is designed to balance those needs against individuals' right to have their data protected.
The 2020 amendment introduced a mandatory data breach notification regime. Organizations that suffer a data breach are now obligated to notify the PDPC and the affected individuals unless an exception applies.
The PDPA defines ten protection obligations, including:
Readers who know the GDPR will recognize many of these obligations. Note, however, that the PDPA (2012) predates the GDPR (adopted in 2016, in force since 2018) by several years.
The tenth, Do Not Call, is often treated not as a data protection obligation in its own right but as the PDPA's separate regime for telemarketing in Singapore. Since the 2020 amendment, the requirement to notify the PDPC and affected individuals following a data breach is commonly counted as the tenth (or eleventh) obligation instead.
The Personal Data Protection Commission (PDPC) was established under the PDPA as the regulatory authority responsible for governing data protection in Singapore. The PDPC advises the government on future regulations and routinely publishes advisory guidelines for data protection.
The PDPC is part of the converged telecommunications and media regulator, the Infocomm Media Development Authority (IMDA). Both authorities are, in turn, under the purview of the Ministry of Communications and Information.
The creation of the PDPC is part of a push towards a "culture of accountability." For instance, in 2019, the PDPC implemented the Data Protection Trustmark Certification. It is a voluntary enterprise-wide certification program created for an organization to demonstrate its accountable data protection practices.
The PDPC also enforces the PDPA, issuing directions and financial penalties against organizations that breach it; the most prominent case was the action taken against SingHealth following the 2018 SingHealth data breach.
Like other data protection legislation, such as the UK and EU GDPR and Brazil's LGPD, the PDPA has extra-territorial effect. Organizations that are not based in Singapore can still be obligated to comply with the PDPA if they collect, use, or disclose personal data within Singapore.
For instance, if a non-Singaporean company such as Facebook collects personal data from individuals in Singapore online, it is subject to the PDPA and can be penalized for non-compliance.
Should an organization be found to be in breach of the PDPA, the PDPC may impose several remedies. These include directing the organization to:
- Stop collecting, using, or disclosing personal data in contravention of the PDPA.
- Destroy personal data collected in contravention of the PDPA.
- Provide access to or correct personal data.
- Pay a financial penalty of up to SGD 1 million (approximately €625,735).
That ceiling is substantially lower than the penalties available under the EU GDPR, which can reach €20 million or 4% of annual global turnover, whichever is higher. However, since the 2020 amendment, the PDPC can impose higher financial penalties: up to 10% of the organization's annual turnover in Singapore where that turnover exceeds SGD 10 million (approximately €6,257,210), or up to SGD 1 million (approximately €625,735) otherwise, whichever is higher.
Furthermore, penalized companies are also likely to suffer from reputational damage and public backlash.
The PDPA is Singapore's data protection act. It governs the processing of personal data in the private sector. If your business has dealings in Singapore, it is critical to familiarize yourself with the contents of the Act.
For further information, please refer to the PDPC website.