
Companies face much higher financial penalties for personal data breaches

SINGAPORE — Companies found guilty of breaching Singapore’s personal data laws may face much higher penalties, potentially hundreds of millions of dollars, under legislative changes tabled in Parliament on Monday (Oct 5).

Companies in breach of the Personal Data Protection Act face penalties of up to 10 per cent of their annual revenue, or S$1 million, whichever figure is higher, under proposed changes to the law.


The proposed changes to the Personal Data Protection Act (PDPA) mean that firms would have to pay up to 10 per cent of their annual Singapore turnover or up to S$1 million, whichever figure is higher. The current cap is S$1 million. It is not unusual for large companies to have an annual revenue of billions of dollars.

Communications and Information Minister S Iswaran told the media last Thursday that the changes seek to “give consumers greater confidence and assurance about the way in which personal data is being safeguarded, but also how its use is being enabled in a responsible way in our economy”.

Since the PDPA was enacted in 2012, taking effect in 2014, there have been several high-profile data leaks.

Last year, the details of more than 14,000 patients in Singapore’s human immunodeficiency virus (HIV) registry were leaked.

Several large organisations such as public healthcare group SingHealth, ride-sharing firm Grab and gaming hardware firm Razer have been involved in data breaches in recent years, affecting hundreds of thousands of users.

Under the proposed changes, consumers will also gain greater protection from unsolicited marketing messages.

Under the Do Not Call Provisions of the PDPA and the Spam Control Act, platforms that engage in egregious conduct such as “robo-calls” will be subject to higher penalties.

In 2018, the Personal Data Protection Commission (PDPC), which oversees the PDPA, said that it was aiming to merge the Do Not Call Provisions of the PDPA and the Spam Control Act under a single Act governing unsolicited commercial messages.

With the revised laws, consumers will have more protection from messages across all direct communications platforms such as voice calls, SMS, fax, online messages and emails. Direct marketing will also require express consent.

Companies will have to take steps as well to manage data breaches, by notifying the PDPC and affected individuals of more severe cases, for example.

For data breaches that result in significant harm to an affected individual, or that affect more than 500 individuals, the company will have to notify the PDPC. The company will also have to notify the affected individuals if the breach has caused them significant harm.

If there was remedial action taken to reduce the risk of significant harm, or if the individuals’ personal data was encrypted to a reasonable standard, no notification will be needed.

The Bill will be debated at the next parliamentary sitting.
