Following widespread calls for stronger protection in the wake of the General Data Protection Regulation (GDPR), countries around the world are tightening their grip on data privacy.
Singapore is no exception. One of the world’s fastest-growing economies, the country has fortified its commitment to safeguarding individuals' personal data by updating its Personal Data Protection Act (PDPA) in 2020.
In this article, we delve into the intricate web of data privacy laws in Singapore: the rights available to data subjects, the obligations that define its stance on data privacy, and the obvious question of how to comply.
Singapore data privacy law: An overview
Let's cover the basics before looking at the scope, requirements, and how to comply with Singapore's data protection laws.
The Personal Data Protection Act ("The PDPA")
The Personal Data Protection Act (PDPA) governs Singapore's data privacy regulations. First enacted on October 15, 2012, it was later updated to keep pace with the GDPR through the Personal Data Protection (Amendment) Act 2020 (together, the “Act”).
The PDPA defines “personal data” as any data that can be used to identify an individual, either directly or indirectly. This includes but is not limited to name, address, date of birth, credit card number, and email address.
Except where data is provided for solely personal purposes, the PDPA doesn’t apply to business contact information. “Anonymized data” does not fall under the scope of the PDPA.
From 2020, amendments to the PDPA have been rolled out in stages under the Personal Data Protection (Amendment) Act 2020. Billed to take effect on February 1, 2021, the act:
Established a mandatory notification requirement in instances of a breach;
Introduced criminal offenses;
Expanded the scope of deemed consent; and
Provided for additional exceptions to the obligation to obtain express consent.
The provision setting the maximum fine allowed under the PDPA came into force on October 1, 2022. Separately, the unicameral legislature of the Republic of Singapore has passed the right to data portability into law; however, it has yet to come into force.
Other laws in Singapore
Supporting the PDPA are a host of sector-specific laws like the Banking Act of 1970 and the Securities and Futures Act of 2001, protecting banking and commercial data (for instance, particulars of bank customers’ accounts).
Besides providing the minimum threshold of data protection for private sector organizations throughout Singapore, the PDPA also set up a 'Do Not Call' registry in its second round of implementation in 2014. Individuals who want to opt out of receiving telemarketing calls and messages can list their Singapore phone numbers in this registry.
The telecommunication industry and media industry in Singapore are also governed by The Info-communications Media Development Authority (IMDA) through the Telecommunications Act 1999 (“the Telecoms Act”) and the Info-communications Media Development Authority Act 2016 (the IMDA Act), respectively.
On 2 May 2022, the IMDA released a consolidated competition code (the “Converged Code”) to regulate the media and telecommunication industries. The Code regulates Facilities-Based Operations (“FBO”) Licensees and Service-Based Operations (“SBO”) Licensees, including how they use end-user data.
Though not legally binding, resources like the PDPC’s Advisory Guidelines on Key Concepts in the Personal Data Protection Act also offer guidance on how the PDPA is interpreted.
The guidelines prohibit collecting, using, and sharing "sensitive personal data" such as National Registration Identification Card numbers and other national identification numbers (for instance, Foreign Identification Numbers, passport numbers, and Work Permit numbers). Such data may be collected, used, or shared only in the particular circumstances provided for in the PDPA.
Scope of application of the PDPA
With no express provisions defining its territorial scope, the PDPA is widely deemed to have extraterritorial effect. This means it applies to the collection, use, and disclosure of personal data within or outside Singapore, whether or not the controller has a physical presence in Singapore.
The PDPA covers individuals, bodies of persons, and organizations (whether incorporated or not) located inside or outside Singapore. It also introduces and provides for “data intermediaries,” the PDPA equivalent of “data processors” under the GDPR.
Per the PDPA, if a data intermediary processes data in line with the terms of a written contract with another organization, it does not have to follow most of the PDPA's rules; it is bound only by the PDPA's data security and retention obligations.
Individuals acting in a personal or domestic capacity are exempted from following obligations set out in the PDPA.
As a matter of public policy, the Act also does not apply to the public sector, which is bound by a separate set of regulations outlined in the Government Instruction Manual on Infocomm Technology & Smart Systems Management (previously known as IM8) and the Public Sector (Governance) Act of 2018. These regulations maintain standards of data protection similar to the PDPA's, including how investigations and enforcement actions for data security breaches are handled.
The Act also does not apply to employees acting in the course of their employment with an organization, nor to any other organization, personal data, or class of organizations or personal data as prescribed.
Companies can sometimes collect, use, or disclose personal data without consent in cases where the PDPA provides for statutory exceptions. One such instance is where the collection, use, or disclosure of such data is to protect “national interest,” which the PDPA defines to cover issues of national importance like national defense, security, public safety, essential services, or international affairs.
Essential requirements under the PDPA
As outlined by the Personal Data Protection Commission of Singapore (PDPC), the data protection obligations imposed on companies under the PDPA cover three salient considerations:
Collection of personal data
Care of personal data
The individual’s right/autonomy over personal data.
Here’s a quick rundown of the critical requirements of the PDPA:
Collection of Personal Data
Duty to notify
Organizations must inform individuals about the intended purposes of collecting, using, or disclosing their data on or before such collection, use, or disclosure.
Duty to obtain consent
Organizations may process personal data only after obtaining consent, which the individual can later revoke. When the supply of a product or service is conditional upon consent (for example, through a paywall), such consent must not extend beyond what is reasonable to provide that product or service.
Where consent is revoked, companies must inform the individual about the potential consequences of withdrawal, after which they must stop collecting, using, or disclosing the said data.
Other legal bases
An organization can collect, use, and disclose personal data without consent under certain conditions:
Interests of the data subject: When the collection, usage, or disclosure of personal data is vital for the individual, for example, in an emergency that threatens their life, health, or safety.
Public interest: When the collection, usage, or disclosure of personal data is necessary for the national interest.
Legitimate interests: When the collection, usage, or disclosure of personal data is in the organization's or another person's legitimate interests and outweighs any adverse effect on the individual.
In the case of legitimate interests, organizations must conduct a Data Protection Impact Assessment (DPIA or PIA), be able to clearly explain the situation or purpose that qualifies as a legitimate interest, take measures to reduce the likelihood of adverse effects, and provide reasonable information to the individual.
Purpose Limitation Obligation
Organizations are compelled to use personal data only for purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has consented.
Care of personal data
Reasonable efforts are required to maintain the accuracy and completeness of collected personal data, especially if it affects decision-making or may be shared with other organizations.
Duty to protect against data breach
Companies must implement reasonable security arrangements to safeguard personal data against unauthorized access, collection, use, disclosure, and other risks.
Retention Limitation Obligation
Organizations must stop retaining personal data, or dispose of it properly, once it is no longer necessary for business or legal purposes.
Transfer Limitation Obligation
Companies looking to transfer personal data to another country must do so in accordance with regulations, ensuring a standard of protection comparable to that under the PDPA unless exempted by the PDPC.
The individual’s right/autonomy over personal data
Organizations must implement measures to comply with the PDPA. This includes putting in place personal data protection policies and practices, and a straightforward complaints process. A readily accessible Data Protection Officer (DPO) must also be appointed.
Access and correction obligation
Upon request, individuals must be granted access to their personal data and given information about how it has been used or disclosed in the year before the request.
Organizations are also required to promptly correct any errors or omissions in such personal data and to transmit the corrected data to other organizations to which it was disclosed.
Data portability obligation
At the individual's request, organizations must transmit their data, in a commonly used machine-readable format, from the organization's possession or control to another organization.
Mandatory Data Breach Notification
Companies must report certain instances of a breach to the PDPC and the individuals affected as soon as possible (where the breach causes them harm or loss).
The breach should be reported no later than 3 (three) calendar days after the day of assessment. Under the PDPA, “notifiable data breaches” are data breaches that:
Cause significant harm to the affected individuals; and
Are of a significant scale (i.e., affecting 500 or more individuals).
Accordingly, in the event of a breach, organizations must promptly assess whether it is a “notifiable data breach.”
How to comply with Singapore’s PDPA?
If you control personal data in Singapore or of Singaporean data subjects, you are bound by specific obligations outlined in Parts III to VI of the PDPA:
Companies must develop and implement the policies and procedures needed to fulfill their obligations under the PDPA, and make them publicly available.
Organizations should delete documents containing personal data, anonymize it, or remove the means through which such data is collected once the initial purpose for collecting such data is met. They must also respond to requests from data subjects within the scope of their statutory rights.
Every organization is accountable for the personal data processed on its behalf by other parties or contractors (data intermediaries). As such, it may be liable if these intermediaries do not comply with the PDPA.
Companies should take active steps to safeguard personal data, including implementing security safeguards to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or other related risks. Much like the GDPR, appointing one or more DPOs (Data Protection Officers) to oversee PDPA compliance is also mandated.
Companies must comply with the Mandatory Data Breach Notification requirements once a breach has been assessed and identified as a “notifiable” breach, as explained above.
Companies should not transfer data to a recipient outside Singapore unless they comply with the PDPA's requirements for transferred personal data while the data is in their custody. A further exemption applies when the data recipient is bound by legally enforceable obligations relating to the transferred personal data of a standard similar to the PDPA.
Enforcement of Singapore’s PDPA
Part II of the PDPA charges the Personal Data Protection Commission (PDPC) with enforcing PDPA standards.
After investigating a complaint of a data privacy breach, the PDPC may impose sanctions on an organization found in breach, ranging from administrative fines to directions or warnings. In carrying out enforcement, the PDPC may:
Ban the collection, use, or disclosure of personal data in violation of the PDPA;
Destroy personal data obtained in violation of the PDPA;
Compel an unconditional release or refusal of access to or correction of personal data;
In line with recent amendments, impose an administrative fine of either up to (i) 10% of an organization’s annual turnover in Singapore for those with an annual turnover in Singapore that exceeds SGD 10 million or (ii) SGD 1 million.
PDPC directions can also be registered with the Singapore District Courts, giving them the enforceability of a court order.
In June 2022, the Commission meted out S$750,000 and S$250,000 fines — the largest fines administered yet — on Integrated Health Information Systems and Singapore Health Services for lack of safeguards to protect the medical records of data subjects, which led to a massive breach from a cyberattack.
Per the PDPA, organizations found guilty of misusing personal data or concealing information regarding its collection, utilization, or disclosure may attract financial penalties not exceeding S$50,000 (approximately $36,000).
Obstructing an investigation conducted by the PDPC may attract fines of no more than S$100,000 (around $72,000).
Companies involved in larger-scale breaches may also expect heavy financial sanctions or criminal liability, leading to imprisonment.
Mitigating factors like early detection and response or timely breach notification and aggravating factors like non-cooperation during investigations will be considered.
In the event of a breach of the PDPA's provisions, companies can be liable to individuals suffering harm due to a breach. These individuals can seek the following reliefs:
An order of injunction
Any other orders, reliefs, or declarations as the court may deem necessary in the circumstances
How does the PDPA stack up to the GDPR?
There are some critical differences between the PDPA and the General Data Protection Regulation (GDPR). For instance:
The PDPA excludes public agencies from its scope, while the GDPR applies to both public and private sector organizations.
The GDPR also defines special categories of personal data (like biometric, health, racial, or ethnic origin data), subject to stricter protection requirements.
The GDPR also gives individuals more control over their personal data, such as the right to have their personal data erased in certain circumstances.
While the PDPA is silent on the right of erasure, it enables data subjects to ask companies to stop collecting, sharing, or disclosing their personal data. The PDPC can also direct companies to destroy data obtained without meeting the legally recognized threshold of valid consent. In that regard, it can be argued that while the fine print of Singapore’s legal framework for ensuring the right to erasure may not be identical to the GDPR, they provide a substantially similar legal effect.
Across the board, the PDPA and the GDPR are strong data protection laws that protect personal data. However, the GDPR is generally more comprehensive and protective than the PDPA.
How can Didomi help you become compliant with Singapore's data privacy law?
Before anything else, Singapore-specific considerations should be front and center of any attempt toward compliance. Data Protection Impact Assessments, for example, should be a priority in light of the sterner sanctions being rolled out and the now-enlarged scope of deemed consent.
Beyond that, organizations that are subject to the PDPA will likely require a Consent Management Platform (CMP). The Didomi multi-regulation CMP allows our customers to comply with data privacy requirements around the world.
To learn how we assist current customers in handling their global data privacy challenges and discuss how we could help you do the same, book a call with one of our experts today.
Frequently Asked Questions (FAQ)
How can individuals complain about a breach of the PDPA?
Individuals can complain to the Personal Data Protection Commission (PDPC) if they believe that their personal data has been collected, used, or disclosed in breach of the PDPA.
The PDPC will investigate the complaint and take appropriate action, including issuing a warning, directing the organization to rectify the breach, or imposing a fine.
Are there consequences for breaching the PDPA?
Yes. And severe, too. Organizations that breach the PDPA may be fined up to SGD 1 million or 10% of their annual turnover, whichever is higher.
Individuals found to have willfully or recklessly breached the PDPA may be fined up to SGD 5,000, imprisoned for up to two years, or both.
What are the obligations of organizations that experience a data breach?
Under the Mandatory Data Breach Notification Requirement, organizations that experience a data breach must notify individuals whose personal data has been affected as soon as possible.
They must also take reasonable steps to mitigate the breach's impact on individuals.
How can organizations that transfer data overseas comply?
Transferring personal data overseas requires companies to take reasonable steps to ensure that the personal data is protected in accordance with the PDPA.
This may include requiring the overseas recipient of the personal data to contractually agree to protect the personal data in accordance with the PDPA.
What are the obligations of organizations subject to the PDPA but without a physical presence in Singapore?
Companies that are subject to the PDPA but have no physical presence in Singapore must appoint a representative in Singapore to receive legal notices and other communications on behalf of the organization.
The representative must be located in Singapore and must be able to communicate effectively with the Personal Data Protection Commission (PDPC).