10 May 2021
The Personal Data Protection (Amendment) Act 2020 (the “Amendment Act”) was passed in Parliament on 02 November 2020, and is partially in force as of 01 February 2021. The Amendment Act marks the first comprehensive review of the Personal Data Protection Act 2012 (“PDPA”) since its enactment, and is the culmination of a series of consultations between the Ministry of Communications and Information (“MCI”), the Personal Data Protection Commission (“PDPC”) as well as public and industry stakeholders.
This article, the final in a 3-part series, highlights some key updates to the PDPA introduced by the Amendment Act, and focuses on updates relating to offences and enforcement, as well as miscellaneous key updates.
Increased Financial Penalty Cap (not yet in force)
Where an organisation is in breach of its data protection obligations, the Amendment Act will empower the PDPC through section 48J of the PDPA to impose a financial penalty of up to S$1 million or 10% of the organisation’s annual turnover in Singapore, whichever is higher. At present, the maximum financial penalty that the PDPC may impose on an organisation is S$1 million.
Section 48J will also empower the PDPC to impose financial penalties for breaches of the prohibition against the use of dictionary attacks and address harvesting software: up to S$1 million or 5% of the organisation’s annual turnover in Singapore, whichever is higher, on an organisation, or S$200,000 on an individual. At present, the maximum financial penalty for such breaches is S$1 million for organisations and S$200,000 for individuals.
Offences for Mishandling of Personal Data
To hold individuals accountable for the mishandling of personal data in the possession or under the control of an organisation, the PDPA has introduced the following offences at a new Part IXB:
These offences are subject to specified defences, such as where the information is publicly available, where the individual reasonably believes that he had the legal right to do so, or where independent testing of anonymisation of personal data is carried out. An individual found guilty of any of the above offences will be liable on conviction to a fine of S$5,000 and/or imprisonment for a term not exceeding 2 years.
The Amendment Act introduces Part IXC of the PDPA, which empowers the PDPC to accept and enforce voluntary undertakings from organisations where the PDPC has reasonable grounds to believe that an organisation has not complied, is not complying, or is not likely to comply with the PDPA.
A voluntary undertaking is given and accepted in place of the conduct of a full investigation. It may include a commitment to do any of the following:-
If an organisation does not comply with its voluntary undertaking, the PDPC may give the organisation or any person concerned any direction that it thinks fit to ensure the compliance of the organisation with the undertaking.
Alternative Dispute Resolution
The PDPC is now empowered under Part IXC to refer any complaint by an individual against an organisation to mediation under a dispute resolution scheme if it is of the opinion that the complaint may be more appropriately resolved by mediation. The PDPC may do so without the individual’s or the organisation’s consent. Both parties will be required to participate in the mediation as directed by the PDPC and must comply with any regulations prescribed by the PDPC.
Removal of Exemption for Organisations Acting on Behalf of Public Agencies
Prior to the Amendment Act, private organisations that acted on behalf of a public agency were exempted from the data protection obligations in the PDPA. With the Amendment Act, all private organisations are now subject to the PDPA, even if they are acting on behalf of a public agency. Public agencies continue to be exempted from the data protection obligations in the PDPA.
Increased Protection from Unsolicited Messages
The new Part IXA relates to the PDPA’s Do Not Call provisions (“DNC Provisions”) and prohibits the sending of unsolicited messages to telephone numbers obtained through the use of dictionary attacks or address harvesting software. The Amendment Act also amends the Spam Control Act to this effect.
In adapting to the amended PDPA, organisations should review their data protection policies and procedures and ensure that they are in line with the new amendments.
In particular, organisations should ensure that they are sufficiently prepared to manage data breach incidents in light of the mandatory data breach notification obligation. Where they update their data protection policies and procedures, they should conduct internal training sessions on the same. Organisations should also review their operations and consider the feasibility of taking advantage of the expanded consent framework.
Please contact us if you need assistance on personal data protection matters.
Director, BR Law Corporation
Trainee, BR Law Corporation
The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of publication, but may no longer be, now or in the future, in the employ of the firm.