On 4 March 2022, the Singapore Minister for Communications and Information Mrs Josephine Teo announced that the maximum financial penalties for data breaches under the Personal Data Protection Act 2012 ("PDPA") will be raised with effect from 1 October 2022. The maximum for an organisation with an annual turnover in Singapore exceeding S$10 million would be 10% of its annual turnover in Singapore. For all other cases, the maximum would be S$1 million.
The annual turnover of the organisation will be ascertained from its most recent audited accounts available at the time the financial penalty is imposed.
Background to the announcement
The existing maximum financial penalty under the PDPA which can be imposed on organisations is S$1 million.
On 2 November 2020, the Personal Data Protection (Amendment) Bill ("Amendment Bill") was passed in Parliament. The Amendment Bill was introduced to strengthen the data protection regime under the PDPA. The key amendments that the Amendment Bill sought to introduce included: (i) a mandatory requirement to notify the Personal Data Protection Commission ("PDPC") of data breaches; (ii) a data portability obligation; (iii) new exceptions for an organisation to collect, use, and disclose personal data without consent; and (iv) an increase to the maximum financial penalties, as mentioned above.
The former Minister for Communications and Information Mr S Iswaran also stated during the Second Reading of the Amendment Bill in November 2020 that the increased financial penalties will be implemented no earlier than one year after the Amendment Bill comes into force.
To date, only some of the amendments are in force, with the rest to come into effect at a later time.
The latest announcement raises two noteworthy points on Singapore's approach towards data protection.
First, the importance of ensuring deterrence in a proportionate manner.
Depending on the nature of the organisation's business, the enhanced maximum penalties under the PDPA after 1 October 2022 may be potentially higher than several other major jurisdictions:
- Under the EU's General Data Protection Regulation, the maximum financial penalties are €20 million or 4% of the organisation's worldwide annual turnover, whichever is higher (in the UK, under the UK GDPR, the equivalent of the first figure is set at £17.5 million); and
- Under Hong Kong's Personal Data (Privacy) Ordinance, the Privacy Commissioner for Personal Data can issue an enforcement notice to any party to remedy a contravention of the Ordinance. Anyone who contravenes the enforcement notice may receive a maximum fine of HKD 50,000 and 2 years imprisonment, with a daily penalty of HKD 1,000 for a continued contravention after conviction. The maximum fines are higher for repeat offenders.
The fact that the enhanced penalties under the PDPA may be higher than several other jurisdictions was also discussed in Parliament during the Second Reading of the Amendment Bill. But Mr S Iswaran made the effort to state that the PDPC will ensure that the financial penalties imposed will be proportionate to the severity of the breach. Furthermore, he also noted that the maximum penalties are comparable with other domestic legislation such as the Telecommunications Act and Competition Act – signalling that data protection is of that level of importance to Singapore in the digital economy.
Second, the PDPA is applied in a manner consistent with the commercial reality that organisations of different scale handle different volumes and types of personal data.
For larger organisations, the PDPC has previously stated in one of its published decisions that the fact that some organisations may handle large volumes of personal data, disclosure of which may cause exceptional damage to affected persons, may be taken to be an aggravating factor when fixing the quantum of financial penalties.
As for smaller organisations, members of Parliament have on various occasions voiced concern that SMEs may have difficulties complying with their obligations under the PDPA. This concern comes to the fore with the latest announcement of raised maximum financial penalties. To that end, the Ministry of Communications and Information has timeously announced the launch of a new Data Protection Essentials programme to help SMEs acquire a basic level of data protection and security practices to protect personal data and recover quickly from any breaches.
This article is published for general information only and does not constitute legal advice. Mishcon de Reya LLP, Singapore branch is licensed in Singapore as a Foreign Law Practice and only undertakes Singapore law related work in those areas permitted by its license.