[Last reviewed: 23 December 2022]
☒ administrative remedies from regulators and law enforcement
The PDPC has broad powers to give directions to the infringing organization (regardless of whether the infringements fall within the category of an "expedited decision" or a "full investigation"), including to order the payment of a financial penalty of up to USD 740,000 or 10% of an organization's annual turnover in Singapore where that turnover exceeds SGD 10 million (approximately USD 7.4 million).
The PDPC also has the power to accept an undertaking submitted by an organization, in which the organization voluntarily commits to implement its remediation plan (which has already been established) and resolve a data breach upon the early detection of a data breach incident.
☒ criminal penalties from regulators and law enforcement
Non-compliance with certain of the PDPA's Do Not Call provisions is a criminal offense and punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding three years and, in the case of a continuing offense, with a further fine not exceeding USD 740 for every day or part thereof during which the offense continues after conviction.
Submitting an access or correction request to obtain access to or change the personal data about another individual without the authority of the individual is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 and/or imprisonment for a term not exceeding 12 months for individuals.
Alteration, falsification, concealment, disposal of or destruction of records containing personal data or about the collection, use or disclosure of personal data with an intent to evade an access or correction request is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 for individuals and USD 37,000 for organizations.
Obstruction or making of false or misleading statements is a criminal offense and is punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding 12 months for individuals; or a fine not exceeding USD 74,000 for organizations.
Knowing or reckless unauthorized disclosure of personal data; knowing or reckless unauthorized use of personal data for a wrongful gain or wrongful loss to any person; and knowing or reckless unauthorized re-identification of anonymized data are criminal offenses and are punishable upon conviction with a fine not exceeding SGD 5,000 or imprisonment for a term not exceeding two years, or both. Individuals acting under the authority of the organization will not be held individually liable.
☒ private remedies
Individuals who suffer loss or damage as a result of contravention of the data protection obligations in the PDPA have private rights of action and can commence civil proceedings against the organization.
The remedies that the court may grant to an individual who commences a private action include relief by way of injunction or declaration, damages, or any other relief as the court thinks fit.
In order to succeed in a private action under the PDPA, the claimant must suffer loss or damage that falls within the common law heads of loss or damage (such as pecuniary loss, damage to property, and personal injury including psychiatric illness) directly as a result of contravention of certain PDPA provisions. Where no such loss or damage is suffered, claimants still have recourse to alternative remedies under the PDPA to end such non-compliance, by requesting the PDPC to impose directions for non-compliance or financial penalties; however, such remedies do not seek to compensate the claimant.
Notably, in Reed, Michael v Bellingham, Alex (Attorney-General, intervener)  SGCA 60, it was held that emotional distress directly suffered as a result of a contravention of the PDPA may constitute "loss or damage" for which a private action could be commenced.
If data subjects have private remedies, what form can these remedies take?
☒ individual personal actions
☐ representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)
☐ class actions