Last review date: 15 January 2025
Personal Data Protection Commission (PDPC) for the PDPA
Cyber Security Agency of Singapore for the CSA
In terms of priorities, we anticipate the PDPC to have a continued focus on artificial intelligence and children's personal data.
For example, on 15 July 2024, the PDPC issued proposed guidance on synthetic data generation to help organizations understand these techniques and their potential use cases, particularly for AI. Additionally, the proposed Advisory Guidelines on the PDPA for children's personal data cover issues such as obtaining children's consent, using children's personal data, and providing higher standards of protection to children's personal data. The issuance of the public consultation papers signals the PDPC's continued commitment to encouraging the responsible development and adoption of AI technology and the need to protect children, especially in a digital environment.
The Cyber Security Agency is unlikely to prioritize enforcement of the Cybersecurity (Amendment) Bill at this stage and is likely to closely monitor and support key players as they comply with the new requirements.
The number of cybersecurity incidents, particularly phishing and ransomware attacks, continues to rise. The PDPC has been vigilant in scrutinizing these incidents and their contributing factors. In its enforcement decisions, the PDPC has consistently focused on the failure of organizations to implement robust data protection policies, establish reasonable security measures (e.g., access controls corresponding to the sensitivity of the personal data involved), and ensure that third-party service providers (e.g., IT vendors) comply with security obligations, including their adequate supervision.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Staying the same
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
The PDPC has broad powers to give directions to the infringing organization (regardless of whether the infringements fall within the category of an "expedited decision" or a "full investigation"), including to order the payment of a financial penalty of up to USD 740,000 or 10% of an organization's annual turnover in Singapore where that turnover exceeds SGD 10 million (approximately USD 7.4 million).
The PDPC also has the power to accept an undertaking submitted by an organization in which the organization voluntarily commits to implement its already established remediation plan and to resolve the data breach following early detection of the incident.
Under the new Section 37A of the Cybersecurity (Amendment) Act 2024, the CSA may now bring an action in court for civil penalties with the Public Prosecutor’s consent in place of any criminal penalties under Part 3, 3A, 3B, 3C or 3D of the Act. In making a recommendation to the Public Prosecutor, the CSA will consider a range of factors, including the risks created by the non-compliance, the egregiousness, and the facts of the case. Depending on the offense in question, the civil penalties could be up to a sum of 10% of the annual turnover of the person's business in Singapore (for an annual turnover of more than SGD 5,000,000) or USD 500,000 (in all other cases).
☒ criminal penalties from regulators and law enforcement
Non-compliance with certain of the PDPA's Do Not Call provisions is a criminal offense and punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding three years and, in the case of a continuing offense, a further fine not exceeding USD 740 for every day or part thereof during which the offense continues after conviction.
Submitting an access or correction request to obtain access to, or change, the personal data of another individual without that individual's authority is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 and/or imprisonment for a term not exceeding 12 months for individuals.
Alteration, falsification, concealment, disposal of or destruction of records containing personal data or about the collection, use or disclosure of personal data with an intent to evade an access or correction request is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 for individuals and USD 37,000 for organizations.
Obstruction or making false or misleading statements is a criminal offense and is punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding 12 months for individuals, or a fine not exceeding USD 74,000 for organizations.
Knowing or reckless unauthorized disclosure of personal data; knowing or reckless unauthorized use of personal data for a wrongful gain or wrongful loss to any person; and knowing or reckless unauthorized re-identification of anonymized data are criminal offenses and are punishable upon conviction with a fine not exceeding SGD 5,000 or imprisonment for a term not exceeding two years, or both. Individuals acting under the authority of the organization will not be held individually liable.
Under the CSA:
Under the Cybersecurity (Amendment) Act 2024, the aforementioned offenses (with the exception of the duty to conduct cybersecurity audits which is only extended to Part 3A) are extended to:
For offenses under Parts 3C and 3D of the Act, the penalties are higher: a fine of up to SGD 200,000 or 10% of the annual turnover of the entity's business in Singapore will be imposed on an entity found guilty of the offense.
☒ private remedies
Individuals who suffer loss or damage as a result of a contravention of the data protection obligations in the PDPA have private rights of action and can commence civil proceedings against the organization.
The remedies that the court may grant to an individual who commences a private action include relief by way of injunction or declaration, damages, or any other relief as the court thinks fit.
In order to succeed in a private action under the PDPA, the claimant must suffer loss or damage that falls within the common law heads of loss or damage (such as pecuniary loss, damage to property, and personal injury including psychiatric illness) directly as a result of contravention of certain PDPA provisions. Where no such loss or damage is suffered, claimants still have recourse to alternative remedies under the PDPA to end such non-compliance, by requesting the PDPC to impose directions for non-compliance or financial penalties; however, such remedies do not seek to compensate the claimant.
Notably, in Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60, it was held that emotional distress directly suffered as a result of a contravention of the PDPA may constitute "loss or damage" for which a private action could be commenced.