Penalties for Non-compliance
What are the potential penalties / remedies for non-compliance with the key data privacy and cybersecurity laws in the jurisdiction?

Last review date: 29 December 2023

There are:

☒        administrative remedies / civil penalties applied by regulators and law enforcement

The PDPC has broad powers to give directions to the infringing organization (regardless of whether the infringements fall within the category of an "expedited decision" or a "full investigation"), including to order the payment of a financial penalty of up to USD 740,000 or 10% of an organization's annual turnover in Singapore where that turnover exceeds SGD 10 million (approximately USD 7.4 million).

The PDPC also has the power to accept an undertaking submitted by an organization, in which the organization voluntarily commits to implement its (already established) remediation plan and to resolve a data breach upon the early detection of a data breach incident.

☒        criminal penalties from regulators and law enforcement

Non-compliance with certain of the PDPA's Do Not Call provisions is a criminal offense and punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding three years and, in the case of a continuing offense, a further fine not exceeding USD 740 for every day or part thereof during which the offense continues after conviction.

Submitting an access or correction request to obtain access to, or to change, the personal data of another individual without that individual's authority is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 and/or imprisonment for a term not exceeding 12 months for individuals.

Alteration, falsification, concealment, disposal of or destruction of records containing personal data or about the collection, use or disclosure of personal data with an intent to evade an access or correction request is a criminal offense and is punishable upon conviction with a fine not exceeding USD 3,700 for individuals and USD 37,000 for organizations.

Obstruction or making false or misleading statements is a criminal offense and is punishable upon conviction with a fine not exceeding USD 7,400 and/or imprisonment for a term not exceeding 12 months for individuals; or a fine not exceeding USD 74,000 for organizations.

Knowing or reckless unauthorized disclosure of personal data; knowing or reckless unauthorized use of personal data for a wrongful gain or to cause wrongful loss to any person; and knowing or reckless unauthorized re-identification of anonymized data are criminal offenses, each punishable upon conviction with a fine not exceeding SGD 5,000 or imprisonment for a term not exceeding two years, or both. Individuals acting under the authority of the organization will not be held individually liable.

Under the CSA:

  • It is an offence to fail to comply with a notice issued by the Commissioner relating to information about critical information infrastructure or to ascertaining whether a computer fulfils the criteria of critical information infrastructure, or with a direction issued by the Commissioner. A fine not exceeding SGD 100,000 and/or imprisonment for a term not exceeding 2 years may be imposed. In the case of a continuing offence, a further fine not exceeding SGD 5,000 for every day or part of a day during which the offence continues after conviction may be imposed.
  • It is an offence to fail to notify a change in ownership of critical information infrastructure within seven days after the date of the change in ownership. A fine not exceeding SGD 100,000 and/or imprisonment for a term not exceeding two years may be imposed.
  • It is an offence to fail to notify a prescribed cybersecurity incident to the Commissioner. A fine not exceeding SGD 100,000 and/or imprisonment for a term not exceeding two years may be imposed.
  • It is an offence to fail to conduct cybersecurity audits once every two years and risk assessments once every year, or to obstruct the audits and assessments from being carried out. A fine not exceeding SGD 100,000 and/or imprisonment for a term not exceeding two years may be imposed. In the case of a continuing offence, a further fine not exceeding SGD 5,000 for every day or part of a day during which the offence continues after conviction may be imposed.
  • It is an offence to fail to provide the report of the audit and assessment to the Commissioner within 30 days of the date of the audit and assessment. A fine not exceeding SGD 25,000 and/or imprisonment for a term not exceeding 12 months may be imposed. In the case of a continuing offence, a further fine not exceeding SGD 2,500 for every day or part of a day during which the offence continues after conviction may be imposed.
  • It is an offence to fail to comply with a direction to conduct cybersecurity exercises to test the state of readiness of owners of different critical information infrastructure in responding to significant cybersecurity incidents. A fine not exceeding SGD 100,000 may be imposed.

        private remedies

Individuals who suffer loss or damage as a result of a contravention of the data protection obligations in the PDPA have private rights of action and can commence civil proceedings against the organization.

The remedies that the court may grant to an individual who brings a private action include relief by way of injunction or declaration, damages, or any other relief as the court thinks fit.

In order to succeed in a private action under the PDPA, the claimant must have suffered loss or damage that falls within the common law heads of loss or damage (such as pecuniary loss, damage to property, and personal injury including psychiatric illness) directly as a result of a contravention of certain PDPA provisions. Where no such loss or damage is suffered, claimants still have recourse to alternative remedies under the PDPA to end the non-compliance, by requesting the PDPC to impose directions or financial penalties for the non-compliance; however, such remedies do not seek to compensate the claimant.

Notably, in Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60, it was held that emotional distress directly suffered as a result of a contravention of the PDPA may constitute "loss or damage" for which a private action could be commenced.

☐        other

If data subjects have private remedies, what form can these remedies take?

Last review date: 29 December 2023

☒        individual personal actions

☐        representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☐        class actions