Singapore’s Personal Data Protection Commission (PDPC) has updated legislation on how the country will manage data privacy and protections. These new laws include allowing wider enforcement controls for the PDPC, instituting mandatory notifications when data is breached and making the mishandling of data a criminal offense.
This means that if an information collector mishandles personal data in Singapore, either intentionally or accidentally, they open themselves to risk. They may be criminally prosecuted, and if found guilty, face cash fines and imprisonment.
You may wonder why many legal eyes are focused on a country that is only 276 square miles wide and is only about to celebrate its 56th year as a nation, but there are several key reasons for this interest. While most of Europe has human rights as the basis of its data protection laws, Singapore’s laws are centered around securing the country’s place in the global economic marketplace. Singapore is one of the world’s leaders in per capita income, has the highest percentage of millionaires in the world and has the highest ratio of trade to GDP in the world.
Data protection encourages worldwide investment
Singapore has been working on data protection laws for the last 10 years and has been continuously updating regulations throughout the decade. The original PDP law was drawn up in 2012 and was ratified in July of 2014. To comply with the law, companies doing business in Singapore must:
- Notify their customers if their data is being disclosed, collected or used, and only use that data for the purposes defined.
- Ensure consent has been granted by individuals before collecting, using or disclosing their data. According to attorneys at Latham & Watkins LLP, the new amendments from this past February include provisions for implied consent of information release and some exceptions to the PDPA consent requirements, such as “legitimate interests” and “business improvement” exceptions.
- Upon request, an organization must be able to provide information on how a customer’s data has been used in the past 12 months.
- Ensure personal data is complete and accurate.
- Ensure data is kept secure from unauthorized access, modification, use, disclosure.
- Data should only be retained when needed and should be destroyed when no longer needed.
- Ensure that overseas external organizations provide a comparable standard of protection.
- Designate a Data Protection Officer (DPO) and publish his/her business contact information. PDP policies should be made available to the public and employees.
- Not send marketing messages to individuals who are registered in a National DNC (Do Not Call) registry.
Singapore has been working on data protection laws for the last 10 years and has been continuously updating regulations throughout the decade.
Singapore wants the trust of the global market
In short, companies doing business in Singapore must find a balance between respecting an individual’s right to data privacy and the organization’s use of data for legitimate business activities. PDPC Commissioner Chuen Hong Lew has said that when data breaches happen, “it is not only personal data that is lost. Reputations of individuals and organizations are involved as well.”
The PDPC is also moving toward further punitive reprisals if data is leaked or lost. Aside from criminal charges, offenders may be given higher financial penalties based on the seriousness of the data breach and the level of harm caused by the leak. By February 2022, it could cost data breach violators up to $1 million (Singapore currency) or 10% of their annual gross income.
Data portability rules are also on the horizon. This new obligation lets individuals request a copy of their personal data to be transmitted in a commonly used machine-readable format to another organization, enabling consumers to switch to new service providers more easily.
What to watch for next: Data protection in Singapore
If your company works in Singapore, or has an office there, it’s crucial to be aware of the new regulations and to safeguard all data that you collect and hold. It’s important to understand all the nuances of data protection exceptions as well, such as the allowances for business improvements and legitimate interests.