top of page
Search

12 years on: An assessment of Singapore’s Personal Data Protection Act 2012




By Sit Jie Ren


Introduction

The Personal Data Protection Act 2012 (‘PDPA’) was implemented over a decade ago and was last strengthened in 2020. However, despite over a decade of enforcement, Singapore’s data protection regime appears to have had limited success in strengthening personal data protection in Singapore and remains poorly complied with by organisations operating in the country. If anything, there appears to be an increase in data breach incidents, with recent high-profile incidents involving the Law Society of Singapore,[1] Marina Bay Sands[2] and Carousell.[3]

 

Why are laws on personal data protection required?

In today’s modern digital economy, we frequently provide vast amounts of information on our private lives to organisations around the world. From creating accounts on social media platforms to filling up online forms, we exchange personal details about ourselves in exchange for free products and services. In turn, these organisations use our personal information to target their advertisements towards our interests and peculiarities.

 

Often, the information about us on the internet is sufficient to form a complete overview of our lives, including our education, residence and employment.[4] Even without our names or unique identity numbers, we can be rather accurately identified by just a handful of demographic attributes.[5] This can pose a significant risk to our personal security and interests, especially if this data is being misused by organisations which have access to them or is otherwise illegally obtained. The issue is made more acute by the internet’s unfailing memory and any personal data leaked into the public domain will likely remain there in perpetuity. Given this, it is both desirable and necessary that regulations are created to regulate the use of personal data by organisations and oblige them to protect data they hold to improve consumer confidence in the digital economy.

 

Hence, Singapore passed the PDPA in 2012 to safeguard the rights of individuals (or data subjects) to protect and regulate their personal data by organisations for commercial purposes.

 

Obligations under the Personal Data Protection Act 2012

In assessing the effectiveness of the PDPA, it is first helpful to understand the obligations imposed on organisations by the Act. There are a total of 11 data protection obligations created by the Act:[6]


  1. Accountability (section 11 and 12)[7] Organisations must provide information on its data protection policies, practices and complaints process on request. Organisations must also designate an employee as a data protection officer, who will be responsible for ensuring PDPA compliance within the organisation and whose business contact information must be publicly available. The role of data protection officer can be outsourced to an external contractor.

  2. Notification (section 20)[8] Organisations must inform individuals of the purposes for the collection, use or disclosure of their personal data.

  3. Consent (section 13)[9] Organisations collecting, using or disclosing personal data must obtain the express consent of the individual unless relying on the provisions relating to deemed consent (section 15) or an exception to consent (First Schedule and Second Schedule).

  4. Purpose Limitation (section 18)[10] Organisations must confine the purposes for their collection, use or disclosure of personal data to purposes which ‘a reasonable person would consider appropriate in the circumstances’ and which the individuals concerned have been informed of.

  5. Accuracy (section 23)[11] Organisations must make reasonable effort to ensure that the personal data they collect and hold is accurate and complete where that data will be used to affect the individual concerned or will be disclosed to other organisations.

  6. Protection (section 24)[12] Organisations must make reasonable security arrangements to protect personal data they hold to prevent unauthorised access, collection, use, disclosure or similar risks.

  7. Retention Limitation (section 25)[13] Organisations must not retain personal data they hold and ensure its destruction if it no longer serves the purpose it was collected for or is no longer required for any legal or business purposes.

  8. Transfer Limitation (section 26)[14] Organisations must not transfer personal data outside of Singapore to any jurisdiction other than in accordance with regulations under the Act to ensure that the standard of protection is comparable to that under the PDPA.

  9. Access and Correction (section 21 and 22)[15] Organisations must provide individuals with personal data that they hold about them on request and information on the use and disclosure of that data within a year of that request unless an exclusion applies. Organisations are also required to correct any errors or omissions in the personal data about an individual in their possession on request, and to send the corrected personal data to other organisations to which that personal data has been disclosed to within a year of the correction.

  10. Data Breach Notification (Part VIA)[16] Organisations are required to notify the Personal Data Protection Commission (‘PDPC’) of data breaches involving data which will cause significant harm to affected individuals or is of a significant scale (over 500 individuals) within 3 calendar days. Individuals affected must also be subsequently informed in the former case.

  11. Data Portability (Part VIB)[17] Organisations must transmit personal data they hold about an individual to another organisation on request in a commonly used machine-readable format.[18]

 

These obligations build on other sector-specific requirements and serve as a minimum standard of protection for personal data in Singapore.[19]

 

Organisations found in breach of these obligations can be fined up to S$1 million or 10% of their annual turnover, whichever is higher.[20]

 

Limited compliance with the Personal Data Protection Act

However, despite the PDPA being implemented over a decade ago and the strengthening of financial penalties in 2020, PDPA compliance continues to be wanting among Singapore’s organisations. Substantial numbers of small and medium-sized enterprises (‘SMEs’) in Singapore continue to be non-compliant with the PDPA,[21] and prominent large enterprises have been taken to task by the PDPC in recent years, including Love, Bonito (fined $24,000 in 2022),[22] The Law Society of Singapore (issued directions by the PDPC)[23] and Carousell (fined $58,000 in 2024).[24]. In particular, most incidents investigated by the PDPC concerned organisations’ non-compliance with the protection obligation by failing to have sufficient security measures to protect personal data under their control. Despite continuous efforts by the PDPC, as further discussed in the next section, it appears that the PDPA has had limited success in safeguarding the personal data of Singaporeans.

 

Experts have pointed to the limited awareness and understanding of data protection laws in Singapore among local organisations as factors contributing to poor compliance,[25] and where SMEs are aware of PDPA compliance requirements, they frequently face limited resources in ensuring compliance in their business processes.[26]

 

Measures taken by the PDPC

Notably, the PDPC recognises the acute issues faced by SMEs in ensuring compliance with the PDPA and have rolled out a series of measures to assist them. Chiefly, this includes the Data Protection Essentials (DPE) programme, which is jointly offered with the Info-Communications Media Development Authority (IMDA), and serves to assist SMEs in implementing basic data protection measures in their business processes.[27] SMEs which have completed the programme will be given a DPE logo and be listed on the IMDA’s website, which serves as both a mitigating factor in future data breaches and recognises their efforts in implementing basic data protection practices. This is likely to also strengthen consumer trust and confidence in using their services.

 

For larger organisations or more established SMEs, the PDPC and IMDA have developed the Data Protection Trustmark (DPTM), which is a certification for organisations which have implemented sufficient data protection measures to comply with the PDPA.[28] The DPTM would then serve as an indicator to customers and business partners that the organisation is compliant with the PDPA and can serve as a mitigating factor in the event of a future data breach. It is also likely that the DPTM will improve public awareness of data protection matters as more organisations acquire it.

 

Besides certifications, the PDPC has also provided substantial online resources on PDPA compliance matters,[29] and offers several courses[30] as well as a practitioner’s certificate for data protection officers in Singapore.[31]

 

However, these efforts have had limited success among organisations in Singapore. Although increasing numbers of organisations have sought PDPA related certifications in recent years, these remain in the minority and many large local organisations continue to be uncertified. For example, only one law firm[32] and one local university[33] has received DPTM certification,[34] despite the high volume of sensitive personal information handled by these categories of organisations. Evidently, much more needs to be done by the PDPC in raising local awareness of data protection matters and compliance with the PDPA.

 

Further reform of the PDPA

Although the PDPA was only recently amended and strengthened, there remains ample room for further statutory reform. Singapore’s data protection laws continue to be considered inadequate by the European Union[35] and the United Kingdom,[36] which limits the flow of personal data between these jurisdictions and Singapore and impedes organisations operating in Singapore.

 

One notable area which Singapore lags behind its European counterparts is in the scope of the PDPA. The PDPA in Singapore applies exclusively to the private sector and public agencies are excluded from coverage under the Act,[37] which is defined as including the Government, tribunals and specified statutory bodies.[38] In contrast, government bodies are covered by the General Data Protection Regulation (GDPR)[39] in the European Union and the Data Protection Act (DPA)[40] in the United Kingdom. Although a privacy code does exist internal to the public sector in Singapore, this is unenforceable against public agencies and there remains a significant regulatory gap in Singapore’s data protection regime in relation to the public sector.[41] This is concerning given the vast stores of personal information held by government agencies in Singapore. Future revisions to the PDPA may consider deleting or restricting the blanket exclusion for public agencies to improve government accountability and transparency in handling personal data, and further strengthen Singapore’s data protection regime.

 

Some experts have also expressed concern that anonymised data is not considered as personal data under the PDPA and organisations are under no obligation to protect such data.[42] Although individuals cannot be directly identified from anonymised data, multiple sources of anonymous data can potentially be combined to re-identify individuals, which the PDPC has sought to address through its advisory guidelines to organisations.[43] Nevertheless, experts highlight the ease of re-identification from personal data and individuals can be accurately identified from just a small number of demographic attributes or a small amount of personal data,[44] and the non-protection of anonymised data remains a significant weakness in the PDPA. While the GDPR[45] and DPA[46] also does not protect anonymised data, Singapore can consider setting a new global standard by requiring organisations to implement limited data protection measures for anonymised data. The extent of protection required for anonymised data will require a careful balance by policymakers between the cost to business efficiency and the benefit gained by data subjects.

 

Furthermore, the PDPA continues to have no provisions on the right to erasure (also known as the ‘right to be forgotten’), which has been recognised in some jurisdictions as a part of the basic human right to privacy.[47] A right to erasure, which is included in the GDPR[48] and DPA,[49] allows individuals to request organisations to erase personal data that is held about them. This commonly involves requests to internet search engines or news agencies to remove personal information which may be contained about an individual but which is no longer considered relevant, such as articles concerning a spent criminal offence.[50] Including a right to erasure in Singapore’s PDPA will strengthen the privacy rights of individuals in Singapore, as well as the rights of consumers in furthering their control over data held by companies and organisations.

 

Nevertheless, it must be noted that courts have acknowledged that Singapore’s data protection framework is merely intended to afford an ‘adequate level of protection’ for the personal data of individuals in Singapore, balancing between the interests of individuals and various economic interests, rather than seeking to introduce an ‘absolute or fundamental right to privacy’.[51] This approach has been described by BSA The Software Alliance as ‘pragmatic’ and has received plaudits for preserving innovation in the digital economy.[52]  In contrast, the GDPR and DPA builds on the right to privacy contained in Article 7 of the Charter of Fundamental Rights and Article 8 of the European Convention of Human Rights, among other treaty articles.[53] With a different jurisprudential basis for its data protection framework vis-a-vis its European counterparts, Singapore ought to carefully consider the impacts which the above proposed reforms will have on the present equilibrium between individual interests and economic interests, and will have to account for its unique position as an international commercial hub in drafting its laws.

 

Conclusion

Overall, while some efforts have been made towards improving the protection of data in Singapore, much work remains to be done in raising public awareness and organisational compliance with data protection laws. In today’s hyper-connected and digitalised world, the number of malicious actors seeking to exploit our personal information will only continue to grow and so will the pertinence of data protection. Continued outreach and enforcement efforts by the PDPC and further revisions to the PDPA will be necessary to ensure that Singaporeans’ data receive adequate protection.






References

[1] Lee Chong Ming, ‘VPN vulnerability linked to ransomware attack on Law Society: PDPC’ (Channel News Asia, 12 May 2023) https://www.channelnewsasia.com/singapore/law-society-singapore-vpn-vulnerability-ransomware-attack-weak-password-cybersecurity-3483866 accessed 4 March 2024

[2] Firdaus Hamzah, ‘Personal data of 665,000 Marina Bay Sands lifestyle rewards members accessed in data security breach’ (Channel News Asia, 7 November 2023) https://www.channelnewsasia.com/singapore/marina-bay-sands-mbs-customers-personal-data-security-breach-3902491 accessed 4 March 2024

[3] Aqil Hamzah, ‘Carousell fined $58k for data breaches, including one where data of 2.6m users was sold’ (The Straits Times, 24 February 2024) https://www.straitstimes.com/singapore/carousell-fined-58k-for-data-breaches-including-one-where-data-of-26m-users-were-sold-on-hacking-forum accessed 4 March 2024

[4] Ng Jun Sen, ‘The Big Read: What’s the big deal with data privacy? Thorny, complex issues confront citizens and govts’ (Today Online, 26 January 2021) https://www.todayonline.com/big-read/big-read-whats-big-deal-data-privacy-thorny-complex-issues-confront-citizens-and accessed 4 March 2024

[5] Ibid.

[6] Besides the 11 data protection obligations, the PDPA also includes provisions relating to the ‘Do Not Call Registry’.

[7] Personal Data Protection Act 2012, ss 11 and 12.

[8] Personal Data Protection Act 2012, s 20.

[9] Personal Data Protection Act 2012, s 13.

[10] Personal Data Protection Act 2012, s 18.

[11] Personal Data Protection Act 2012, s 23.

[12] Personal Data Protection Act 2012, s 24.

[13] Personal Data Protection Act 2012, s 25.

[14] Personal Data Protection Act 2012, s 26.

[15] Personal Data Protection Act 2012, ss 21 and 22.

[16] Personal Data Protection Act 2012, pt VIA.

[17] Personal Data Protection (Amendment) Act 2020, s 14.

[18] Note: The provisions relating to this obligation have yet to enter into force.

[19] Personal Data Protection Commission Singapore, ‘PDPA Overview’ https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act accessed 4 March 2024

[20] Personal Data Protection Act 2012, s 48J.

[21] Supra note 4.

[22] Dominic Low, ‘Love, Bonito fined $24,000 over 2019 data breach involving over 5,500 customers’ (The Straits Times, 24 May 2022) https://www.straitstimes.com/tech/tech-news/love-bonito-fined-24000-over-data-breach-involving-over-5500-customers accessed 4 March 2024

[23] Personal Data Protection Commission Singapore, ‘Breach of the Protection Obligation by The Law Society of Singapore’ (11 May 2023) https://www.pdpc.gov.sg/all-commissions-decisions/2023/05/breach-of-the-protection-obligation-by-the-law-society-of-singapore accessed 4 March 2024

[24] Supra note 3.

[25] Irene Tham, ‘Privacy watchdog fines 22 in past two years over security breaches’ (The Straits Times, 3 January 2018) https://www.straitstimes.com/tech/privacy-watchdog-fines-22-in-past-two-years-over-breaches?utm_campaign=Echobox&utm_medium=Social&utm_source=Facebook&xtor=CS1-10 accessed 4 March 2024

[26] Supra note 4.

[27] Personal Data Protection Commission Singapore, ‘Data Protection Essentials Programme’ https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-essentials-programme accessed 4 March 2024

[28] Personal Data Protection Commission Singapore, ‘Data Protection Trustmark’ https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-trustmark accessed 4 March 2024

[29] Personal Data Protection Commission Singapore, ‘Guidelines & Consultations’ https://www.pdpc.gov.sg/guideline-and-consultation-menu accessed 4 March 2024

[30] Personal Data Protection Commission Singapore, ‘DPO Competency Framework and Training Roadmap’ https://www.pdpc.gov.sg/help-and-resources/2020/03/dpo-competency-framework-and-training-roadmap accessed 4 March 2024

[31] NTUC LearningHub, ‘Practitioner Certificate in Personal Data Protection (Singapore) 2020’ https://pdpc.ntuclearninghub.com/CandidateRegistration accessed 4 March 2024

[32] Crossborders LLC

[33] Nanyang Technological University

[34] Infocomm Media Development Authority, ‘List of Data Protection Trustmark Certified Organisations (as of 1 March 2024)’ https://www.imda.gov.sg/-/media/imda/files/programme/dptm/dptm-certified-organisations.pdf accessed 4 March 2024

[35] European Commission, ‘Adequacy decisions’ https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en accessed 4 March 2024

[37] Personal Data Protection Act 2012, s 4(1).

[38] Personal Data Protection Act 2012, s 2(1).

[39] General Data Protection Regulation (EU) 2016/679.

[40] Data Protection Act 2018.

[41] Privacy Laws & Business, ‘Singapore’ https://www.privacylaws.com/media/3003/singapore.pdf accessed 4 March 2024

[42] Supra note 4.

[43] Personal Data Protection Commission Singapore, ‘Advisory Guidelines on the Personal Data Protection Act for Selected Topics’ (17 May 2022) 13 https://www.pdpc.gov.sg/-/media/files/pdpc/pdf-files/advisory-guidelines/ag-on-selected-topics/advisory-guidelines-on-the-pdpa-for-selected-topics-17-may-2022.pdf accessed 4 March 2024

[44] Supra note 4.

[47] Michael Green, ‘‘Right to be forgotten’- a basic human right?’ (hamlins, 4 October 2021) https://hamlins.com/right-to-be-forgotten-a-basic-human-right/ accessed 4 March 2024

[48] General Data Protection Regulation (EU) 2016/679, Art 17.

[49] Data Protection Act 2018, s 47.

[50] Supra note 37.

[51] Michael Reed v Alex Bellingham [2022] SGCA 60 [87]-[88], [100]

[52] BSA The Software Alliance, ‘Singapore's Review of the PDPA and its Opportunity for Leadership in the Region’ (DPO Connect, 31 August 2020) https://www.pdpc.gov.sg/-/media/Files/PDPC/DPO-Connect/August-20/Singapores-Review-of-the-PDPA-and-its-Opportunity-for-Leadership-in-the-Region accessed 20 March 2024

[53] GDPR hub, ‘Overview of GDPR’ (3.1.2, 1 February 2024) https://gdprhub.eu/Overview_of_GDPR#Article_7_CFR accessed 20 March 2024


bottom of page