SINGAPORE, Oct 5 — Companies found guilty of breaching Singapore’s personal data laws may face much higher penalties — potentially hundreds of millions of dollars — under legislative amendments tabled in Parliament today.

The amendments mean firms would pay up to 10 per cent of their annual Singapore turnover or up to S$1 million, whichever figure is higher. The current cap is S$1 million. It is not unusual for large companies to book annual revenue of billions of dollars.

The amendments to the Personal Data Protection Act (PDPA) had their first reading in Parliament today.

Communications and Information Minister S Iswaran told the media last Thursday that the amendment seeks to “give consumers greater confidence and assurance about the way in which personal data is being safeguarded, but also how its use is being enabled in a responsible way in our economy”.


Since the PDPA was enacted in 2012, taking effect in 2014, there have been several high-profile data leaks.

Last year, details of more than 14,000 HIV patients in Singapore’s Human Immunodeficiency Virus (HIV) Registry were leaked.

Several large firms such as SingHealth, ride-sharing firm Grab and gaming hardware firm Razer have also been involved in data breaches in recent years, affecting hundreds of thousands of users.


Under the proposed changes, consumers will also gain greater protection from unsolicited marketing messages.

Under the Do Not Call Provisions of the PDPA and the Spam Control Act, platforms that engage in egregious conduct such as “robo-calls” will be subject to higher penalties.

In 2018, the Personal Data Protection Commission (PDPC), which oversees the PDPA, said it was aiming to merge the Do Not Call Provisions of the PDPA and the Spam Control Act under a single Act governing unsolicited commercial messages.

Under the proposed amendments, consumers will have more protection from messages across all direct communications platforms such as voice calls, SMS, fax, online messages and emails. Direct marketing will also require express consent.

Companies will also have to take steps to manage data breaches, by notifying the PDPC and affected individuals of more severe cases, for example.

For data breaches that result in significant harm to an affected individual or affect more than 500 individuals, the company will have to notify the PDPC. The company will also have to notify the affected individual if the breach causes significant harm.

If there was remedial action taken to reduce the risk of significant harm, or if the individuals’ personal data was encrypted to a reasonable standard, no notification will be needed.

The Bill will be debated at the next Parliamentary sitting. — TODAY