The 2017 Global Smart City Performance Index places Singapore at the top as a global hub for technology. In order to become the leading digital economy and a Smart Nation, the city-state has also launched the Digital Economy Framework for Action. A key component of Singapore's digital goals is cloud computing. The city-state topped the Asia-Pacific region in the 2018 Cloud Readiness Index of the Asia Cloud Computing Association as a result of significant government encouragement of cloud use across the sector. Based on its legal and regulatory environment, especially its data protection system, Singapore was ranked sixth out of 24 global IT economies for its cloud computing preparation in the 2018 BSA Global Cloud Computing Scorecard.
According to the official Quick Guide to the PDPA, Singapore's Personal Data Protection Act (PDPA) regulates the gathering, use, disclosure, and maintenance of personal data. The 9 Main Data Protection Obligations, which seek to strike a balance between individuals' rights to have their personal data protected and organisations' demands for this data for lawful and reasonable business objectives, form the basis of the PDPA.
The Singaporean Parliament approved the PDPA on October 15, 2012, and it was implemented in three stages. On January 2, 2013, the general provisions' first phase went into force. The Data Protection Advisory Committee's establishment, the establishment of the Do-Not-Call Registers by the PDPC, the scope and interpretation of the PDPA, the establishment of the PDPC, the authority that administers and enforces the PDPA, and other general PDPA provisions are all covered by these clauses. The provisions pertaining to the DNC Registry went into effect on January 2, 2014, marking the start of the second phase. The third and final phase saw the main provisions relating to the protection of personal data - specifically Parts 3 to 4 of the PDPA - come into effect on 2 July 2014.
Even when an organization might collect the personal data abroad and transfer it to the city-state of Singapore, the PDPA nevertheless applies to the processing of personal data by organizations there. The PDPA is controlled, promoted, and enforced by the Personal Data Protection Commission (the Commission). Personal information is defined by the act as information that "regardless of whether true or not, enables the identification of a living individual from that data; or from that data and additional information to which the organization has or is expected to have access."
Data intermediaries, on the other hand, are described as "organizations that process personal data on behalf of another organization but do not involve an employee of that other company."
The Personal Data Protection (Amendment) Bill 2020 (referred to as "the Amendment Bill"), which was passed on November 2, 2020, and formally enacted as the Personal Data Protection (Amendment) Act 2020 (referred to as "the Amendment Act"), marked the PDPA's most recent and most thorough revision since it was enacted in 2012. On February 1, 2021, the majority of the Amendment Act's provisions went into force. The most notable change was the introduction of a mandatory data breach reporting system, which mandates that enterprises that experience a data breach notify the PDPC and any affected parties of that breach unless an exception exists.
Notably, not all of the Amendment Act's provisions have taken effect. For instance, the enhanced financial penalty regime, which will go into effect on October 1, 2022, allows the PDPC to impose financial penalties of up to 10% of an organization's annual turnover in Singapore (if that turnover exceeds SGD 10 million, or approximately ?6.85 million), or SGD 1 million, whichever is higher. The requirements relating to the new data portability requirement will also go into effect later.
The PDPA has also been taken into consideration by the Singapore courts in addition to the enforcement judgments made by the PDPC (see the section below on enforcement decisions). A claim for defamation and a violation of the PDPA against the Singapore Swimming Club was dismissed by the State Courts of Singapore on February 19, 2019. Even though the PDPC had not rendered a decision regarding any alleged violations of the PDPA, this case is notable because it appears to be the first instance in which Singapore courts were asked to assess whether there had been a breach of the PDPA.
Additionally, the District Court had to decide on a claim based on the individual's right to bring a private action under the previous Section 32 of the PDPA in IP Investment Management Pte Ltd and others v. Alex Bellingham [2019] SGDC 207, a judgement of the District Court delivered on 3 October 2019. (now Section 48O of the PDPA). The District Court determined that relevant Data Protection Provisions had been broken and that the defendant's improper use of the third plaintiff's personal information had caused loss and harm. Consequently, the District Court issued a prohibition against the defendant utilizing, disclosing, or communicating any personal data of the third plaintiff and ordered the defendant to undertake the destruction of all personal data of the third plaintiff.
Conclusion
The PDPC has issued a number of enforcement rulings since 2016 that have been useful in elaborating on the requirements under the PDPA with regard to personal data protection. The PDPC website often provides access to these enforcement rulings. A considerable majority of these instances included violations of the Protection Obligation, as defined in Section 24 of the PDPA, and as of 1 March 2022, the PDPC has issued a total of 203 grounds of judgments or summaries of grounds of decisions. The willful publication of personal data, lax technical security measures, lax physical security measures, mistakes in bulk email and/or postal mail, and insufficient data protection policies are the most frequent types of protection obligation violations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
