Data breaches: Stiffer fines, mandatory notification proposed

Changes to Act seek to give consumers more assurance on how personal data is protected

COMMUNICATIONS AND INFORMATION MINISTER S. ISWARAN, on the Personal Data Protection (Amendment) Bill.

A company found guilty of a data breach can be fined up to 10 per cent of its annual turnover in Singapore, under a change in the law that protects personal data.

The stiffer fine, however, will be imposed only on companies with an annual turnover that exceeds $10 million. Currently, the maximum a company can be fined for a data breach is $1 million.

The proposed amendment to the Personal Data Protection Act was introduced in Parliament yesterday by Minister for Communications and Information S. Iswaran to strengthen data protection standards and enforcement.

Other prospective changes include making it mandatory for organisations to notify the Personal Data Protection Commission of data breaches that are likely to harm the affected individuals.

Also, it is mandatory that they notify those affected so that the individuals can take steps to protect themselves where possible, such as changing their passwords or cancelling their credit cards.

The Bill seeks to give consumers greater confidence and assurance about the way their personal data is safeguarded, and also how its use is being enabled in a responsible way in Singapore's economy, said Mr Iswaran. "Key to this are the requirements in terms of the accountability... of enterprises or other entities who are collecting information for its use, and the enforcement measures and other tools available to regulators to ensure compliance," he added.

"We also want to give businesses greater certainty as to what they need to do to ensure that they are meeting their obligations... and in the event that an incident were to occur, what measures and steps they need to take."

The Personal Data Protection (Amendment) Bill, which was among four Bills introduced in Parliament yesterday, also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests".

Such situations include using the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings, or to recover or pay a debt.

Under the Bill, consumers must also be allowed to opt out of having their personal data used by companies, such as e-commerce platforms Amazon and Shopee, to recommend specified items. Such recommendation engines typically analyse customers' browsing habits or previous purchases, for example, to automatically suggest items they would be more likely to buy.

A version of this article appeared in the print edition of The Straits Times on October 06, 2020, with the headline 'Data breaches: Stiffer fines, mandatory notification proposed'.