Parliament: Proposed changes to PDPA include stiffer fines for data breaches, mandatory notification when they occur

Currently, the maximum a company can be fined for a data breach is $1 million.

SINGAPORE - A company found guilty of a data breach can be fined up to 10 per cent of its annual turnover in Singapore, under a proposed change to the law that protects personal data.

The stiffer fine, however, will be imposed only on companies with an annual turnover that exceeds $10 million. Currently, the maximum a company can be fined for a data breach is $1 million.

The proposed amendment to the Personal Data Protection Act (PDPA) was introduced in Parliament on Monday (Oct 5) by Minister for Communications and Information S. Iswaran to strengthen data protection standards and enforcement.

Other prospective changes include making it mandatory for organisations to notify the Personal Data Protection Commission (PDPC) of data breaches that are likely to harm the affected individuals.

Organisations must also notify the affected individuals, so that they can take steps to protect themselves where possible, such as changing their passwords or cancelling their credit cards.

The Bill not only seeks to give consumers greater confidence and assurance about the way their personal data is safeguarded, but also how its use is being enabled in a responsible way in Singapore's economy, said Mr Iswaran.

"Key to this are the requirements in terms of the accountability... of enterprises or other entities who are collecting information for its use, and the enforcement measures and other tools available to regulators to ensure compliance," he added.

"We also want to give businesses greater certainty as to what they need to do to ensure that they are meeting their obligations... and in the event that an incident were to occur, what measures and steps they need to take."

The Personal Data Protection (Amendment) Bill, which was among four Bills introduced in Parliament on Monday, also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests".


Such situations include using the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings, or to recover/pay a debt.

Under the Bill, consumers must also be allowed to opt out of having their personal data used by companies, such as e-commerce platforms Amazon and Shopee, to recommend specified items.

Such recommendation engines typically analyse customers' browsing habits or previous purchases, for example, to automatically suggest items the customers could be more likely to buy.