Proposals to amend data protection law include stiffer fines

Fines of up to 10% of annual gross turnover or $1m, whichever is higher, for data breach

In case of a data breach, organisations may soon be slapped with fines of up to 10 per cent of their annual gross turnover or $1 million, whichever is higher, if proposed amendments to the Personal Data Protection Act go through.

Currently, companies are liable for a fine of up to $1 million, but the authorities are seeking stronger deterrents for data breaches.

The stricter penalty will be aligned with the law in other jurisdictions, such as the European Union, the Ministry of Communications and Information and privacy watchdog Personal Data Protection Commission (PDPC) said yesterday in their fourth public consultation exercise to amend the Act.

The General Data Protection Regulation in the EU, for instance, provides a revenue-based maximum financial penalty of 4 per cent of an entity's global annual turnover or €20 million (S$30.7 million), whichever is higher.

The potentially higher fines are among a list of proposed amendments in the draft Personal Data Protection (Amendment) Bill, which will be tabled in Parliament later this year.

The public consultation exercise on the ministry's website ends on May 28 at 5pm.

Other key proposed amendments that the authorities are inviting feedback on include mandating organisations to notify PDPC of a data breach that involves 500 or more individuals, or that is likely to result in harm to affected individuals, as well as to notify the affected individuals themselves.

Notifying affected individuals allows them to take steps to protect themselves where possible, such as changing their passwords or cancelling credit cards.

Individuals may also be able to request a copy of their personal data to be transmitted to another organisation under a new Data Portability Obligation, so that users can switch service providers easily.

In some circumstances, organisations may be able to collect, use or disclose personal data for "legitimate interests" - including the creation of a blacklist, say, by healthcare service providers and insurers to detect potential misuse of services and healthcare fraud.

This draft Bill also includes related amendments to the Spam Control Act (SCA), which has been in force since 2007.

The SCA, for example, will be amended to cover commercial text messages sent in bulk to instant messaging accounts such as WhatsApp and Facebook Messenger, to protect users from unsolicited messages. This expands the scope of the Act beyond e-mail and SMS.

If an individual mishandles personal data in the possession or under the control of an organisation or public agency, he shall be guilty of an offence, and could be fined up to $5,000 or jailed for up to two years, or both.

Such penalties will align with the public sector's internal rules for public officers who mishandle government data.

PDPC deputy commissioner Yeong Zee Kin said in a statement: "The amendments...will support our organisations' efforts as they transform and grow in the digital economy to better serve consumers."

A version of this article appeared in the print edition of The Straits Times on May 15, 2020, with the headline Proposals to amend data protection law include stiffer fines.