Proposed changes to Singapore's data protection law seek stiffer penalties for info leaks

Currently, companies are only liable for financial penalties of up to $1 million. PHOTO: THE NEW PAPER

SINGAPORE - In case of a data breach, organisations may soon be slapped with fines of up to 10 per cent of their annual gross turnover, or $1 million, whichever is higher, if proposed amendments to Singapore's Personal Data Protection Act go through.

Currently, companies are liable for a fine of only up to $1 million, but the authorities are seeking stronger deterrents for data breaches.

The stricter penalty will be aligned with the law in other jurisdictions, such as the European Union, said the Ministry of Communications and Information (MCI) and privacy watchdog Personal Data Protection Commission (PDPC) in their fourth public consultation exercise to amend the Act on Thursday (May 14).

The EU's General Data Protection Regulation, for instance, provides a revenue-based maximum financial penalty of 4 per cent of an entity's global annual turnover, or €20 million (S$30.7 million), whichever is the higher.

Slapping potentially higher fines in Singapore is among a list of proposed amendments to the draft Personal Data Protection (Amendment) Bill.

Other key proposed amendments on which the authorities are inviting feedback include mandating organisations to notify PDPC of a data breach that involves 500 or more individuals, or that is likely to result in harm to affected individuals, as well as to notify the affected individuals themselves.

Individuals will also be able to ask for a copy of their personal data to be transmitted to another organisation under a new Data Portability Obligation, so that users can switch service providers easily.

This draft Bill also includes related amendments to the Spam Control Act (SCA), which has been in force since 2007. The SCA, for example, will be amended to cover commercial text messages sent in bulk to instant messaging accounts, such as WhatsApp and Facebook Messenger, to protect users from unsolicited messages.

If an individual discloses personal data in the possession or control of an organisation, he shall also be guilty of an offence, and could be fined up to $5,000 or jailed for up to two years, or both. Such penalties will align with the public sector's internal rules for public officers who mishandle Government data.

PDPC deputy commissioner Yeong Zee Kin said in a statement that the public's trust in organisations' management of their data is "especially important" when digital services such as e-commerce are becoming increasingly prevalent. This comes as the digital economy generates a large amount of data, including in recent weeks when many activities have moved online, he said.

"The amendments... will support our organisations' efforts as they transform and grow in the digital economy to better serve consumers," he added.

The public consultation on MCI's website ends on May 28 at 5pm.

Join ST's WhatsApp Channel and get the latest news and must-reads.