What You Should Know About Singapore’s New Stricter Data Privacy Laws
article
Singapore’s Personal Data Protection Commission (PDPC) has updated legislation on how the country will manage data privacy and protections. These new laws include allowing wider enforcement controls for the PDPC, instituting mandatory notifications when data is breached, and making the mishandling of data a criminal offense.
This means that if an information collector mishandles personal data in Singapore – either intentionally or accidentally – they open themselves to risk. They may be criminally prosecuted and, if found guilty, face cash fines and imprisonment.
You may wonder why many legal eyes are focused on a country that is only 276 square miles wide, but there are several key reasons for this interest. While most of Europe has human rights as the basis of its data protection laws, Singapore’s laws are centered around securing the country’s place in the global economic marketplace. Singapore is one of the world’s leaders in per capita income, has the highest percentage of millionaires in the world, and has the highest ratio of trade to GDP in the world.
Data Protection Encourages Worldwide Investment
Singapore has been working on data protection laws for the last 10 years and has been continuously updating regulations throughout the decade. The original PDP law was drawn up in 2012 and was ratified in July of 2014. To comply with the law, companies doing business in Singapore must:
- Notify their customers if their data is being disclosed, collected, or used, and only use that data for the purposes defined.
- Ensure consent has been granted by individuals before collecting, using, or disclosing their data. According to attorneys at Latham & Watkins LLP, the new amendments include provisions for implied consent of information release and some exceptions to the PDPA consent requirements, such as “legitimate interests” and “business improvement” exceptions.
- Upon request, an organization must be able to provide information on how a customer’s data has been used in the past 12 months.
- Ensure personal data is complete and accurate.
- Ensure data is kept secure from unauthorized access, modification, use, and disclosure.
- Data should only be retained when needed and should be destroyed when no longer needed.
- Ensure that overseas external organizations provide a comparable standard of protection.
- Designate a Data Protection Officer (DPO) and publish his/her business contact information. PDP policies should be made available to the public and employees.
- Not send marketing messages to individuals who are registered in a National DNC (Do Not Call) registry.
Singapore has been working on data protection laws for the last 10 years and has been continuously updating regulations throughout the decade.
Singapore Wants the Trust of the Global Market
In short, companies doing business in Singapore must find a balance between respecting an individual’s right to data privacy and the organization’s use of data for legitimate business activities. PDPC Commissioner Chuen Hong Lew has said that when data breaches happen, “it is not only personal data that is lost. Reputations of individuals and organizations are involved as well.”
The PDPC is also moving toward further punitive responses if data is leaked or lost. Aside from criminal charges, offenders may be given higher financial penalties based on the seriousness of the data breach and the level of harm caused by the leak. As of February 2022, it could cost data breach violators up to $1 million (Singapore currency) or 10% of their annual gross income.
Data portability rules are also on the horizon. This new obligation lets individuals request a copy of their personal data to be transmitted in a commonly used machine-readable format to another organization, enabling consumers to switch to new service providers more easily.
What to Watch for Next: Data Protection in Singapore
If your company works in Singapore, or has an office there, it’s crucial to be aware of the new regulations and to safeguard all data that you collect and hold. It’s important to understand all the nuances of data protection exceptions as well, such as the allowances for business improvements and legitimate interests.
Other Related Posts
The Second Circuit Considers a $2.7 Million Discovery Sanction in a $20,000 Case
In Klipsch Group v. ePRO, the Second Circuit demonstrated that sanctions for discovery misconduct must be proportional to the misconduct’s impact rather than the value of the case
Social Media Screenshots No Substitute for Spoliated Native Files
A United States District Judge finds screenshots of social media messages an inadequate substitute for spoliated native files and excludes all related evidence and testimony
Cloud Watching: Strategies and Best Practices for Microsoft 365 Discovery
Microsoft 365 was already widely-used before 2020, and the rise of remote work since then has caused adoption of this cloud-based solution to rapidly increase. Today, understanding the functionalities – and limitations – of the Microsoft 365 environment and its discovery tools has become essential for legal teams.
Cross-Border Discovery: A Guide to Practical Challenges for US Counsel
As the world’s economies continue to reach across borders, US counsel representing companies of all sizes are more frequently required to gather data from other countries. This paper provides those counsel with practical guidance regarding the logistical and operational challenges that arise in a typical matter requiring cross-border discovery.