Singapore’s Parliament has passed new amendments to the Personal Data Protection Act (‘PDPA’) which include, among other things, enhanced individual rights, stronger enforcement powers for the Singapore's Personal Data Protection Commission (‘PDPC’), and new penalties for non-compliance. The PDPA regulates the processing of personal data by organisations in Singapore and seeks to achieve a balance between protection of individuals’ personal data, and fostering innovation through enabling organisations’ operational requirements to process personal data.

The Singaporean government sought to emphasise the importance of data and the capacities for using data analytics in the digital economy, and to offset the risks of this exponential increase in innovation with the potential risks to individuals’ personal data through an enhanced legislative framework. These steps were taken by the government after examining changes to data protection regulatory requirements in other jurisdictions including Australia, Canada, Hong Kong, New Zealand and also at the European Union level.

Following the passing of the proposed amendments to the PDPA, the PDPC has also published new draft guidelines which seek to clarify key provisions of the latest changes to the PDPA. Key areas covered by the guidance includes:

  • An enhanced framework for the collection, use, and disclosure of personal data, including  obtaining consent from individuals, exceptions to the consent regime and also assessments for relying on the expanded concept of deemed consent;
  • Mandatory breach notification requirements to the PDPC and impacted individuals, including on the duty to conduct an assessment of a data breach, the criteria for data breach notification, and timeframes required for notification;
  • Financial penalties for non-compliance, up to 10% of an organisation’s annual turnover in Singapore or SGD 1,000,000, whichever is higher;
  • Offences for egregious mishandling of personal data, including applicable defences and re-identification of anonymised data.

The draft Advisory guidelines to these amendments are not intended to provide an exhaustive overview of all amendments in the PDPA, however they provide valuable insight into the key changes and the PDPC’s interpretation of them. The draft guidance is likely to be finalised in 2021.