While Singapore was abuzz with the return of the F1 races this weekend, there was a little noticed (or perhaps forgotten) development in the data protection space as the new financial penalty regime under Singapore's Personal Data Protection Act 2012 (PDPA) came into effect on 1 October 2022. Under section 48J of the PDPA, the Personal Data Protection Commission (PDPC) can now impose financial penalties on organisations of up to S$1 million or 10% of the organisation's annual turnover in Singapore, whichever is higher, for breaches of the Data Protection Provisions under the PDPA.
Previously, the PDPC could only impose financial penalties of up to S$1 million for breaches of the Data Protection Provisions under the PDPA. This change to enhance the penalties was introduced in 2020 when the PDPA was amended but only came into force on 1 October 2022 to allow organisations time to prepare.
To herald the coming into force of the new financial penalties, the PDPC issued updates to its Advisory Guidelines on Enforcement of Data Protection Provisions and Guide on Active Enforcement on 1 October 2022 (the Enforcement Guides).
Among other things, the Enforcement Guides set out the factors PDPC takes into consideration when assessing the appropriate financial penalties to be imposed on an organisation for a breach of the Data Protection Provisions, and the situations in which alternative enforcement options may be considered by the PDPC.
In a related development, the Court of Appeal in Singapore handed down a significant decision in September 2022 clarifying that emotional distress can constitute the “loss or damage” required to found a private action under the PDPA. Read more about this develop in our article: Singapore’s Court of Appeal Clarifies Right of Private Action under Singapore’s Personal Data Protection Act | Global law firm | Norton Rose Fulbright
Organisations should keep abreast of these developments and ensure that their data protection frameworks are up-to-date and data risks are appropriately managed.