Singapore cracks down on privacy breaches

Singapore’s data protection regulator, the Personal Data Protection Commission (PDPC), has been cracking down on breaches of the Personal Data Protection Act (PDPA). It has just released a set of Data Protection Enforcement Cases, which includes a list of enforcement actions taken against 11 organisations for breaching the PDPA. This provides an insight into the approach the authorities will take to enforcing what is still a relatively new law.

According to the reported enforcement cases, four organisations were fined amounts ranging from S$5,000 to S$50,000 (about USD 3,700 to USD 37,000), and seven others were issued warnings or directions. The PDPC looked at various factors when determining the severity of breaches, such as the extent to which the organisations had data protection policies and processes in place, the time taken to remedy the breach, the number of affected individuals and the type of personal data involved. The highest fine of S$50,000 (about USD 37,000) was imposed on K Box Entertainment Group for failing to have in place adequate security measures to protect its members’ personal data, resulting in details of 317,000 members being leaked online in September 2014. An IT vendor, Finantech Holdings, which was engaged by K Box to develop and manage K Box’s Content Management System, was also found liable and fined S$10,000 (about USD 7,400), as a data intermediary for K Box. As with all published enforcement actions, the reputational implications tend to be at least as significant as any other penalties.

Since the PDPA came into force in July 2014, the PDPC has received 667 complaints in total, of which 92% were resolved by investigation and facilitation between the respective complainants and organisations. Common issues in these complaints involved unauthorised personal data processing and a lack of data protection measures.

So what does this mean for organisations in Singapore? These enforcement cases confirm that although the PDPA is generally regarded as a “business-friendly” regulation which is not intended to stifle data innovation, the PDPA is clearly willing to intervene when organisations fall short of the required standards. Given the reputational and financial implications of these high-profile enforcement actions, organisations will need to look carefully at their processes and policies to ensure they are compliant.

Author: Daniel Jung

Daniel is an Associate qualified in New Zealand and New South Wales, Australia. Daniel joined the firm in 2014 and is working across the Commercial and Dispute Resolution teams on a wide range of contentious and non-contentious matters with a focus on the Technology, Media and Telecom sectors. Daniel advises our international clients in the technology, media and telecoms sectors on cross-border commercial transactions and regulatory compliance in relation to sales/acquisition deals, media buying/creative services, cloud computing, e-commerce, data protection and privacy and telecom regulations. Daniel's commercial experience also includes a secondment as an in-house lawyer to an international media company, A+E networks Asia, where he developed particular expertise in digital media. Daniel has significant experience in managing multi-jurisdictional projects which cover most of the APAC countries (and often involve other parts of the world). Daniel is fluent in English and Korean.
