Harsher penalties for data breaches under amended PDPA, Latest Singapore News - The New Paper

Harsher penalties for data breaches under amended PDPA

This article is more than 12 months old

Companies will be penalised more heavily for data breaches while also getting more freedom to use personal data to innovate under changes to Singapore's data protection laws passed in Parliament yesterday.

This tension between keeping consumers' trust high and supporting data use for innovation was acknowledged by Communications and Information Minister S. Iswaran during the debate on changes to the Personal Data Protection Act.

"It's important that we first recognise that this is a delicate and dynamic balance.

"It's delicate because if we overcorrect in one direction, consumers may not retain their confidence and trust in the system," Mr Iswaran said.

"If we swing the other way, then we shackle our businesses and the very benefits that we seek to create for our consumers, for our economy, will diminish."

A key change in the Bill increases the maximum amount that a company can be fined for a data breach to 10 per cent of its annual turnover in Singapore or $1 million, whichever is higher.

Currently, the maximum a company can be fined for a data breach is $1 million.

Mr Iswaran addressed concerns raised about the higher fines during public consultations prior to the passing of the Bill, as well as by Mr Desmond Choo (Tampines GRC) yesterday.

Mr Choo had said that the revised maximum penalty might "artificially" create the impression that penalties under Singapore's data privacy regime are much harsher than those of the country's neighbours, and cause foreign companies to choose other Asian countries over Singapore to set up operations instead.

Mr Iswaran, however, said the penalties imposed are proportionate to the severity of the breach, adding the raised cap will take effect a year after the amended Act comes into force.


The Bill also allows organisations to collect, use or disclose personal data without the consent of individuals in circumstances classified as "legitimate interests".

Such situations include using personal data to detect anomalies in payment systems to prevent fraud, or the data from security cameras or other Internet of Things devices to help in investigations or legal proceedings.