Financial penalty cap for data breaches by organisations under Personal Data Protection Act 2012 to increase from 1 October 2022

11 March 2022

On 4 March 2022, in her inaugural Committee of Supply (“COS”) speech as Minister for Communications and Information and Minister-in-Charge of Cybersecurity delivered in Parliament, Josephine Teo announced that the increased maximum financial penalties for data breaches by organisations as stipulated under the 2020 amendments to the Personal Data Protection Act 2012 (“PDPA”) are to take effect from 1 October 2022. Under these new changes, the maximum financial penalty that may be imposed on an organisation whose annual turnover in Singapore exceeds S$10 million is 10% of the annual turnover in Singapore of the organisation. In any other case, the maximum financial penalty is S$1 million.

By way of background, the Personal Data Protection (Amendment) Bill was passed in Parliament on 2 November 2020, following its introduction for first reading on 5 October 2020. On 10 December 2020, the Personal Data Protection (Amendment) Act 2020 (“Amendment Act”) was gazetted. The Amendment Act partially commenced on 1 February 2021 to, among others, implement the mandatory data breach notification requirement and introduce offences relating to egregious mishandling of personal data. The provisions relating to data portability, imposition of higher financial penalties and some consequential amendments are to take effect later.

For more about the key changes under the Amendment Act, please refer to the following Allen & Gledhill articles:

• Regulations and advisory guidelines under Personal Data Protection Act 2012 amended to provide for how business contact information of data protection officers may be set out
• Personal Data Protection (Amendment) Act 2020 gazetted, PDPC issues draft advisory guidelines to clarify key amendments

• Expected date of commencement of Personal Data Protection (Amendment) Bill, and preparatory steps for organisations
• Personal Data Protection (Amendment) Bill passed to introduce mandatory data breach notification, data portability requirement and increased financial penalty cap

The COS speech and related press release are available on the Ministry of Communications and Information (“MCI”) website www.mci.gov.sg.

MCI’s plans to build a “Digitally Secure, Economically Vibrant, and Socially Stable Singapore”

The press release also provides information, including useful links to relevant factsheets and other COS speeches, on MCI’s plans to build a Digitally Secure, Economically Vibrant, and Socially Stable Singapore as outlined in the various COS speeches delivered in Parliament on 4 March 2022. Such plans include:

• Review of the Cybersecurity Act 2018 to improve awareness of threats over Singapore’s cyberspace, protect virtual assets (e.g. systems hosted on the cloud) that support essential services, and secure important digital infrastructure and services beyond Critical Information Infrastructures (CIIs).
• New Alternative Dispute Resolution scheme in April 2022 to provide an affordable and effective dispute resolution alternative for consumers and small businesses facing contractual disputes with telecommunication and media services providers.
• New Data Protection Essentials programme from 1 April 2022 to help businesses protect their consumer data and enable them to recover quickly from a data breach. 
• New Codes of Practice to create a safer online environment with a focus on child safety, user reporting and platform accountability.