On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.
One area of emphasis is strengthening the effectiveness of enforcement of the Personal Data Protection Act, the PDPA, by the Commission.
There are various initiatives in the proposed amendment bill that are directed at enforcement. A notable example is a proposal to increase the financial penalty cap.
I am fond of saying in training courses that, while no one likes to write out a cheque to pay a financial penalty, the costs of an investigation in terms of both lost time in dealing with the investigation instead of getting on with business and in terms of external costs, such as consultants and other experts can be much higher than the amount of any fine.
Still, in most organisations it is the amount of a potential fine that many Data Protection Officers tell me catches the attention of senior management. The SingHealth case helped in focusing their attention too. So perhaps this is a change to the PDPA that Data Protection Officers who have trouble getting sufficient resources to do their job well will welcome.
Under section 29 of the PDPA the Commission has the power to give 'such directions as the Commission thinks fit in the circumstances to ensure compliance with' any provision in Parts III to VI of the PDPA. (These are the data protection provisions. The amendment bill proposes extending section 29 so that directions may cover failures to comply with the Do Not Call rules too.)
The directions may include a range of operational matters and we see in various enforcement decisions published by the Commission directions to appoint a data protection officer, directions to put policies and procedures in place and directions to have staff trained. The Commission can also issue directions to stop collecting, using or disclosing personal data in contravention of the PDPA and directions to destroy personal data collected in contravention of the PDPA.
The 'big one' of course, is the power of the Commission to issue a direction to an organisation to pay 'a financial penalty of such amount not exceeding $1 million as the Commission thinks fit'.
A higher maximum penalty is proposed in the amendment bill. The Commission says in the Public Consultation Paper that the higher cap will serve as a stronger deterrent and provide the Commission with more flexibility in meting out financial penalties based on the circumstances and seriousness of a breach.
It goes on to say that the higher cap will also be closer to that of other jurisdictions, such as the European Union and Australia.
The draft amendment bill therefore amends section 29 of the PDPA so that the maximum amount of a financial penalty imposed by the Commission will be the greater of:
As is well-known, penalties under the General Data Protection Regulation, the GDPR, in the European Union can be 20 million or four percent of an entity's global annual turnover, whichever is the higher. As is perhaps less well-known, the GDPR specifically states that the fines imposed by supervisory authorities 'should be effective, proportionate and dissuasive'.
So far, with the notable exception of the SingHealth breach, the penalties imposed by the Commission in Singapore have generally been less than $50,000 often quite a lot less than $50,000 with a few between $50,000 and $100,000.
However, we have seen that the total fines imposed in 2019 (after deducting $1 million in connection with the SingHealth breach) exceeded the total fines imposed in the three years from 2016 to 2018.
Is the total of fines in 2019, coupled with the proposed increase in maximum fines, a signal that the Commission intends to 'take off its gloves' in the coming months and impose much higher fines than in the past? Wise organisations will make sure that they are not in the firing line in case this is exactly what is going to happen.
Written by Lyn Boxall, Director, Lyn Boxall LLC
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.
Access online / in-person courses and view past training records
Join lively discussions on pertinent data protection topics
Gain access to data protection research and video resources
Receive value-added data protection updates from the region
The novel coronavirus, or COVID-19, has been receiving global attention, and co…
On Wednesday, 11 March 2020, the World Health Organisation (WHO) declared COVID…
Here are some general tips that your organisation can follow at each stage of i…