In 2014, Singapore’s personal data protection law came into full force, and there has been active enforcement of the law since its passing. The law applies to all organizations operating in Singapore, regardless of their size and the nature of their business. Companies that employ personnel in Singapore must take note of how Singapore data protection law applies to them.
Is there data protection law in Singapore? What are the penalties for noncompliance? How active is the authority in enforcing the law?
- Yes, there is comprehensive data protection law in Singapore. All private sector organizations that collect, use, or disclose (collectively process) personal data in Singapore have to comply with Singapore’s Personal Data Protection Act 2012 (Act).
- The Act came into full force in July 2014. The Act is expected to undergo significant amendment in 2020. Please contact the authors below to be included in our mailing list to receive timely updates on these developments.
- The maximum financial penalty for a breach of the Act is S$1 million. The highest penalty imposed to date was for the data breach involving SingHealth, where the responsible parties were fined a total of S$1 million.
- The Act is actively enforced by the Personal Data Protection Commission of Singapore (Commission). As of March 10, 2020, the Commission has published 135 of its enforcement decisions. As not all decisions by the Commission are published, the total number of enforcement cases that the Commission has investigated is likely to be significantly higher.