DLA Piper Intelligence

Data Protection
Laws of the World

Law

Singapore

Singapore enacted the Personal Data Protection Act of 2012 (No. 26 of 2012) on October 15, 2012, and it was subsequently amended / enhanced via the Personal Data Protection (Amendment) Act 2020 (together, the “Act”).

The Act has extraterritorial effect, meaning it applies to organizations collecting, using or disclosing personal data in Singapore whether or not the organization itself has a physical presence or is registered as a company in Singapore.

In addition to the Act, the Singapore data protection regime consists of various general or sector / industry-specific guidelines issued by the Personal Data Protection Commission (“Commission”). While these guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best practice to carefully observe and follow these guidelines.

The data protection obligations under the Act do not apply to the public sector, to which separate rules under the Government Instruction Manual 8 (“IM8”) and the Public Sector (Governance) Act apply. Collectively, these rules provide standards of data protection comparable to those under the Act, including similar investigations and enforcement actions taken against data security breaches. The Public Sector Data Security Review Committee was convened on March 31, 2019 to conduct a comprehensive review of data security policies and practices across the public sector. The Government implemented its recommendations and adopted changes to its data security measures. Examples include:

  • Requiring officers to password-protect files containing sensitive data when sending them out; and
  • Enhancing the data incident management framework with a standardized process to notify affected individuals in data incidents and conduct post-incident inquiry.
Last modified 20 Dec 2023
United States

United States privacy law is a complex patchwork of national, state and local privacy laws and regulations. There is no comprehensive national privacy law in the United States. However, the US does have a number of largely sector-specific privacy and data security laws at the federal level, as well as many more privacy laws at the state (and local) level. In recent years, beginning with California, states have begun to introduce their own comprehensive privacy laws, and other states are expected to follow and enact their own comprehensive state privacy laws. Although a bipartisan draft bill (the ‘American Data Privacy and Protection Act’) was introduced in 2022, several senators opposed the bill, and a comprehensive privacy law at the federal level is not expected to pass any time soon.

Federal and State Privacy Laws and Regulations

Federal laws and regulations include those that apply to financial institutions, telecommunications companies, credit reporting agencies and healthcare providers, as well as driving records, children’s privacy, telemarketing, email marketing and communications privacy laws. 

There are also a number of state privacy and data security laws that overlap with federal law—some of these state laws are preempted in part by federal laws, but others are not. US states have also passed privacy and data security laws and regulations that apply across sectors and go beyond federal law—such as data security laws, secure destruction, Social Security number privacy, online privacy, biometric information privacy, and data breach notification laws. Generally, each state’s laws apply to personal information about residents of that state or activities that occur within that state. Thus, many businesses operating in the United States must comply not only with applicable federal law, but also with numerous state privacy and security laws and regulations.

For example, California alone has more than 25 state privacy and data security laws, including the California Consumer Privacy Act (CCPA) and its regulations as recently amended by the California Privacy Rights Act (CPRA), collectively referred to as the CCPA. The CCPA, as amended, introduced additional definitions and individual rights, and imposed additional requirements and restrictions on the collection, use and disclosure of personal information. The CCPA is also unique among state comprehensive privacy laws in that, as of January 1, 2023, it applies to HR and B2B personal information. Enforcement of the CPRA amendments to the CCPA commenced on July 1, 2023 for violations of the new provisions that occur on or after that date.

Notably, updated CCPA regulations based on the CPRA amendments were finalized on March 29, 2023, with enforcement by the California Attorney General and the newly established California Privacy Protection Agency (‘CPPA’ or ‘Agency’) expected to begin on July 1, 2023. However, following a suit filed by the California Chamber of Commerce, the Sacramento district court ruled that the Agency was required to give businesses 12 months between finalizing a CCPA regulation and commencing enforcement, effectively delaying enforcement of the amended regulations to March 29, 2024. This delay does not affect the Agency or the California Attorney General’s ability to enforce the version of the CCPA amended by the CPRA (effective July 1, 2023) or the existing (i.e., pre-2023-amendment) CCPA regulations (effective August 14, 2020).

In late 2022, the California legislature also passed the California Age-Appropriate Design Code, which was slated to take effect July 1, 2024 and would apply to companies that meet the definition of “business” under the CCPA and that provide online services that are likely to be accessed by individuals under 18 years of age. However, on September 18, 2023, a California District Court issued an injunction blocking the law from coming into effect on First Amendment grounds. Following an appeal to the Ninth Circuit by the California Attorney General's office, the fate of the law is currently uncertain. More information on the California Age-Appropriate Design Code is available at https://www.dlapiper.com/en-us/insights/publications/2023/05/californias-age-appropriate-design-code-act

Beyond California, Colorado's Attorney General finalized the Colorado Privacy Act (CPA) Rules on March 15, 2023, which add significantly to the CPA’s obligations on businesses. Both the CPA and the CPA Rules went into effect July 1, 2023. Connecticut, Utah, and Virginia’s privacy laws also took effect in 2023.

While not identical, the Colorado, Connecticut, Utah, and Virginia state privacy laws are substantially similar to each other in most key aspects. Further, unlike the CCPA, all are also generally inapplicable to personal information collected about, and processed in the context of, employee and business relationships. On the other hand, while the CCPA has some practical similarities with these state laws, it adopts more granular definitions, requirements, and restrictions that vary considerably from these laws, and, notably, applies to personal information collected from California residents in employment and B2B contexts.

2023 brought a significant development in the health data space, with Washington passing the My Health My Data Act (MHMD). The law ostensibly applies only to consumer health data, but its exceptionally broad definitions and scope combined with its private right of action may mean its enforcement touches on data many companies may not typically consider “health” data. More information on the MHMD Act is available at https://www.dlapiper.com/en/insights/publications/2023/04/washington-state-passes-my-health-my-data-act

Finally, the pace of state privacy legislation accelerated in 2023 overall, with the following states passing their own comprehensive privacy laws or variations thereof:

  • Florida (effective July 1, 2024)
  • Oregon (effective July 1, 2024)
  • Texas (effective July 1, 2024)
  • Montana (effective Oct. 1, 2024)
  • Delaware (effective Jan. 1, 2025)
  • Iowa (effective Jan. 1, 2025)
  • Tennessee (effective Jan. 1, 2025)
  • New Jersey (effective Jan. 15, 2025)
  • Indiana (effective Jan. 1, 2026)

More information on the US state privacy laws is available at https://privacymatters.dlapiper.com/state-privacy-laws/


Enforcement of Unfair and Deceptive Trade Practices

In the United States, consumer protection laws, which prohibit unfair and deceptive business practices, provide another avenue for enforcement against businesses for their privacy and security practices.

At the federal level, the US Federal Trade Commission (FTC) uses its authority to protect consumers against unfair or deceptive trade practices, to take enforcement actions against businesses for materially unfair privacy and data security practices. The FTC uses this authority to, among other things, take enforcement actions and investigate companies for:

  • Failing to implement reasonable data security measures
  • Making materially inaccurate or misleading privacy and security statements, including in privacy policies
  • Failing to abide by applicable industry self-regulatory principles
  • Transferring or attempting to transfer personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed on the applicable consumer privacy policy
  • Violating consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of standards established in their prior enforcement precedents  

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. State attorneys general also sometimes work together on enforcement actions against companies for actions that broadly affect the consumers of multiple states (such as data breaches). 

Privacy class actions also continue to be a key risk area in the United States, including in the context of biometric privacy (under the Illinois Biometric Privacy Act), text messaging (under the federal Telephone Consumer Privacy Act) and call recording, wiretapping and related claims under the California Invasion of Privacy Act and other state laws. Online monitoring and targeting activities—including via cookies, pixels, chat bots, and so-called “session replay” tools—are an area of particular focus in the United States from a regulator and enforcement perspective and are also a developing litigation risk area.

Last modified 29 Jan 2023
Definitions

Definition of personal data

Personal data is defined in the Act to mean data, whether true or not, about an individual (whether living or recently deceased*) who can be identified from:

  • that data; or
  • that data and other information to which the organization has, or is likely to have access.
*The Act's application to recently deceased individuals is limited to disclosure and protection of personal data where such data is about an individual who has been deceased for ten years or fewer.

The data protection obligations under the Act do not apply to business contact information. This excludes from the Act the following if provided solely for business purposes:

  • Name
  • Position name or title
  • Business telephone number
  • Business address
  • Business electronic mail address
  • Business fax number

It is important to note that the Act still governs business contact information provided by individuals solely in their personal capacity. Where the purposes of provision of business contact information are mixed (that is, for both business and personal purposes), the Act does not apply.

Definition of sensitive personal data

There is no definition of sensitive personal data in the Act.

However, non-binding guidance from the Commission indicates that sensitivity of data is a factor for consideration in implementing policies and procedures to ensure appropriate levels of security for personal data. For example, encryption is recommended for sensitive data stored in an electronic medium that has a higher risk of adversely affecting the individual should it be compromised. Where any personal data collected is particularly sensitive (e.g. regarding physical or mental health), as a matter of best practice, such data should only be used for limited purposes and the security measures afforded to such data should take into account the sensitivity of the data.

In addition, the non-binding guidelines issued by the Commission also provide that, in its calculation of financial penalties for breaches of the Act, the Commission would consider whether the organization in question is in the business of handling large volumes of sensitive personal data, the disclosure of which may cause exceptional damage, injury or hardship to an individual (such as medical or financial data), but it has failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of such personal data.

The Commission has also issued a set of advisory guidelines to impose restrictions on the collection, use and disclosure of National Identification Registration Card (“NRIC”) numbers, due to the sensitive nature of the information contained in NRICs (and other similar forms of identification). Organizations are not permitted to collect either the NRIC number or the physical cards or other similar forms of identification unless the organization is permitted to do so under the law or if the collection is necessary for the verification of an individual's identity to a “high degree of fidelity” (where it is extremely important that the individual’s identity is verified, and failure to do so may, for example, pose a significant safety or security risk).

Last modified 20 Dec 2023
Authority

Personal Data Protection Commission

Address

10 Pasir Panjang Road #03-01
Mapletree Business City
Singapore 117438

Telephone

+65 6377 3131

Fax

+65 6577 3888

Website

www.pdpc.gov.sg

Last modified 20 Dec 2023
Registration

There are no registration requirements under the Act.

While not a requirement, the Commission strongly encourages organizations to register their Data Protection Officers ("DPOs") with the Commission via the Commission's website, to assist DPOs in keeping up to date with developments in the law. Organisations may also choose to register their DPOs’ business contact information as part of their Accounting and Corporate Regulatory Authority (“ACRA”) Bizfile details, so that these will show up in search results on the ACRA website.

Last modified 20 Dec 2023
Data Protection Officers

It is mandatory for each organization to appoint one or more DPOs to be responsible for ensuring the organization’s compliance with the Act. An organization may appoint one person or a team of persons to be its DPO. Once appointed, the DPO may in turn delegate certain responsibilities, including to non-employees of the organization. The business contact information of the DPO must be made available to the public.

While there is no requirement for the DPO to be a citizen or resident in Singapore, the Commission suggests that the DPO should be readily contactable from Singapore, available during Singapore business hours and, where telephone numbers are provided, these should be Singapore telephone numbers.

Failure to appoint a DPO may lead to a preliminary investigation by the Commission. If an organization or an individual fails to cooperate with the investigation, this will constitute an offence. As a result, an individual may be subject to a fine of up to SGD 10,000 or imprisonment for a term not exceeding 12 months, or to both. An organization may be subject to a fine of up to SGD 100,000.

Last modified 20 Dec 2023
Collection & Processing

Organizations may only collect, use or disclose personal data in the following scenarios:

  • They obtain express consent from the individual prior to the collection, use, or disclosure of the personal data (and such consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or service; and must not be obtained through the provision of false or misleading information or through deceptive or misleading practices), and have also provided the relevant data protection notice (notifying purposes of collection, use and disclosure) to the individual before, or at the time when they are collecting, using or disclosing the personal data. It is also possible to obtain the deemed consent of the individual to the collection, use, or disclosure of the personal data in accordance with the relevant conditions of the Act (see the Personal Data Protection Regulations 2021).
  • Where the limited specific exclusions prescribed in the Act apply (if no consent or deemed consent is given). Such exclusions include vital interests of individuals, matters affecting the public, legitimate interests, business asset transactions, business improvement purposes and other additional bases.

The Act currently in force expanded the concept of “deemed consent” to cover circumstances where: (i) the collection, use or disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) (a) where individuals have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to opt-out, and have not opted out, and (b) the organization has conducted an assessment on the likely adverse effect on such individuals, and identified and put in place reasonable measures to eliminate, reduce the likelihood of or mitigate any such adverse effect.

An individual may at any time withdraw any consent given, or deemed given under the Act, upon giving reasonable notice to the organization.

Further, any collection, use or disclosure of the personal data must only be for purposes that a reasonable person would consider appropriate in the circumstances, and for purposes of which the individual has been notified. Such notification must be made in accordance with the requirements of the Act.

An organization must also do all of the following:

  • Make information about its data protection policies, practices and complaints process publicly available.
  • Cease to retain personal data or anonymize it where it is no longer necessary for any business or legal purpose.
  • Ensure personal data collected is accurate and complete if likely to be used to make a decision about the individual or disclosed.
  • Respond to requests by data subjects under their statutory rights, including a new right of data portability (this right is expected to come into force soon).

Data intermediaries that process personal data on behalf of another organization (i.e. data controller) pursuant to a written contract are exempt from most of the data protection obligations under the PDPA. However, data intermediaries are directly liable under two specific obligations relating to the retention (see above) and protection (see Security) of personal data.

Data protection management program (“DPMP”) and data protection impact assessment (“DPIA”) guides were published by the Commission in November 2017 and updated in September 2021.

Last modified 20 Dec 2023
Transfer

In disclosing or transferring personal data to onshore third parties (including affiliates), an organization should ensure that it has obtained the individual's deemed or express consent to such transfer (unless exemptions apply) and, if this was not done at the time the data was collected, additional consent will be required (unless exemptions apply).

It is also a requirement under the Act for organizations to enter into written agreements with their data intermediaries to whom they transfer personal data and who process such data on behalf of the organizations.

The Act also contains offshore transfer restrictions, which require an organization to ensure that the receiving organization has in place "comparable protection" to the standards set out in the Act when transferring personal data outside of Singapore. Mechanisms to achieve this include (this is not a comprehensive list): data transfer agreements (for which the Commission has released suggested sample clauses); the individual has given consent (provided required notices have been given to the individual setting out the basis upon which their data will be protected in the country or territory to which their personal data will be transferred); and where transfers are considered necessary in certain prescribed circumstances (which include in connection with performance of contracts between the transferring organization and the individual, subject to certain conditions being met). An organization may apply to be exempted from any requirement prescribed under the Act in respect of any transfer of personal data out of Singapore. An exemption may be granted on such conditions as the Commission may require.

The Amendment Act provides for a new right of data portability on electronic data (this right is expected to come into force soon). Individuals may request an organization (“Porting Organization”) to transmit certain data about them to another organization. The Porting Organization must have an ongoing relationship with the individual, and have collected or created such data.

The Commission has published guides to data sharing (covering intragroup and third party sharing) with practical nonbinding guidance on data transfer / sharing for organizations, as well as DPMP and DPIA guides (see Collection & Processing).

Last modified 20 Dec 2023
Security

Organizations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, the loss of any storage medium or device on which personal data is stored, or similar risks. Data intermediaries are also directly liable and subject to the same security obligation. The Act does not specify security measures to adopt and implement, however the Commission has issued best practice guidance which provides specific examples, including with respect to cloud computing and IT outsourcing.

Last modified 20 Dec 2023
Breach Notification

Under the current Act, where an organization has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, it must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a “notifiable data breach” (as defined in the current Act). A data breach means (a) the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur. A data breach constitutes a “notifiable data breach” if:

  1. it results in, or is likely to result in, significant harm to the affected individuals (including one that compromises personal data prescribed under the Personal Data Protection (Notification of Data Breaches) Regulations 2021); or
  2. it is of a significant scale (i.e. one that affects 500 or more individuals).

An organization must notify the Commission as soon as practicable and in any case no later than three calendar days after the day the organization makes the above assessment of a notifiable data breach. If the data breach results in, or is likely to result in, significant harm to the affected individual(s), an organization must also notify each affected individual in any manner that is reasonable in the circumstances.

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 set out the list of information to be included in notifications to the Commission and affected individuals.

Where a data breach is discovered by a data intermediary, the data intermediary must notify the organization (i.e. data controller) without undue delay from the time the data intermediary has credible grounds to believe that a data breach has occurred in relation to personal data that it is processing on behalf of and for the purposes of the organization. Upon notification by the data intermediary, the organization must conduct an assessment of whether the data breach is a notifiable data breach.

In addition, the Cybersecurity Act 2018 (“CSA”) was passed in Singapore in early 2019. The CSA primarily contains obligations applicable to organizations which have been designated as owners of critical information infrastructure. In particular, if your organization has been designated by the Cybersecurity Commissioner as the owner of a critical information infrastructure, additional obligations will apply to your organization in relation to data breach incident handling and notification. Amendments were proposed to the CSA in December 2023, with the Cybersecurity (Amendment) Bill (Bill) made available for public consultation until early January 2024. The Bill proposes imposing obligations on other operators of digital infrastructure and technology, to ensure that the CSA keeps pace with technological developments and industry practices.

Last modified 20 Dec 2023
Enforcement

Enforcement of the Act is carried out by the Commission, and includes giving directions to an organization to do any of the following:

  • Stop collection, use or disclosure of personal data in contravention of the Act;
  • Destroy personal data collected in contravention of the Act;
  • Provide or refuse access to or correction of personal data;
  • Pay a financial penalty of either up to (i) 10% of an organization’s annual turnover in Singapore for those with annual turnover in Singapore that exceeds SGD 10 million, or (ii) SGD 1 million.

These directions may be registered with the Singapore District Courts so that they may have the force and effect of an order of court.

The Commission issued revised Advisory Guidelines on Enforcement Data Protection Provisions on 1 February 2021.

Further, new criminal offences are in force to hold individuals accountable for egregious mishandling of personal data, including knowing or reckless unauthorized disclosure, unauthorised re-identification of anonymized data, or use of personal data for a gain or to cause harm or loss to another person.

Guidelines published by the Commission indicate how in practice the Commission proposes to handle complaints, reviews and investigations of breaches of the data protection rules under the Act, and to approach enforcement and sanctions. Amongst other things, they set out the Commission's enforcement objectives, and guidance regarding the mitigating and aggravating factors that the Commission will take into account when issuing directions and sanctions (for example, prompt initial response and resolution of incidents; cooperation with investigations; and breach notification). The Commission has in the past couple of years stepped up its efforts to enforce the Act, highlighting the growing risks of non-compliance with the Act in Singapore.

Directions or decisions given are subject to reconsideration by the Commission, upon written application by any aggrieved party.

Directions, decisions or reconsiderations of the Commission may also be subject to appeal to a Data Protection Appeal Committee, unless the direction or decision to be appealed is the subject of an application for reconsideration, in which case such appeal would be deemed withdrawn.

Directions may only be appealed to the High Court and Court of Appeal with regard to the following:

  • A point of law arising from a direction or decision of the Appeal Committee
  • Any direction of the Appeal Committee as to the amount of a financial penalty

Any person who has suffered loss or damage directly as a result of a contravention of the Act is also entitled to pursue a private action in court. However, where the Commission has made a decision with regard to the said loss or damage, a right of private action will only be possible after the decision has become final as a result of there being no further right of appeal. The court may grant to the plaintiff all or any of the following:

  • Relief by way of injunction or declaration
  • Damages
  • Such other relief as the court thinks fit
Last modified 20 Dec 2023
Electronic Marketing

The data protection principles in the Act apply to any marketing activities (including electronic marketing) which involve the collection, use or disclosure of personal data.

In addition, any organization or person that wishes to engage in any telemarketing activities will need to comply with the "Do Not Call" provisions under the Act. Generally, a person or organization who wishes to send marketing messages to a Singapore telephone number should first obtain the clear and unambiguous consent of the individual to the sending of the messages to such Singapore telephone number. The consent must:

  • be evidenced in written or other form so as to be accessible for subsequent reference;
  • not be a condition for supplying goods, services, land, interest or opportunity; and
  • not be obtained through the provision of false or misleading information or through deceptive or misleading practices.

In the absence of such consent, organizations must check and ensure that the telephone number is not on a Do-Not-Call register maintained by the Commission (“DNC Register”). There are also other requirements, including a duty to identify the sender of the marketing message and provide clear and accurate contact information, as well as a duty not to conceal the calling line identity of any voice calls containing such marketing messages. An individual may at any time apply to the Commission to add or remove his Singapore telephone number on the DNC Register.

Further, the current Act provides for the role of “checkers”, which are entities that provide information for gain on whether a Singapore telephone number is listed in the DNC Register for the purposes of another organization’s obligations under the Act. It imposes obligations on third party checkers, and checkers will be liable for DNC infringements resulting from any erroneous information provided by them.

The Act will apply to marketing messages addressed to a Singapore telephone number in the following circumstances:

  • The sender of the marketing message is present in Singapore when the message is sent.
  • The recipient of the marketing message is present in Singapore when the message is accessed.

Electronic marketing activities are also regulated under the Spam Control Act 2007 ("SCA"), to the extent that such activities involve the sending of unsolicited commercial communications in bulk by electronic mail or by SMS or MMS to a mobile telephone number.

The DNC provisions under the current Act include a prohibition on sending messages to telephone numbers generated or obtained through dictionary attacks (generating telephone numbers by combining numbers into numerous permutations) or address-harvesting software. Related amendments to the SCA to prohibit sending unsolicited electronic messages to instant messaging accounts are also in force.

The Commission issued the revised Advisory Guidelines on the Do Not Call Provisions on February 1, 2021.

Last modified 20 Dec 2023
Online Privacy

Currently, there are no specific requirements relating to online privacy (including cookies and location) under the Act. Nevertheless, an organization that wishes to engage in any online activity that involves the collection, use or disclosure of personal data will still need to comply with the general data protection obligations under the Act. For example, if an organization intends to use cookies to collect personal data, it must obtain consent before use of any such cookies. For details of the consent required, please see Collection & Processing. The Commission has published nonbinding guidelines providing practical tips on pertinent topics such as securing electronic personal data, building websites, the capture of IP addresses and the use of cookies.

Last modified 20 Dec 2023
Contacts
Carolyn Bigg
Partner, Global Co-Chair of Data Protection, Privacy and Security Group
T +852 2103 0576
Yue Lin Lee
Senior Associate
T +852 2103 0890
Last modified 20 Dec 2023