Data Protection Enforcement in Singapore

Since it began publishing its enforcement decisions in 2016, Singapore's Personal Data Protection Commission has made public 76 of its decisions: 22 in 2016, 19 in 2017, 29 in 2018 and a relatively sedate six so far in 2019 (but with undoubtedly more to come).

As one might expect for a subject which was largely unknown to us until the advent of the internet, the chief culprits among those who have come under the PDPC's scrutiny have been the providers of IT services (mainly those involved in website design and hosting). Other sectors which feature prominently in the decisions are intensive users of personal data: retailers, financial services, real estate (primarily real estate management) and, perhaps surprisingly, professional associations (inadvertently disclosing member details), as the chart shows below.

Spotlight on Health.png

Spotlight on Health Services

Health services do not figure highly in the number of enforcement actions, but dwarf all other sectors in terms of the magnitude of fines the sector has attracted. Following a well-publicised incident involving SingHealth last year, for example, the fines imposed by the PDPC exceeded all those imposed between 2016 and 2018 put together. We can expect the health services sector to come under further scrutiny when the PDPC's investigation of a data breach involving the disclosure of 800,000 blood donors held by Singapore’s Health Sciences Authority is concluded.

Recurring Themes

One of the recurring themes to emerge from the PDPC's decisions is the common misconception, amongst smaller businesses, in particular, that a privacy policy, on its own, is enough to comply with the obligation to develop and implement policies and practices with respect to the handling and processing of personal data. Many small businesses fall into the trap of thinking that if they develop a privacy policy they have complied with the law. They haven't. Bud Cosmetics were fined SGD 11,000 for that mistake, and we can expect the PDPC to increase the fines it imposes for this type of error, in order to, as Voltaire has put it: 'encourager les autres' ('encourage the others'). It is, sadly, inevitable that someone will be made a costly example.

Another theme likely to feature more prominently in future decisions is cross-border data transfer. Many businesses are understandably keen to develop online trading, and are only too happy to engage the services of a website hosting service outside of Singapore, but fail to consider the implications of doing so. Do the laws governing a website hosted outside of Singapore provide protection comparable to Singapore data protection law, for example? If not, that is, in itself, a breach of section 26 of Singapore's Personal Data Protection Act, as the hapless Bud Cosmetics recently found to its regret.

Patience has its limits

It is worth noting that the PDPC is still being relatively generous with the penalties it imposes, often issuing warnings and directing remedial steps, if they have not already been taken by the time its decision is issued. That will undoubtedly change over time, however. What remains to be seen is how much patience the PDPC is prepared to exercise as it waits for Singapore's business community to get its data protection house in order. An uneducated guess is that, more than six years after the Personal Data Protection Act came into force, that patience is now starting to wear a bit thin.

If you have any questions or concerns, please email us at