Amendments to the PDPA significantly change Singapore’s data protection landscape, including mandatory data breach notification and criminal offences for mishandling of personal data.

By Farhana Sharmeen, Esther Franks, and Gen Huong Tan

On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 (the Act) took effect, implementing the following changes to the Personal Data Protection Act in 2012 (PDPA):

   •  Strengthened enforcement powers for the Personal Data Protection Commission (PDPC)

   •  New criminal offences for individuals for egregious mishandling of personal data

   •  Mandatory data breach notification requirements

   •  New provisions for “deemed” (i.e., implied) consent and exceptions to the PDPA consent requirements, namely the “legitimate interests” exception and “business improvement” exception

Other changes from the Act have yet to take effect but are expected to be introduced in phases. These include:

• Increased financial penalties for companies in breach of the PDPA
• A new right of data portability for individuals