Increased maximum financial penalties under Personal Data Protection Act 2012 from 1 October 2022

2 November 2022

With effect from 1 October 2022, the maximum financial penalties which the Personal Data Protection Commission (“PDPC”) may impose have increased as follows:

• Data protection provisions: In the case of contravention of Parts 3, 4, 5, 6, 6A or 6B of the Personal Data Protection Act 2012 (“PDPA”), which set out the obligations of organisations relating to data protection (including the obligation to protect and care for personal data, and to conduct assessments of data breaches), the maximum financial penalty that may be imposed:
  • on an organisation whose annual turnover in Singapore exceeds S$10 million is 10% of the organisation’s annual turnover in Singapore, if the contravention occurs on or after 1 October 2022; and
  • in any other case is S$1 million.
• Do Not Call provisions: In the case of contravention of Part 9 of the PDPA, which relates to obligations of organisations relating to the sending of certain marketing messages to Singapore telephone numbers, the maximum financial penalty that may be imposed:
  • in the case of an individual is S$200,000; and
  • in any other case is S$1 million.
• Using dictionary attacks and address-harvesting software: In the case of contravention of section 48B(1) of the PDPA, which prohibits the sending of messages to any telephone number that is generated or obtained through the use of address-harvesting software, and the use of dictionary attacks or similar automated means to send messages indiscriminately, the maximum financial penalty that may be imposed:
  • in the case of an individual is S$200,000;
  • on a person whose annual turnover in Singapore exceeds S$20 million is 5% of the person’s annual turnover in Singapore; and
  • in any other case is S$1 million.

An organisation’s annual turnover in Singapore will be ascertained by PDPC from the organisation’s most recent audited accounts available at the time the financial penalty is imposed.

Following these latest amendments to the PDPA, PDPC has updated the Advisory Guidelines on Enforcement of the Data Protection Provisions and the Guide on Active Enforcement which articulate PDPC’s interpretation and enforcement approach to help organisations in their compliance with the PDPA.

By way of background, the Personal Data Protection (Amendment) Act 2020 (“Amendment Act”) was gazetted on 10 December 2020. While most of the provisions in the Amendment Act have since come into force on 1 February 2021, there are different dates of commencement for several sections, for example in relation to these increased financial penalties.

On the new data portability obligation (new Part 6B of the PDPA), the commencement date has yet to be announced. For more information, please refer to our previous article titled “Expected date of commencement of Personal Data Protection (Amendment) Bill, and preparatory steps for organisations” on our recommendations on preparatory steps for organisations to consider undertaking.

Reference materials 

The following materials are available on the PDPC website www.pdpc.gov.sg and Singapore Statutes Online sso.agc.gov.sg:

• Personal Data Protection Act 2012
• Personal Data Protection (Amendment) Act 2020 (Commencement) Notification 2022
• Personal Data Protection (Amendment) Act 2020
• Personal Data Protection (Enforcement) (Amendment) Regulations 2022
• Personal Data Protection (Enforcement) Regulations 2021
• Advisory Guidelines on Enforcement of the Data Protection Provisions (revised on 1 October 2022) 
• Guide on Active Enforcement (revised on 1 October 2022)