Singapore finally passes personal data protection bill

The Singapore parliament on Monday night finally passed the personal data protection bill that is designed to safeguard an individual's personal data against misuse. It encompasses a national Do-Not-Call registry and a new enforcement agency will be tasked to regulate the management of personal data by businesses and impose financial penalties.

In his speech, Yaacob Ibrahim, the Minister for Information, Communications and the Arts (MICA), said Singapore had adopted a sectoral approach to data protection, but there was need for a general data protection framework to ensure a baseline standard of protection for personal data across the economy.

Personal data is defined as data that relates to an identifiable individual, whether the data is stored in electronic or non-electronic form.

Singapore's personal data protection law will give individuals more control over their personal data, since they have to give consent and be informed of the purposes for which organizations collect, use, or disclose the information.

They can seek compensation for damages directly suffered from a breach of the data protection rules through private rights of action.

The Bill applies to all organizations across the private sector, but does not cover the public sector which already has its own set of data protection rules with which all public officers must comply, MICA said.

In order to tackle the issue of unsolicited telemarketing calls and messages, a National Do-Not-Call (DNC) Registry will be created by early 2014. The registry prohibits organizations in Singapore from sending specified messages to any Singapore telephone number registered with the DNC, unless the owner of the telephone number has given consent to be contacted for marketing purposes.

A Personal Data Protection Commission (PDPC) will also be set up to serve as the country's main authority on matters relating to personal data protection and enforce data protection rules. If an organization is non-compliant, the PDPC may impose a maximum financial penalty of S$1 million (US$818,150).

Companies found to have violated the data protection rule may be fined up to S$10,000 (US$8,181) per customer complaint.

To give time for businesses to adjust, the data protection law will be implemented in a phased approach, Yaacob said. It is slated to become an official Act by January next year, while enforcement is scheduled to begin mid-2014.

The minister added that a data protection law will enhance the country's competitiveness and strengthen its position as a trusted business hub. He said this put Singapore on par with others that had already enacted data protection legislation, such as Canada, New Zealand, Hong Kong, which data protection frameworks were studied by MICA.

The Singapore Data Protection Law had been a long time coming. The government's review of data protection legislation in the country was first mooted during the early 2000s and was finally completed in February 2011 to be put up for parliamentary debate.

The Bill went through three rounds of public consultations for input, conducted by MICA, where the third and final round was held in March this year and finalized on Apr. 30.

It was only last month that the proposed Personal Data Protection Act (PDPA) got its first reading in Parliament.