Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

THAILAND: First PDPA Enforcement in Thailand: A Landmark Case
https://privacymatters.dlapiper.com/2024/08/thailand-first-pdpa-enforcement-in-thailand-a-landmark-case/
Tue, 27 Aug 2024 06:33:25 +0000

On August 21, 2024, the second expert committee appointed under the Thai Personal Data Protection Act (PDPA) of 2019 issued an administrative fine to a major private company involved in online sales. The company allowed a significant amount of personal data to leak to call center gangs without implementing adequate security measures as required by the PDPA. The committee imposed the maximum administrative fine of 7 million baht (approximately $205,520) for the following offences:

  1. Failure to Appoint a Data Protection Officer (DPO): The company collected personal data from over 100,000 customers and used it for its core business operations but did not appoint a DPO as required by law. This failure hindered the company’s ability to address data breaches effectively.
  2. Inadequate Security Measures: The company lacked appropriate security measures as mandated by the PDPA, leading to data leaks to call center gangs and causing widespread damage.
  3. Failure to Report Data Breaches: The company ignored complaints from data subjects and delayed reporting the breaches to the PDPC, preventing timely remediation.

In addition to the 7 million baht fine, the second expert committee ordered the company to enhance its security measures to prevent future data leaks. The company must also train its staff, update security measures to keep pace with technological changes, and report these improvements to the PDPC within 7 days of receiving the order.

This administrative fine is the first of its kind imposed on a major private company by the second expert committee since the PDPA came into effect. It aligns with the principles of the European Union’s General Data Protection Regulation (GDPR).

Minister Prasert emphasized that the fine aims to protect the public from call center scams and data leaks, which have been major issues in Thailand over the past two years. The fine serves as a warning to both public and private entities to report data breaches to the PDPC as required by law. This case sets a standard for handling data leaks in the future.

The minister also noted that this enforcement action will raise awareness among public and private sectors about the importance of complying with the PDPA. It is part of broader measures to combat call center scams that misuse personal data. Additionally, these measures will help mitigate the damage to data subjects and build public trust in the use of personal data online.

Singapore: Higher Fines for Breach of Personal Data Protection Act 2012 (PDPA) – up to 10% of Singapore Turnover
https://privacymatters.dlapiper.com/2022/04/singapore-higher-fines-for-breach-of-personal-data-protection-act-2012-pdpa-up-to-10-of-singapore-turnover/
Mon, 11 Apr 2022 07:58:34 +0000

Authors: Carolyn Bigg, Yue Lin Lee, Gwyneth To

Increased financial penalties

From 1 October 2022, companies that breach the PDPA may face fines of up to:

  • SGD 1 million; or
  • where the organisation’s annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation’s Singapore turnover.

Penalties imposed under the PDPA could potentially be more stringent compared to the GDPR, which currently imposes fines of up to €20 million or 4% of worldwide turnover, whichever is higher.

Given these higher financial penalties, organisations collecting, using or disclosing personal data in Singapore are recommended to carefully review their existing data protection programmes and processes to ensure compliance with the PDPA.

In practice, the Personal Data Protection Commission (“PDPC”) takes a proactive approach in enforcing the PDPA. Enforcement priorities include ensuring compliance with:

  • the Protection Obligation (i.e. putting in place reasonable security arrangements to prevent unauthorised access, collection, use, disclosure etc. of personal data); and
  • the Transfer Limitation Obligation (i.e. the requirement to ensure personal data being transferred outside of Singapore receives a standard of protection comparable to that required under the PDPA).

Given the PDPA has now been in force for some time, the PDPC has been ramping up enforcement efforts and does actively enforce breaches of the PDPA. To date, there have been 201 published decisions from 2016 relating to various breaches of the PDPA.

Thus far, the biggest financial penalty imposed on an organisation for breaches of the PDPA was imposed on an IT vendor for failing to put in place reasonable security arrangements to protect the personal data of individuals. The financial penalty imposed on the IT vendor by the PDPC in that matter amounted to S$750,000.

Other anticipated changes

In addition, in a sign that cyberspace and online safety are becoming an increasing focus of the Singapore government, MCI also announced a review of the Cybersecurity Act and its accompanying Code of Practice as well as plans to introduce codes of practice in areas such as online child safety and platform accountability.

It is expected that public consultation on the Cybersecurity Act will commence in 2023.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.
