Imminent Changes to Singapore's Cybersecurity Act: New Obligations on Service Providers
https://privacymatters.dlapiper.com/2023/12/imminent-changes-to-singapores-cybersecurity-act-new-obligations-on-service-providers/
Thu, 28 Dec 2023 11:42:11 +0000

Since the enactment of Singapore's Cybersecurity Act (Act) in August 2018, the digital battlefield has transformed dramatically. The nation's move towards digitalisation has not only spurred the growth of Singapore's digital economy but also brought new cyber threats and challenges to the fore.

Given this, the Cyber Security Agency of Singapore (CSA) launched a public consultation on the draft Cybersecurity (Amendment) Bill (Draft Bill) on 15 December 2023 to address the evolving cyber threat landscape. The public consultation will close on 15 January 2024.

Key changes proposed in the Draft Bill

  • Introducing a new category of “non-provider-owned Critical Information Infrastructure (CII)”: The Draft Bill acknowledges the paradigm shift in the business models of essential service providers, which are increasingly leveraging third-party vendors’ computer systems rather than owning their own CIIs.

    The Draft Bill distinguishes between conventional “provider-owned CII” (Provider-owned CII) and “non-provider-owned CII” (Non-provider-owned CII).

    Under the new Part 3A of the Draft Bill, essential service providers utilizing Non-provider-owned CII will be ultimately responsible for the cybersecurity of Non-provider-owned CII. They will be required to obtain legally binding commitments from their computing vendors to ensure that they can fully meet their cybersecurity obligations under the Draft Bill.
  • Broadening incident reporting requirements for CIIs: The CSA is proposing to expand the incident reporting framework to improve its awareness of cyber threats.

    The current focus of the Act is on CIIs and their interconnected systems. The Draft Bill aims to extend the notification requirements to the Commissioner of Cybersecurity (Commissioner) to include incidents involving other computers or computer systems under the control of CII owners or essential service providers (as the case may be), regardless of whether those systems are interconnected to or communicate with CIIs.
  • Widening oversight of the Commissioner beyond CII owners: The CSA proposes broadening its regulatory reach beyond owners of CIIs to include other pivotal systems that underpin Singapore's cyber ecosystem. The Draft Bill introduces three new categories for CSA oversight:
    • Foundational Digital Infrastructure (FDI): This category includes digital infrastructure, namely cloud computing and data facility services that enhance the availability, latency, throughput, or security of digital services, which, while not currently designated as CII, are integral to Singapore’s technology stacks. The compromise of these FDI could have a cascading effect on a wide range of systems.

      The Commissioner will designate a provider a “major FDI service provider” if the Commissioner is satisfied that the FDI service is provided to or from Singapore, and its impairment or loss could lead to or cause disruption to a large number of businesses or organisations. If passed, these provisions are likely to affect leading data centre operators and cloud service providers in the market.
    • Entities of Special Cybersecurity Interest (ESCI): These are entities that handle sensitive data or perform critical functions for Singapore that, if disrupted, would have a significant detrimental effect on Singapore’s defence, foreign relations, economy, public health, safety, or order. For example, entities collaborating with the Singapore Government and holding sensitive data may potentially fall under the ambit of the provisions.
    • Systems of Temporary Cybersecurity Concern (STCC): These are computer systems that are temporarily critical to the nation’s interests, for instance, when they provide support for key international events like the World Economic Forum. Such systems are at heightened risk of cybersecurity threat or incident that would have a serious detrimental effect on the national security, defence, foreign relations, economy, public health, safety or order of Singapore.

      The Commissioner may designate a system as a STCC for up to one year with the option for extensions, which differs from the typical 5-year term for other designations.

      Generally speaking, regardless of categorisation, designated providers/entities under these new categories are expected to adhere to duties comparable to those imposed on CII providers, including providing the Commissioner with system information, complying with prescribed codes of practice and standards, and notifying the CSA of relevant cybersecurity incidents.

      Notably, while non-compliance with obligations concerning FDI and ESCI might result in financial penalties, the Draft Bill proposes that non-compliance in relation to an STCC would be a criminal offence.
  • Expanding jurisdiction to cover offshore CIIs and FDIs: The CSA has proposed to confer power upon the Commissioner to designate computers or computer systems as CIIs/major FDIs, even if the computer systems are located wholly outside Singapore. 

    Providers which have infrastructure offshore may soon be caught by the expanded territorial scope if the Bill is passed unamended.

Conclusion

The Draft Bill represents a proactive and adaptive response by the CSA to the dynamic and rapidly evolving cybersecurity landscape and associated challenges.

Companies in the business of digital infrastructure and systems may soon find themselves subject to new and onerous obligations under the amended Act, increasing compliance costs. It is vital for businesses to remain agile and adopt proactive measures to steer through the evolving regulatory waters.

The Draft Bill may be accessed here: cybersecurity-(amendment)-bill-2023_for-public-consultations.pdf (csa.gov.sg)

Please contact Carolyn Bigg (Partner), Lauren Hurcombe (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

DLA Piper Singapore Pte. Ltd. is licensed to operate as a foreign law practice in Singapore. Where advice on Singapore law is required, we will refer the matter to and work with licensed Singapore law practices where necessary.

SINGAPORE: First decision on the Legitimate Interest Exception under the Personal Data Protection Act (PDPA) issued
https://privacymatters.dlapiper.com/2023/03/singapore-first-decision-on-the-legitimate-interest-exception-under-the-personal-data-protection-act-pdpa-issued/
Tue, 07 Mar 2023 02:11:46 +0000

Authors: Carolyn Bigg, Yue Lin Lee and Daisy Wong

Singapore’s Personal Data Protection Commission (“PDPC”) has issued its first decision on the Legitimate Interests Exception under the PDPA.

While the PDPA remains largely a consent-based regime, the Legitimate Interests Exception is one of the exceptions from consent available under the PDPA.

This RedMart decision illustrates how organisations may rely on the Legitimate Interests Exception to collect personal data, as well as the steps which must be taken by the organisation in order to rely on the Legitimate Interests Exception.

The decision concerned a complaint against RedMart Limited (“RedMart”) for collecting the photographs of identification documents (“ID Photographs”) of its suppliers delivering goods and produce to its warehouses without obtaining the consent of its suppliers. RedMart is an online grocery company, selling a range of dry household products.

In the PDPC’s preliminary decision, RedMart was given directions to assess its collection of the ID Photographs.

However, the PDPC was subsequently satisfied that RedMart had not breached the PDPA, as RedMart’s collection of ID Photographs had met the requirements under the Legitimate Interests Exception:

  1. RedMart had a legitimate interest in deterring food security incidents at the warehouses, in which there were areas storing dry food and fresh produce that were vulnerable to contamination and tampering;
  2. RedMart may have a legitimate interest in implementing enhanced identification requirements (collection of ID Photographs) in order to establish/verify the identities of visitors to a high degree of fidelity and to regulate access to areas with a higher risk of food security incidents. RedMart has an interest in deterring and investigating potential food security incidents which could cause harm to the public and damage to RedMart's reputation; and
  3. RedMart had implemented a range of measures and enhanced access controls (e.g. restricting access to the tablets used for data collection, limiting access to the ID Photographs to designated personnel, retaining the ID Photographs on their database for a limited period only) to significantly lower the risks of unauthorised access, use and/or disclosure of information of a sensitive nature such as the ID Photographs.
Key takeaways

Organisations intending to rely on the Legitimate Interests Exception must:

  • establish a standardised process for conducting and assessing the basis upon which they will be relying on this exception; and
  • ensure that appropriate measures are implemented to mitigate against any risks and adverse effects on individuals.

To recap, in order to rely on the Legitimate Interests Exception, organisations must:

  1. evaluate whether the collection of such data is reasonably necessary for the organisation’s legitimate interest;
  2. identify whether the collection of such data is likely to have an adverse effect on the individual(s), and if so, identify reasonable measures that could be implemented to eliminate, mitigate, or reduce the likelihood of occurrence of any such adverse effect(s);
  3. determine whether the organisation’s legitimate interest served by the collection of such data outweighs the adverse effect(s) to the individual(s) after implementing reasonable mitigation measures; and
  4. provide the individual(s) with reasonable access to information about the organisation’s collection, use or disclosure of such personal data (e.g. by way of disclosure in its public data protection policy).

The PDPC’s decision may be accessed here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

SINGAPORE: Increased financial penalties under the PDPA now in effect
https://privacymatters.dlapiper.com/2022/10/singapore-increased-financial-penalties-under-the-pdpa-now-in-effect/
Wed, 05 Oct 2022 09:44:17 +0000

Authors: Carolyn Bigg, Yue Lin Lee

The provision setting out significantly higher financial penalties for Singapore’s Personal Data Protection Act 2012 (“PDPA”) is now in force.

There is now an increased risk for organisations contravening the PDPA in Singapore.

This means that in relation to any intentional or negligent contravention of:

  1. the data protection provisions, organisations may now have to pay a financial penalty of up to SGD 1 million or 10% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 10 million), whichever is higher;
  2. the do-not-call provisions involving the use of dictionary attacks and address-harvesting software:
    • individuals may now have to pay a financial penalty of up to SGD 200,000; and
    • organisations, a financial penalty of up to SGD 1 million or 5% of the organisation’s annual turnover in Singapore (where the organisation’s annual turnover in Singapore exceeds SGD 20 million).

To recap, when the Personal Data Protection Commission is deciding whether a financial penalty is warranted, they will, among other things:

  1. assess the incident based on the principles of harm and culpability:
    • “Harm” includes the number of affected individuals, categories of affected personal data, duration of the incident etc.;
    • “Culpability” refers to the organisation’s conduct in the incident. The PDPC will consider the nature of the specific breach of the PDPA as well as the organisation’s overall compliance with the PDPA; and
  2. consider other relevant factors such as whether the organisation or person took any action to mitigate the effects and consequences of the non-compliance.

Key takeaways

Given the higher financial penalties, organisations must:

  • review their policies and practices for compliance with the new provision; and
  • update employees about the increased penalties and the accompanying increased risk for the organisation.

You may access the revised financial penalties here, and the Advisory Guidelines on Enforcement of the Data Protection Provisions here.

You may access our previous alert regarding the increased financial penalties here.

Please contact Carolyn Bigg (Partner) or Yue Lin Lee (Senior Associate) if you have any questions or to see what this means for your organisation.

Singapore: Higher Fines for Breach of Personal Data Protection Act 2012 (PDPA) – up to 10% of Singapore Turnover
https://privacymatters.dlapiper.com/2022/04/singapore-higher-fines-for-breach-of-personal-data-protection-act-2012-pdpa-up-to-10-of-singapore-turnover/
Mon, 11 Apr 2022 07:58:34 +0000

Authors: Carolyn Bigg, Yue Lin Lee, Gwyneth To

Increased financial penalties

From 1 October 2022, companies that breach the PDPA may face fines of up to:

  • SGD 1 million; or
  • where the organisation’s annual turnover in Singapore exceeds SGD 10 million, 10% of the organisation’s Singapore turnover.

Penalties imposed under the PDPA could potentially be more stringent than those under the GDPR, which currently imposes fines of up to €20 million or 4% of worldwide turnover, whichever is higher.

Given these higher financial penalties, organisations collecting, using or disclosing personal data in Singapore are recommended to carefully review their existing data protection programmes and processes to ensure compliance with the PDPA.

In practice, the Personal Data Protection Commission (“PDPC“) takes a proactive approach in enforcing the PDPA. Enforcement priorities include ensuring compliance with:

  • the Protection Obligation (i.e. putting in place reasonable security arrangements to prevent unauthorised access, collection, use, disclosure etc. of personal data); and
  • the Transfer Limitation Obligation (i.e. the requirement to ensure personal data being transferred outside of Singapore receives a standard of protection comparable to that required under the PDPA).

Given the PDPA has now been in force for some time, the PDPC has been ramping up enforcement efforts and does actively enforce breaches of the PDPA. To date, there have been 201 published decisions from 2016 relating to various breaches of the PDPA.

Thus far, the biggest financial penalty imposed on an organisation for breaches of the PDPA was imposed on an IT vendor for failing to put in place reasonable security arrangements to protect the personal data of individuals. The financial penalty imposed on the IT vendor by the PDPC in that matter amounted to S$750,000.

Other anticipated changes

In addition, in a sign that cyberspace and online safety are becoming an increasing focus of the Singapore government, the Ministry of Communications and Information (MCI) also announced a review of the Cybersecurity Act and its accompanying Code of Practice, as well as plans to introduce codes of practice in areas such as online child safety and platform accountability.

It is expected that public consultation on the Cybersecurity Act will commence in 2023.
