
PDPC Issues Guide to Active Enforcement

Date
May 31, 2019
Author
OrionW

On 22 May 2019, the Personal Data Protection Commission (PDPC) released its new Guide to Active Enforcement (Guide), which provides an overview of the PDPC’s active enforcement framework for breaches of the Personal Data Protection Act 2012 (PDPA).  The Guide promotes facilitation and mediation between parties to a dispute, introduces an expedited breach decision process and sets out the factors to be considered by the PDPC when imposing financial penalties on erring organisations.

Facilitation and Mediation

The PDPC encourages communication between parties to resolve private data protection issues.  If the issue is not resolved, the PDPC may refer the matter for mediation with the parties’ consent.  If the PDPC deems facilitation or mediation to be inappropriate based on the circumstances, the PDPC may conduct a full investigation at the outset.

Types of Enforcement Actions

The PDPC may implement or impose one of the following enforcement actions as appropriate:

  • Suspension or discontinuation of the investigation

The PDPC will issue an advisory notice that an investigation is suspended or discontinued when the impact of a potential breach is assessed to be low or the circumstances provided for under Section 50[1] of the PDPA exist.

  • Undertaking

The PDPC or an organisation may initiate an undertaking process in certain cases.  The undertaking process includes a written agreement between the PDPC and the relevant organisation wherein the organisation promises to rectify the breach(es) and implement measures to prevent recurrence.  The minimum contents of the written agreement are listed in the Guide.

If an organisation initiates the undertaking process, it must do so immediately after it becomes aware of the incident, i.e., at the start, or during the early stages, of an investigation and must have a remediation plan ready.

In determining whether to accept an undertaking, the PDPC shall consider the effectiveness of the organisation’s remediation plan and the organisation’s willingness to implement it.  The request may also be denied under certain circumstances as listed in the Guide, including where an organisation does not accept responsibility for the data breach.

  • Expedited Breach Decision

If an organisation admits liability for violating the PDPA, it may, at the start of an investigation, request the PDPC to issue an expedited decision.  The PDPC may grant such request under the following circumstances:

  • the violation is limited to the organisation’s failure to appoint a Data Protection Officer or to have a Privacy Policy; or
  • the data breach is similar to previous cases with similar categories of facts (such as personal data disclosed via email, poor password policies, etc.).

  • Full Investigation Process

If a case is not resolved during facilitation and mediation, or if it is a high impact case, the PDPC may conduct a full investigation.  High impact cases are cases which affect a large number of individuals and cause significant harm.

If a breach is established, the PDPC may impose one of the following actions on the erring organisation: a warning, directions only, financial penalties only, or directions together with financial penalties.

Financial Penalties

Financial penalties are imposed to penalise erring organisations and prevent non-compliance; they are only imposed for particularly serious breaches.

The PDPC has adopted the following principles to determine the amount of a financial penalty:

  • The amount should be proportionate to the seriousness of the breach and sufficient to deter breaches or non-compliance.
  • The amount should account for any aggravating or mitigating factors which may increase or reduce the financial penalty.
  • The cooperativeness of the organisation and the implementation of available remedial actions should be considered.
  • Whether there was timely voluntary notification of data breach or whether the organisation freely admitted to its liability.
  • Whether the organisation reached out to the affected individuals to offer a remedy or other similar assistance, and whether the individual accepted the offer.

[1] Under Section 50(3) of the PDPA, the PDPC may suspend, discontinue or refuse to conduct an investigation if it thinks fit, including but not limited to any of the following circumstances:

  1. The complainant has not complied with a direction under Section 27(2);
  2. The parties involved in the matter have mutually agreed to settle the matter;
  3. Any party involved in the matter has commenced legal proceedings against another party in respect of any contravention or alleged contravention of the PDPA by the other party;
  4. The PDPC is of the opinion that the matter may be more appropriately investigated by another regulatory authority and has referred the matter to that authority; or
  5. The PDPC is of the opinion that:
     (i) a complaint is frivolous or vexatious or is not made in good faith; or
     (ii) any other circumstances warrant refusing to conduct, suspending or discontinuing the investigation.
