PDPA – Singapore’s data protection law, in brief
Singapore’s Personal Data Protection Act (PDPA) is one of the veteran data privacy laws of the world. Passed in 2012 and fully effective since 2014, it predates the EU’s General Data Protection Regulation (GDPR) and shares with the earlier EU ePrivacy Directive some of the same requirements behind its personal data protection and governance.
In short, Singapore’s PDPA regulates the collection, use and disclosure of personal data in Singapore by giving enforceable rights to users, placing the responsibility of lawful data processing on the shoulders of websites, companies and organizations anywhere in the world that process personal data from inside Singapore, regulating the transfer of personal data outside of Singapore, and establishing the Personal Data Protection Commission (PDPC) as main enforcement authority.
Singapore’s PDPA quick breakdown –
- Singapore’s PDPA took full effect on July 2, 2014.
- Singapore’s PDPA governs all collection, use and disclosure (e.g. sharing with third parties) of personal data from inside Singapore. It applies to any organization located anywhere in the world (websites, companies, associations etc.) that handle personal data from users located inside the territory of Singapore.
- Singapore’s PDPA empowers users in Singapore with the right to give and revoke consent to the processing of their personal data, the right to access personal data already collected, and the right to correct inaccurate personal data.
- Singapore’s PDPA defines consent as an informed action on part of the user, either affirmatively or deemed (implied).
- Singapore’s PDPA defines personal data broadly as data about an individual who can be identified from that data or from other information that is accessible to an organization. However, the PDPC has decided that certain types of personal data are more sensitive in nature and requires a higher standard of protection.
- Singapore’s PDPA establishes the Personal Data Protection Commission (PDPC) as its main authority, with responsibilities of enforcement, supervision, data privacy consultancy and government advisory.
- Singapore’s PDPA prohibits transfers of personal data outside Singapore, unless the place of transfer is able to ensure the same level of data protection as under the Singapore PDPA.
- Singapore’s PDPA was amended in 2020 to include mandatory data breach notifications, an expanded deemed consent framework, exceptions to consent for legitimate interests, increased financial penalties for non-compliance and a new right to data portability for users inside Singapore.
Singapore’s PDPA and Consent Obligation
The consent obligation is a key part of Singapore’s PDPA – a crucial compliance requirement that websites anywhere in the world processing personal data from users in Singapore must be aware of.
In short, the consent obligation (spelled out in PDPA sections 13-17) means that your website is only allowed to handle personal data from users inside Singapore if users give, or is deemed to have given, their prior consent.
Under Singapore’s PDPA, consent can either be affirmative or deemed, meaning that if users have already been informed by you about your website’s intended collection and purposes for collection, but have not opted out of the processing, you are safe to deem their inaction as consent.
In general, for user consents to be valid under the PDPA –
- you must first inform users about your website’s intended processing (collection, use or disclosure of their personal data),
- you must inform users about the purposes of processing, including any other purpose that the users haven’t been informed about in the initial collection notification,
- you must notify users at or before the time of collection,
- users must be able to withdraw their consent at any given time,
- and you are not allowed to make consent conditional for providing a product or service.
Using cookies and trackers, especially third-party cookies from popular third-party services, means that your website collects and shares personal data, such as IP addresses, unique IDs, search and browser history and much more.
If a visitor to your website is from inside Singapore, you are required to first obtain their consent before activating any of these cookies and trackers (any but the ones strictly necessary for the function of your domain).
Scan your website for free with Cookiebot CMP
Test to see which cookies and trackers are in use on your website, what kind of personal data they process and where in the world you send it to by using the free Cookiebot GDPR compliance test.
Simply enter the URL of your website and receive a free scan of up to five subpages, detecting all cookies in operation on these pages.
Most website owners and operators are surprised to find out that their domain hosts many more cookies, trackers and trojan horses than they thought, because –
72% of all trackers on websites are secretly loaded by third-party cookies.
18% of cookies on websites are so-called trojan horses that hide as deep as within eight other trackers, making them undetectable without a powerful scanning technology.
50% of trojan trackers will change between repeated user visits, meaning they can have changed provider, purpose and be collecting totally different kinds of personal data than what the user initially consented to.
Source: Beyond the Front Page, a 2020 research paper on website cookies.
Singapore’s PDPA amended in 2020
On November 2, the Singapore Parliament passed an amendment bill to the Personal Data Protection Act (PDPA). While the amendments await royal assent to become fully effective, the changes to the PDPA come with no grace period and websites will need to comply straight away once the amended PDPA takes effect.
The new PDPA amendments include –
- Deemed consent by notification – expanding the framework around deemed consent to include a requirement to notify users of new purposes for collection and enable users to opt out.
- Mandatory data breach notification – requiring websites, companies and organizations to notify users and the PDPC of data breaches within three days.
- Exception to consent for legitimate interests – organizations can rely on the exception provided by legitimate interests to collect, use or disclose personal data, but must follow the PDPC’s advisory guidelines to do so.
- Increased financial penalties – increasing the fine of non-compliance with PDPA to 10% of the annual turnover of the organization with an annual turnover exceeding $10 million, or $1 million, whichever is highest.
- New data portability right – users in Singapore will be able to have collected data made portable and transferable to other organizations upon request.
On November 20, following the passing of the PDPA amendments in Parliament, the Personal Data Protection Commission (PDPC) issued a set of draft advisory guidelines on key provisions of amendments that altogether clarify the changes and specify how to be in PDPA compliance going forward.
PDPA compliance with Cookiebot CMP
Cookiebot CMP automatically controls all user consent on your website
Cookiebot CMP is the world’s leading consent management platform that ensures full compliance for your website with all major data privacy laws, such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA and Singapore’s PDPA.
Built around a powerful scanner that detects all cookies and trackers in operation on your domain, our solution automatically manages all user consents on your website through highly customizable interfaces that meet all PDPA requirements on information, notification and consent.
Using our CMP on your website gives you –
- auto-blocking of all cookies and trackers for true prior consent for users in Singapore
- granular consent interface for easy user consent to cookies
- cookie declaration for PDPA notification requirements, including provider, purpose, duration and type of each cookie
- automatic renewal of user consents
If your website has users from Singapore, Cookiebot CMP will automatically geotarget their location and present the correct consent framework in compliance with the PDPA.
Singapore’s PDPA, in detail
Let’s take a closer look at the different aspects of Singapore’s Personal Data Protection Act (PDPA) – how personal data is defined, how consent is defined (with 2020 amendments) and how the PDPA regulations clarify compliance.
Singapore’s PDPA and data privacy regime
Singapore was one of the first countries to implement a data privacy law that not only protects the collection and processing of personal data inside of its territory, but also puts enforceable responsibility on “organizations” (defined in the PDPA to include individuals, websites, companies, associations and more, located anywhere in the world).
The PDPA, drafted in 2012 and in full effect since July 2014, also serves as a so-called “spam law”, establishing the Do Not Call (DNC) Registry that Singaporeans can use to opt-out of unsolicited marketing.
Even though the PDPA shares key provisions with the EU’s ePrivacy Directive and the later GDPR, Singapore is not recognized by the EU as having an adequate level of data protection and ranks as a third country in regard to the flow of data between the two territories.
Want to know more about Singapore’s PDPA vs EU’s GDPR?
Take a look at Singapore’s Personal Data Protection Commission (PDPC) handy infographic comparison of the PDPA and EU’s GDPR that details the differences between the two data privacy laws’ consent requirements and exceptions.
Personal data under Singapore’s PDPA
Personal data is defined in Singapore’s Personal Data Protection Act very broadly as “data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organization has or is likely to have access,” including but not limited to –
- Names, addresses, email addresses, telephone numbers,
- IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data,
- Information about age, gender, race, health, sexual orientation, appearance, political and religious convictions.
Exempt from the PDPA is personal data entered into a business contract (defined instead as business contract information), personal data that is more than 100 years old and personal data about an individual, if the person has been dead for more than 10 years.
Unlike EU’s GDPR, Singapore’s PDPA does not create a special category of sensitive personal data.
However, the Personal Data Protection Commission (PDPC) decided in October 2017 that certain kinds of personal data are of a sensitive nature and require a higher level of protection than other kinds of personal data.
Examples of personal data of a sensitive nature includes –
- Any kind of personal data about minors (individuals under the age of 21),
- Identification data (e.g. from passports and National Registration Identity Cards),
- Financial data (e.g. credit cards, bank accounts, payments and transactions),
- Insurance data (e.g. policy, sums, premiums),
- Certain sensitive medical data,
- Certain criminal data on prior drug use.
If your website, company or organization processes personal data of a more sensitive nature from users inside Singapore, the PDPC requires you to implement security safeguards appropriate to the sensitivity of the information.
Singapore’s PDPA consent obligations and its 2020 amendments
In November 2020, Singapore amended the PDPA to include, among other things, a more detailed set of specifications on how deemed consent works.
Deemed consent is the valid type of consent that means that the inaction of users constitutes a form of implied consent. However, users must still be able to revoke their consent at any given time, even though the consent is deemed.
In the PDPA before the 2020 amendment (section 15), deemed consent works like this –
- A website must, before any collection, use or disclosure of personal data, determine whether their collection, use or disclosure is likely to have an adverse effect on the individual.
- A website must then inform the individual about its intention to collect, use or disclose their personal data, the purpose for which the personal data will be collected, used or disclosed, as well as enable the individual to not give their consent and in so doing opt-out of having their personal data collected, used or disclosed.
The new and amended PDPA (section 15A) expands the consent obligations to include deemed consent by notification, meaning that –
- Websites, companies and organizations can collect, use or disclose personal data if the individual does not make clear that they don’t consent. However, it is now required that some form of notification is shown to the individual about the collection of their personal data and given an opportunity to not give their consent.
- If users don’t express their dissent towards their personal data being collected, used or disclosed by a website, the website is allowed to start collection, use and disclosure (e.g. transferring data to Google or Facebook) based on deemed consent, i.e. that the website can deem that the user – by not explicitly dissenting or opting out of the collection – is okay with the collection.
The PDPA’s deemed consent by notification is close to the previous EU personal data protection regime under the ePrivacy Directive, which also allowed for the implied consent of EU users. This, however, has been effectively ruled out by the European Data Protection Board (EDPB) based on the newer GDPR’s requirement for valid consent to consist of an affirmative, explicit action on part of the user.
Singapore’s PDPA regulations
The Personal Data Protection Regulations of 2014 clarify the practical aspect of how websites and organizations are supposed to set up their PDPA compliance.
In short, the PDPA regulations –
- specify that requests (to gain access or to correct or to dissent from further personal data collection) must be made by users in writing
- clarify that websites, companies and organizations receiving requests from users must respond within 30 days
- make it clear that organizations may charge a fee in exchange for processing requests from users
- explain the rules around international transfers of personal data outside of Singapore
Summary: Singapore’s PDPA
PDPA compliance with Cookiebot CMP
Singapore’s Personal Data Protection Act (PDPA) is one of the world’s strong data privacy laws that requires your website, if it has visitors from inside Singapore, to comply with its obligations for obtaining user consent, giving timely user notifications and enabling users to request access to and correction of already collected personal data.
Cookiebot CMP is the world’s leading solution for cookie control and consent management, offering plug-and-play compliance with all major data privacy laws such as EU’s GDPR, California’s CCPA, Brazil’s LGPD, South Africa’s POPIA – and Singapore’s PDPA.
Sign-up for free to Cookiebot CMP today for all-round, fully automatic data privacy compliance.
Try a free limited scan of your website to see what cookies are in operation, what kinds of personal data your website collects and where it sends data to.
What is Singapore’s PDPA?
Singapore’s Personal Data Protection Act (PDPA) is a national data privacy law that governs all collection, use and disclosure (e.g. sharing with third parties) of personal data in Singapore. It took effect in 2014 and was amended in 2020 to strengthen protection for users and tighten requirements for websites, companies and organizations.
Who does Singapore’s PDPA apply to?
Singapore’s PDPA applies to any website, company or organization anywhere in the world that collects, uses or discloses personal data from inside the territory of Singapore. If your website has visitors from Singapore, you are required to comply with its consent obligation and other key provisions. Fines for non-compliance can reach $1 million.
What is personal data under Singapore’s PDPA?
Singapore’s PDPA defines personal data very broadly and includes names, addresses, email addresses, telephone numbers, IP addresses, cookie identifiers, unique IDs, search history, browser history, device data, location data. Data on financials and health, among others, are regarded by the Personal Data Protection Commission (PDPC) as being of a more sensitive nature, which requires additional protection.
How can my website be PDPA compliant?
Singapore’s PDPA requires your website to obtain the consent of users before collecting, using or disclosing their personal data. You must notify users about your intended collection and the purposes for collection and enable users to opt-out. Users need also to be able to revoke their consent at any given time, if they choose so.
What is valid consent under Singapore’s PDPA?
Valid consent under Singapore’s PDPA means to first inform users of your website’s intended collection, including the purposes for collection, and enabling users to opt-out before any processing has begun. If users have been notified and still haven’t opted-out, you’re allowed to deem their inaction as implied consent and begin collection, use or disclosure of their personal data.
Try Cookiebot CMP free for 14 days – or always if you have a small website