Singapore: Adopted Personal Data Protection Act (PDPA) including personal information protection in electronic commerce

Description

On 15 October 2012, the Personal Data Protection Act (PDPA) including personal information protection in electronic commerce was adopted by the Parliament of Singapore. The adoption and implementation of a legal framework that provides for the protection of the personal information of the users of electronic commerce is the result of an obligation stipulated in provision 14.8(2) of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a trade agreement between Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. The PDPA stipulates various obligations for organisations operating in Singapore, including making information about their data protection policies, practices, and complaints process available upon request, and designating a data protection officer (DPO) and making the officer's contact information public. Organisations are further obligated to notify individuals of the purposes for which their personal data is being collected, used, or disclosed. They can only collect, use, or disclose personal data for purposes to which the individual has consented. According to the Act, organisations cannot require individuals to consent to the collection, use, or disclosure of their personal data beyond what is reasonable to provide a product or service. Individuals must be allowed to withdraw consent with reasonable notice, and must be informed of the likely consequences of withdrawal. Upon withdrawal, the organisation must cease collecting, using, or disclosing the individual's personal data. Moreover, organisations are required to make reasonable security arrangements to protect the personal data in the organisation's possession, preventing unauthorised access, collection, use, and disclosure.
Regarding the storage of personal data, the Act stipulates that when personal data is no longer needed for any business or legal purpose, organisations must cease retention of the data or properly dispose of it. Further, organisations must provide individuals, upon request, with access to their personal data and with information about how it was used or disclosed. Lastly, in the event of a data breach, organisations must assess whether it is notifiable; if the breach is likely to result in significant harm to individuals or is of significant scale, organisations are required to notify the Personal Data Protection Commission (PDPC) and the affected individuals as soon as possible.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: legislature
Government Body: parliament

Complete timeline of this policy change

2012-10-15
under deliberation

On 15 October 2012, the Personal Data Protection Act (PDPA) including personal information protecti…

2012-11-20
adopted

On 20 November 2012, the Personal Data Protection Act (PDPA) including personal information protect…

2014-07-02
in force

On 2 July 2014, the Personal Data Protection Act (PDPA), which includes personal information protec…

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
