Most multinational companies have rolled out programs to facilitate compliance with the European Union’s General Data Protection Regulation (GDPR). Enforcement under the GDPR began in 2018 and included several multimillion-dollar fines issued against companies for violations. On the tail of Europe’s sweeping data protection regulation, countries outside the EU and some states (e.g., California) have enacted or amended laws to align more closely with Europe.

Singapore’s data protection law, the Personal Data Protection Act 2012 (PDPA), took effect on January 2, 2013, and is enforced by the Personal Data Protection Commission (“the Commission”). Like the GDPR, the PDPA has an extraterritorial effect, meaning it applies to organizations collecting, using, or disclosing personal data of Singaporean residents regardless of whether the organization itself has a physical presence or is registered as a company in Singapore. Also like the GDPR, the PDPA requires that covered businesses appoint a data protection officer (DPO) who is responsible for the organization’s compliance with the PDPA.

On November 2, 2020, the Singapore Parliament passed several amendments to the PDPA aimed at “strengthening consumer trust through organizational accountability.” Like recent legislation in Brazil, California, and Canada, the amendments to the PDPA adopt several of the GDPR’s pro-consumer obligations, especially regarding data breaches. Parliament did not delay the enforcement of these new amendments, and we recommend businesses update their Singaporean programs immediately to comply with these new measures.

Read the full alert from Amy Worley.