Lazada’s Personal Data Breach and Rethinking Cost-Benefit Analysis of PDPA Compliance

Singapore Law; Legal; Lawyer

Lazada’s Data Breach

Lazada reported that its Redmart customers’ personal data had been illegally accessed and sold online. The stolen data includes names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers of 1.1 million accounts.

The Personal Data Protection Commission (PDPC) has been informed. If Lazada is eventually found to have failed to put in place reasonable security arrangements to protect the personal data, it will be subject to penalties. 

Yet, one wonders how effective the penalties are on making organisations, especially large profit-making ones, from taking users’ personal data seriously

Continue reading “Lazada’s Personal Data Breach and Rethinking Cost-Benefit Analysis of PDPA Compliance”

6 Ways Businesses Can Maximise Their Downtime During COVID-19 Season

By Ronald JJ Wong and Nee Yingxin

If your business is experiencing a slow-down because of Circuit Breaker and social distancing measures during this COVID-19 season 19, now is the best time to repair legal foundations, review internal systems, and position your business for when things pick up again.

Here are 6 key areas you should review.

Continue reading “6 Ways Businesses Can Maximise Their Downtime During COVID-19 Season”

Legislative Update: Consultation & Proposed Amendments to PDPA in view of technological advancements and data security issues

Singapore Law; Legal; Lawyer

The Personal Data Protection Act (PDPA) came into effect on 1 July 2014, and was developed with reference to international frameworks, namely the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (“OECD Guidelines”) and the APEC Privacy Framework, and data protection laws of jurisdictions such as the European Union, the United Kingdom, Hong Kong, Canada, Australia and New Zealand.

In view of technological advances and global developments, such as Big Data, cybersecurity and cyberterrorism, Internet of Things and Artificial Intelligence, the Personal Data Protection Commission (PDPC) is considering other possible bases for collecting, using and disclosing personal data under the PDPA, as well as the need for mandatory data breach notifications to PDPC and affected individuals under the PDPA. The PDPC is also cognisant that there may be instances where consent is not desirable or appropriate, such as for detection of fraud or security threats.

The PDPC is therefore considering 2 main amendments to the PDPA:

  1. enhanced framework for the collection, use and disclosure of personal data (the “Enhanced Framework”); and
  2. mandatory data breach notification framework.

Continue reading “Legislative Update: Consultation & Proposed Amendments to PDPA in view of technological advancements and data security issues”

Case Update: Re Executive Coach International Pte. Ltd. [2017] SGPDPC 3

In this case, the Personal Data Protection Commission (PDPC) issued a warning to the organisation Executive Coach International Pte. Ltd. which provides life and executive coaching services to individual and corporate clients for breaching the Personal Data Protection Act (PDPA).

The organisation’s director disclosed an ex-employee’s personal history (her past drug problem and issue with infidelity in her amorous relationship) in a WhatsApp group chat comprising the ex-employee and the organisation’s other staff and volunteer trainees without the ex-employee’s consent and without notifying her of the purposes for the disclosure.

The organisation argued that the director had disclosed the personal data in his personal capacity. However, the PDPC found that the disclosure of personal data was made in the context of a dispute arising from the unamicable departure of the complainant from the organisation’s employment. The PDPC found that the director of the organisation was acting in the course of his employment as a director when he disclosed the complainant’s personal data. Therefore he cannot said to be acting in his personal capacity.

PDPC developing local certification for Data Protection Officers (DPO)

Singapore Law; Legal; Lawyer

The Straits Times reported today that the Personal Data Protection Commission (PDPC), which is the government body under the Ministry of Communications and Information (MCI) responsible for enforcing Singapore’s Personal Data Protection Act 2012 (PDPA), announced that it is developing a local certification programme for data protection officers (DPOs).

Under the PDPA, all organisations which come under the scope of the Act are mandated to appoint data protection officers (DPOs). These officers may be employees or external consultants. The DPO has to ensure that the organisation is compliant with the PDPA.

Based on the PDPC’s survey of 1,513 organisations in March and June 2016, only about 40% of Singapore organisations have a DPO on their payroll.

While there is a foreign certification for data protection issued by the US-based International Association of Privacy Professionals, training for which is conducted by Straits Interactive, the PDPC hopes that the local certification will encourage more people to take up DPO certification, and give more recognition to the role of DPO. ST reports that “Experts estimate that there will be more than 10,000 DPO jobs here over the next three years.”

It is good for organisations to review their PDPA compliance and ensure they have a DPO appointed.

For individuals / employees / job-hunters, it is good to consider obtaining such DPO certification to boost one’s skill sets and qualification to meet the likely growing demand for DPO positions in the years to come.

For more information on PDPA compliance, visit

Legislative Update: enforcement action for PDPA breaches

Singapore Law; Legal; Lawyer


On 21 April 2016, the Personal Data Protection Commission (PDPC) issued a press release outlining its enforcement action against 11 organisations for breaches to the Personal Data Protection Act (PDPA).

The highlight penalty was a $50,000 fine and other directions meted out against karaoke chain K Box Entertainment Group Pte Ltd for not putting in place sufficient security measures to protect the personal data of 317,000 members (a list of the members’ details were uploaded onto some website), for inadequate data protection policies and the absence of a Data Protection Officer (DPO). Its IT vendor in charge of managing its content management system, Finantech Holdings Pte Ltd, was also fined.

PDPA breaches can result in financial penalties, valuable work hours spent on investigation proceedings, loss of trust from one’s clients, and reputational harm.

Since the PDPA came into full effect in July 2014, the PDPC has received 667 complaints. 92% of these complaints were resolved through investigation and facilitation between the respective organisations and individuals.

In this article, I consider some key themes in the enforcement action cases highlighted in the 21 April 2016 press release.

Continue reading “Legislative Update: enforcement action for PDPA breaches”