
Is $5,000 the going rate for not appointing a DPO?


Enforcement of the Personal Data Protection Act in Singapore remains strong and visible. We are far away from the SingHealth incident, but enforcement decisions continue apace. Recently, the PDPC announced that it fined five organisations a combined $117,000 for different breaches of the Personal Data Protection Act. Many aspects of these decisions are still familiar. A data breach is discovered by a member of the public. The PDPC investigates the data breach. The PDPC imposes a penalty on the offender.

As discussed recently, recent decisions show that the PDPC is moving away from discussing the data breach towards the openness obligation, or what is now known as the “accountability” principle. The latest decisions are further evidence of this. Three of the five new decisions refer to policies and procedures. This includes Horizon Fast Ferry Pte. Ltd., which was fined $54,000 (probably a high watermark in enforcement).

However, we are focusing on ChampionTutor Inc. in this post. The Organisation, from its description in the decisions, appears to be a “high tech” and lean and mean operation providing matchmaking services for tutors and students. It failed to appoint a Data Protection Officer or have any policies. Little is mentioned otherwise of the supposed data breach. However, the organisation was fined $5,000.

Sounds familiar? AgcDesign looms. In that decision, there was no data breach but the organisation was fined $5,000 for failing to appoint a Data Protection Officer or to have any policies.

The most interesting line you can draw from these cases is that failing to appoint a Data Protection Officer or to have any privacy policies nets you a $5,000 fine.

Imagine being able to walk up to your management or your client and tell them, “If you don’t do this, this is the price you have to pay — $5,000”. Putting a dollar value on a violation certainly puts things into perspective. If this is the PDPC’s intention, it should be applauded.

I know that two swallows do not make a summer. I do not think that this is a formula set in stone. There are benefits to making this look like a traffic violation, but traffic violations have different impacts. For example, a tuition agency might baulk at being fined $5,000, while a multinational company would take it as a scrape.

In this case, Horizon Fast Ferry Pte. Ltd. provides a little hint:

… while the Commissioner will seek to ensure that the financial penalty imposed is reasonable and proportionate on the facts, the financial penalty should also be sufficiently meaningful to act both as a sanction and as a deterrent to prevent similar contraventions of the PDPA.

Horizon Fast Ferry Pte. Ltd. at [34]

As mentioned, this is a continuously evolving space, so we will see what happens soon.

Do you agree that not appointing a DPO or having any policies should “cost” $5,000? Feel free to leave your comment below!