On 10 January 2022, the Singapore Ministry of Communications and Information (MCI) responded to a parliamentary question relating to the number of cases of unauthorised sales of consumers’ personal data that have been investigated over the last five years, and how many of those cases were successfully prosecuted by the Personal Data Protection Commission (PDPC).
Over the last five years, the PDPC has investigated three cases of alleged data breaches involving unauthorised sales of personal data.
Two companies were found to be in breach of the Personal Data Protection Act 2012 (No. 26 of 2012) for failing to notify and obtain consent from individuals before the sale of personal data to third parties for telemarketing purposes, and were fined SGD 48,000 (approx. USD 35,703) and SGD 6,000 (approx. USD 4,462) respectively. Apart from being fined, both companies were also directed to cease their actions and rectify their data protection practices.
In conclusion, MCI stated that the PDPC takes a firm stance against the unauthorised sale of personal data to safeguard against harm to the public, including identity theft and unsolicited calls.
Organisations purchasing contact lists must carry out due diligence to ensure that the sale of personal data is authorised, and that the data is sufficiently accurate and updated for its purposes, or be prepared to face the consequences.
* * * * *
© 2022 Baker & McKenzie.Wong & Leow. All rights reserved. Baker & McKenzie.Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.