Data protection & privacy laws in Singapore (2026)

The PDPC imposed a S$315,000 financial penalty on Marina Bay Sands after a 2023 cyberattack exfiltrated personal data of 665,495 loyalty-programme members, later offered for sale on the dark web. This was the first major penalty calculated under the revised percentage-of-turnover framework introduced by the 2020 Amendment Act.

IMDA and PDPC elevated the voluntary Data Protection Trustmark (DPTM) certification into a formal Singapore Standard (SS 714:2025), benchmarking it against global best practices and tightening requirements on third-party management and cross-border data transfers. Announced alongside new Privacy-Enhancing Technologies adoption guides.

Following a July 2023 public consultation, the PDPC published binding advisory guidelines clarifying how the PDPA applies when organisations use personal data to train and operate AI recommendation and decision systems. This is Singapore's first PDPA-specific AI data governance instrument.

Attackers illegally accessed and exfiltrated personal data of 665,495 MBS loyalty-programme patrons; the data subsequently appeared for sale on the dark web. The incident triggered investigation under the mandatory breach-notification regime introduced in 2021.

The final tranche of the Personal Data Protection (Amendment) Act 2020 came into force via Commencement Notification S767-2022, activating the data portability right that entitles individuals to request their data be transferred directly between organisations. Singapore became one of few Asian jurisdictions to enshrine portability in statute.

The PDPC updated its Advisory Guidelines on Enforcement of Data Protection Provisions and the Guide on Active Enforcement to reflect the higher financial penalties and new obligations introduced by the 2020 Amendment Act, providing clearer guidance on how penalties up to 10% of annual turnover would be calculated.

The most sweeping reform since the PDPA's enactment took effect: mandatory data breach notification to PDPC (within 3 days) and affected individuals, enhanced consent exceptions including deemed consent and legitimate interests, and a sharply increased financial penalty cap of S$1 million or 10% of Singapore annual turnover — whichever is higher.

Singapore's Parliament passed the first comprehensive review of the PDPA since 2012, introducing mandatory breach notification, a new data portability right, deemed-consent and legitimate-interest bases, and raising the maximum financial penalty from S$1 million flat to the higher of S$1 million or 10% of Singapore annual turnover.

In a single consolidated decision, the PDPC held M1, Singapore Telecommunications, and StarHub liable for failing to implement reasonable security measures after a vendor's systems were compromised, exposing customer data across all three operators. The joint decision signalled the PDPC's willingness to pursue sector-wide simultaneous enforcement.

Following the 2018 SingHealth cyberattack, the PDPC imposed S$750,000 on Integrated Health Information Systems (IHiS) and S$250,000 on Singapore Health Services for failing to make reasonable security arrangements, constituting the highest cumulative penalty since the PDPA's enactment and establishing the benchmark for large-scale breach enforcement.

State-sponsored attackers exfiltrated personal data of 1.5 million SingHealth patients and outpatient prescription records of 160,000, including data specifically targeting Prime Minister Lee Hsien Loong. A Committee of Inquiry was convened on 24 July 2018; its January 2019 report issued 16 recommendations that shaped subsequent PDPA reform and public-sector security policy.

The core data-protection provisions of the PDPA — governing the collection, use, disclosure, and care of personal data by private-sector organisations — took effect, completing the phased commencement of the Act and creating Singapore's general-purpose data protection framework for the first time.

The PDPA's Do Not Call (DNC) Registry went live, prohibiting organisations from sending voice, text, or fax marketing messages to Singapore telephone numbers registered on the DNC Registry. Enacted under the Personal Data Protection (Do Not Call Registry) Regulations 2013 (S709-2013), this was the first PDPA mechanism to become operational.

Singapore enacted its first omnibus data protection law, establishing the Personal Data Protection Commission (PDPC), a national Do Not Call Registry, and a general framework governing how private-sector organisations collect, use, and disclose personal data. The Act introduced nine data protection obligations and drew on international models including the APEC Privacy Framework.