Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 44
required for children under 13 years old. For
children between 13 and 17, their consent is
only valid if the policies on data processing
and how consent can be withdrawn are easily
understandable by them.
The CD Guidelines recognise and support the
use of age assurance methods, such as age
verification or estimation to ascertain a user’s
age. Organisations must, however, ensure that
data minimisation is adhered to, such that only
personal data which is necessary to ascertain a
user’s age is collected.
While not explicitly prescribed in the PDPA,
the CD Guidelines allude to children’s personal
data being of a greater sensitivity for which a
higher standard of protection is warranted. To
this end, it is advised that a data protection
impact assessment be conducted before
releasing products or services likely to be
accessed by children, and the CD Guidelines
include a list of sample questions to consider
when conducting such assessment.
Privacy-enhancing Technologies
A Proposed Guide on Synthetic Data
Generation was launched in July 2024, to
aid organisations in understanding potential
use cases particularly for AI. This is a further
step in PDPC’s push towards promoting the
deployment of privacy-enhancing technologies
(PETs) starting with its regulatory sandbox for
PETs launched in 2022. Practical guidance has
also been issued in response to a social media
provider’s request, which references the use of
multiparty computing and differential privacy
for attributing digital advertising impressions
and conversions.
Notable enforcement cases
2024 saw an aggregate of S$421,800 being
imposed as financial penalties for breaches
of the PDPA in 13 different cases. The vast
majority of these involved infringements of
the protection obligation in section 24 of the
PDPA, which requires organisations to make
reasonable security arrangements to prevent
any unauthorised processing of personal data
in an organisation’s possession or control.
Notably, 2024 also saw an unprecedented
increase in the take-up of voluntary
undertakings by organisations, as a means to
demonstrate remediation compliance in place
of a full investigation and financial penalties by
the PDPC for data breaches. While there were
in total 15 enforcement decisions published
by the PDPC last year, there were a whopping
44 accepted undertakings from organisations
that potentially contravened the PDPA, but
which promise implementation of specific
remediation and rectification measures in
exchange for the PDPC’s dropping any further
regulatory investigation or action.
The above offers insights about the PDPC’s
implicit philosophy in enforcing breaches
of the PDPA.
Court decision on PDPA
On November 12, 2024, the District Court of
Singapore issued its decision in Martin Piper v
Singapore Kindness Movement, which arose
from a claim by the plaintiff that the defendant
had contravened the consent and purpose
limitation obligations in the PDPA, and that
he had suffered financial loss and emotional
distress as a result.
The case facts were as follows. The plaintiff
had sent an email from his personal address to
the defendant, which is a registered charity in
Singapore, asking that allegedly discriminatory
messages about the plaintiff be removed. These
messages were sent by the co-founder of the
defendant’s affiliate. After extensive email
exchanges between the defendant and the
plaintiff on the one hand, and the defendant
and the co-founder on the other, the defendant
eventually emailed the co-founder asking her
to respond to the plaintiff directly. In this email
to the co-founder, the defendant appended
the various emails it had exchanged with the
plaintiff. The plaintiff brought a claim alleging
that by disclosing his name and email address