Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 47
of a PDPA infringement, the volume, type and
nature of personal data involved, and the extent
to which the organisation has demonstrated its
accountability for responsible data use.
At the same time, the PDPC decisions take
care to cite mitigating factors, including
prompt remedial action and the voluntary
acknowledgement of failures made by each
organisation. Moreover, the financial penalties
above, while material, appear unlikely to
undermine the financial viability of each of the
organisations involved. In these respects, these
decisions suggest that the PDPC’s overarching aim
is to ensure that companies are proportionately,
not unduly, penalised for non-compliance
with the PDPA. That objective in turn appears
consistent with the PDPC’s broader aim of
maintaining a regulatory environment that
supports commercial innovation through the
responsible use of personal data.
Amendment to Cybersecurity Act
Singapore’s forward-looking approach to
tackling the rise of cybersecurity threats was
reflected in an amendment to its Cybersecurity
Act in May 2024.
The changes effected by this amendment:
(a) Update the obligations on critical
information infrastructure (“CII”) owners
to encompass new technological and
business models, such as the use of
cloud computing. CII owners will now be
required to report to the CSA more types
of cybersecurity incidents, including
those that affect their supply chains. CII
is prescribed as the following 11 sectors
in Singapore: energy, water, banking
and finance, healthcare, transport
(land, maritime and aviation), infocommunications, media, security and
emergency services, and Government.
(b) Expand the oversight of Singapore’s Cybersecurity Agency
(“CSA”) to cover new classes
of regulated entities, namely Systems of
Temporary Cybersecurity Concern (i.e.
computer systems that are of higher risk
due to temporary events or situations);
Entities of Special Cybersecurity Interest
(i.e. that hold sensitive information or
perform a function of national interest);
and Foundational Digital Infrastructure
(i.e. cloud service providers and
data centres).