Database

Browse Database

SINGAPORE

Since June 2024

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Code of Practice for E-Commerce Services
Under the Code of Practice for E-Commerce Services, designated e-commerce service providers must take all reasonably practicable steps to prevent their services from being used for scams and malicious cyber activity offences.
In particular, Section A5 requires service providers to retain all available data relating to accounts that have been, or are suspected of being, used for scams and/or malicious cyber activities. This includes, where available, records identifying the account user(s), transaction or interaction records, activity logs, IP addresses, and metadata. Such data must be retained for at least 90 days to facilitate potential criminal investigations into scams and malicious cyber activities.
The currently designated e-commerce services include Carousell, Facebook Marketplace, Facebook Advertisements, and Facebook Business Pages.
Coverage E-commerce services

SINGAPORE

Since October 2012, entry into force in July 2014, last amended in November 2025

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Data Protection Act 2012
Under Section 11.3, each organisation is required to appoint one or more data protection officers to be responsible for ensuring the organisation’s compliance with the Personal Data Protection Act.
Coverage Horizontal

SINGAPORE

Since June 2010

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Criminal Procedure Code (Cap. 68)
Pursuant to Section 39 of the Criminal Procedure Code, police officers investigating arrestable offences may at any time access and search the data of any computer they suspect has been used in connection with the offence. No warrant or special authorisation is needed. It is reported that the police have seized electronic devices in the course of several investigations over the past few years. Penalties for noncompliance can include a fine of up to SSGD 5,000 (approx. USD 3,700), a six-month jail term, or both.
Coverage Horizontal

SINGAPORE

N/A

Pillar Intellectual Property Rights (IPRs)  |  Indicator Effective protection covering trade secrets
The Common Law doctrine of breach of confidence
In Singapore, there is no specific legislation dedicated to the protection of trade secrets. Instead, trade secrets are typically safeguarded through the common law doctrine of breach of confidence, alongside intellectual property and contract law, where applicable. For information to qualify as a trade secret or confidential information, it must not be publicly accessible and must be clearly and specifically identified, as demonstrated in Nanofilm Technologies International Pte Ltd v Semivac International Pte Ltd and others [2018] SGHC 167.
Additionally, the Intellectual Property Office of Singapore outlines three key considerations for determining whether a breach of confidence has occurred: (1) whether the information has the quality of confidentiality; (2) whether it was communicated under circumstances that impose an obligation of confidentiality—this obligation can exist even if the information was accessed or acquired without the company’s consent; and (3) whether the person who obtained the information can prove that they were unaware of its confidential nature or acquired it unintentionally.
Coverage Horizontal

SINGAPORE

N/A

Pillar Telecom infrastructure & competition  |  Indicator Passive infrastructure sharing obligation
Lack of obligation to share passive infrastructure
It is reported that there is no obligation for passive infrastructure sharing in Singapore to deliver telecom services to end users. However, it is practised in both the mobile and fixed sectors based on commercial agreements.
Coverage Telecommunications sector

SINGAPORE

Since October 1993

Pillar Telecom infrastructure & competition  |  Indicator Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Singapore retains state-linked ownership in the telecommunications sector through Singapore Telecommunications Limited (Singtel), the incumbent telecommunications operator. According to Singtel’s Annual Report 2025, Temasek Holdings (Private) Limited is Singtel’s largest shareholder, holding 50.29% of Singtel’s issued share capital. Since Temasek is wholly owned by the Singapore Minister for Finance, Singtel remains majority-owned through a government-owned investment holding company.
Coverage Telecommunications sector

SINGAPORE

N/A

Pillar Telecom infrastructure & competition  |  Indicator Functional/accounting separation for operators with significant market power
Lack of mandatory functional separation for dominant network operators
Singapore does not mandate functional separation for operators with significant market power (SMP) in the telecom market. However, accounting separation is required in some instances (dominant licensees and their related companies).
Under Section 2.3 of the Code of Practice for Competition in the Provision of Telecommunication and Media Services 2022, a telecommunications licensee or regulated person may be classified as a dominant entity where it operates facilities that are sufficiently costly or difficult to replicate, creating a significant barrier to market entry, or where it has the ability to exercise significant market power in a market covered by its telecommunications or media licence.
The Accounting Separation Guidelines, issued under Section 28 of the Telecommunications Act, allow the Infocomm Media Development Authority (IMDA) to require facilities-based operators and individually licensed services-based operators to comply with accounting separation. The Guidelines provide for two levels of accounting separation: detailed segment reporting, which applies to dominant facilities-based operators and certain related entities, and simplified segment reporting, which applies to certain entities linked to a dominant operator.
Functional or structural separation is not generally imposed on all dominant operators. However, IMDA may impose structural separation as an enforcement remedy in appropriate cases under Sec. 12.6.4.6 of the 2022 Code.
Coverage Telecommunications sector

SINGAPORE

Since June 2022

Pillar Telecom infrastructure & competition  |  Indicator Licensing restrictions to operate in the telecom market
Guidelines for Submission of Application for Services-based Operations Licence
The "Guidelines for Submission of Application for Services-Based Operations Licence" outline the procedures for obtaining the Services-Based Operations (SBO) Licence, which authorises an operator to provide services-based telecommunications services in Singapore. Generally, operators that lease international transmission capacity to deliver their services are required to obtain an SBO (Individual) Licence. According to Section 2.3 of the Guidelines, applicants seeking an SBO (Individual) Licence for prepaid services must ensure that their company possesses a minimum paid-up capital of SGD 100,000 (approx. USD 74,000).
Coverage Telecommunications sector

SINGAPORE

Since April 1994

Pillar Telecom infrastructure & competition  |  Indicator Signature of the WTO Telecom Reference Paper
WTO Telecom Reference Paper
Singapore has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector

SINGAPORE

Since October 2016

Pillar Telecom infrastructure & competition  |  Indicator Presence of an independent telecom authority
Info-communications Media Development Authority Act 2016
According to the Info-communications Media Development Authority Act, the Info‑communications Media Development Authority, the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.
Coverage Telecommunications sector

SINGAPORE

Since December 1967, last amended in December 2025

Pillar Cross-border data policies  |  Indicator Local storage requirement
Companies Act 1967
Under Art. 199 of the Companies Act 1967, every company must keep accounting and other records that sufficiently explain its transactions and financial position. Where those records are kept outside Singapore, Art. 199(4) requires the company to send to and keep in Singapore the statements and returns necessary to enable the preparation of true and fair financial statements, including any documents required to be attached to them. These records must also remain open to inspection by the company’s directors at all times.
Coverage Horizontal

SINGAPORE

Since October 2012, entry into force in July 2014, last amended in November 2025
Since January 2021, entry into force in February 2021

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Personal Data Protection Act 2012

Personal Data Protection Regulations 2021
According to Section 26.1 of the Personal Data Protection Act, organisations are prohibited from transferring personal data to a country or territory outside Singapore unless they comply with the requirements prescribed by the Act. Organisations must implement appropriate measures to verify and ensure that the recipient of the personal data, located in a foreign country or territory, is bound by legally enforceable obligations that provide a standard of protection comparable to that of the Personal Data Protection Act. Section 26.2 of the Act allows organisations to apply to the Personal Data Protection Commission for an exemption from any of the restrictions outlined in Section 26.1.
In addition, Part 3 of the Personal Data Protection Regulations specifies that if a recipient of personal data holds a specified certification granted or recognised under the law of the country or territory to which the personal data is transferred, they are considered to be bound by legally enforceable obligations to ensure a standard of protection for the transferred personal data that is at least equivalent to the protection provided by the Personal Data Protection Act. The specified certifications include those recognised under the Asia Pacific Economic Cooperation (APEC) Privacy Recognition for Processors System, applicable when the recipient is a data intermediary, or the APEC Cross-Border Privacy Rules in other cases. Additionally, data transfers are permitted under the following conditions:
- The individual has given consent to the transfer of their data, having been provided a reasonable summary, in writing, of the extent to which their data will be protected by standards comparable to the Personal Data Protection Act;
- The transfer is necessary for the performance of a contract between the organisation and the individual or for the purpose of entering into such a contract;
- The transfer is necessary for the conclusion or performance of a contract between the organisation and a third party, which is entered into at the individual's request;
- The transfer is necessary for use or disclosure in certain situations where the consent of the individual is not required under the Personal Data Protection Act, such as use or disclosure necessary to respond to an emergency;
- The data are in transit;
- The data are publicly available in Singapore.
Coverage Horizontal

SINGAPORE

Signed in October 2016, entry into force in December 2017
Signed in May 2019, entry into force in January 2020
Signed in March 2018, entry into force in December 2018
Signed in January 2018, entry into force in May 2018
Signed in August 2020, entry into force in December 2020
Signed in June 2020, entry into force in January 2021
Signed in February 2022, entry into force in June 2022
Signed in August 2005, entry into force in March 2006, as amended in January 2023
Signed in July 2023, entry into force in March 2024

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Updated Singapore - Australia Free Trade Agreement (SAFTA)

Protocol to Amend the Agreement between Singapore and New Zealand on a Closer Economic Partnership

Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)

Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore

Australia - Singapore Digital Economy Agreement

Digital Economy Partnership Agreement ("DEPA") Between Singapore, Chile & New Zealand

Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore

Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore

Protocol to the Digital Economy Partnership Agreement
Singapore has joined several agreements with binding commitments to open transfers of data across borders. These include: the Updated Singapore-Australia Free Trade Agreement (SAFTA, Chapter 14, Art. 13), the Protocol to Amend the Agreement between Singapore and New Zealand on a Closer Economic Partnership (Art. 9.10), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, Art. 14.11), the Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore (Art. 9.9), the Australia - Singapore Digital Economy Agreement (Annex A Art. 23), the Digital Economy Partnership Agreement Between Singapore, Chile and New Zealand (DEPA, Art. 4.3), the Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore [Art. 8.61-F(2)], the amended Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore (Art. 14.14), and the Protocol to the Digital Economy Partnership Agreement (Art. 5)
Coverage Horizontal

SINGAPORE

Since October 2012, entry into force in July 2014, last amended in November 2025

Pillar Domestic data policies  |  Indicator Framework for data protection
Personal Data Protection Act 2012
The Personal Data Protection Act 2012 (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act. It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore. The Act came into force in different phases, and the provisions concerning data protection were enforced in July 2014.
Coverage Horizontal

SINGAPORE

Since January 2019, last amended in December 2025

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Services-Based Operations (Individual) Licence Template
According to the Services-Based Operations (Individual) Licence Template issued by the Infocomm Media Development Authority (IMDA), licensees providing certain telecommunications services must maintain data records, including assigned source IP addresses, date and time stamps, assigned user IDs or user names, and, for some services, Call Detail Records (CDRs). These records must be made available for inspection by authorised Singapore government agencies and must generally be retained for at least 12 calendar months. IMDA also reserves the right to require licensees to retain any other details as part of data records where necessary.
In addition, the licensee shall disclose subscriber information, where deemed necessary to the Authority or such other relevant law enforcement or security agencies in the exercise of their functions and duties.
Coverage Telecommunication sector

Report issue     Report new measure