Data Protection in EU and Singapore: A Comparative Overview

Warwick Legal Network
4 September, 2025

 

Data protection is a global concern, prompting the emergence of distinct yet overlapping frameworks. The European Union’s General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act (PDPA) reflect this. Both stem from the basic standards established by the OECD and the Council of Europe, as well as EU Directive 95/46/EC. While the PDPA aligns with early EU standards, it reflects Singapore’s pro-business focus: balancing the interests of data subjects and data users.

The GDPR is an EU Regulation with direct effect across all EU Member States, not requiring national transposition. The PDPA, by contrast, is a national statute developed with Singapore’s context and its international ambitions in mind.

Key areas of comparison highlight both overlap and divergence:

Personal data definition

Both laws define personal data as information from which an individual can be identified. The GDPR has established a special category for sensitive data. The PDPA diverges on this point; however, the Personal Data Protection Commission (PDPC) argues that such data are subject to a higher threshold of protection.

Scope and jurisdiction

Both laws share a common intention to protect the data of their respective citizens and residents, extending their extraterritorial reach to any organisation processing such data.
Their scope applies to almost all private-sector organisations, including non-profits. The GDPR, however, reduces obligations for SMEs where data processing is not their core activity. Additionally, the GDPR applies to the public sector.
Both frameworks require the formation of independent supervisory authorities. The EU’s European Data Protection Board coordinates the application of the GDPR across all Member States. Singapore’s PDPC, although domestically effective, faces challenges in enforcing the PDPA against overseas entities.

Consent

To ensure lawful and secure data processing, both frameworks require organisations to meet certain requirements, namely consent, purpose limitation and notification, among others.
Under the GDPR, consent must be explicit and informed, requiring a clear opt-in. By contrast, the PDPA allows different forms of consent, such as deemed consent by conduct, contractual necessity and notification. This reflects Singapore’s aim for business efficiency and reducing regulatory burdens.
Both laws allow withdrawal of consent at any time, but differ on its implementation. The GDPR requires the establishment of a straightforward mechanism. Conversely, the PDPA requires the individual to provide “reasonable notice”.

Individual rights

The GDPR grants broad rights including access, correction, erasure, portability and objection to individuals, allowing them to have more control over their personal data. The PDPA has a narrower scope. For instance, it does not currently provide the right to be forgotten.

PDPA 2020 amendments

The amendments introduced significant updates, such as mandatory breach notifications within three calendar days and provisions regarding anonymised data, both concepts found in the GDPR. However, these modifications were driven not only by European influence, but also by rising cybersecurity threats and Singapore’s ambition to remain an international hub.

In conclusion, the PDPA has been influenced by the European framework; nonetheless, it is far from a replica of the GDPR. Instead, Singapore’s approach is to support innovation and economic competitiveness, while still meeting international standards.

 

For further information, please contact:

Júlia Elvira Castellnou

Bmk@bmk.es / julia.elvira_castellnou@kcl.ac.uk