30 May 2018
Between 27 April 2018 and 7 June 2018, the Personal Data Protection Commission (“PDPC”) is conducting a public consultation on the following:
- Merger of DNC Provisions under the PDPA and SCA: Merger of the Do Not Call (“DNC”) provisions under the Personal Data Protection Act (“PDPA”) and the Spam Control Act (“SCA”) into a single legislation (“New Act”) to govern all unsolicited commercial messages;
- Introduction of an EPG framework under the PDPA: Introduction of an Enhanced Practical Guidance (“EPG”) framework under the PDPA to provide guidance with regulatory certainty to organisations; and
- Consent exceptions: The consent exceptions for the collection, use and disclosure of personal data pursuant to section 17 and the Second, Third and Fourth Schedules to the PDPA are under review, and the PDPC is seeking feedback on whether the scope or conditions of any exception should be adjusted or clarified, and if any exception is no longer necessary or relevant. For example, exceptions apply in certain circumstances or situations where obtaining consent for the collection, use or disclosure of personal data may not be feasible, or where the data is generally available to the public.
Merger of DNC Provisions under the PDPA and SCA
Following similar approaches in other jurisdictions, such as Hong Kong and the United Kingdom, PDPC proposes for the DNC provisions under the PDPA (“DNC Provisions”) and the SCA to be merged into the New Act to provide greater protection to individuals from unsolicited commercial messages and reduce ambiguity for organisations in complying with differing requirements when sending commercial messages. The PDPA will continue to be the baseline legislation for personal data protection.
PDPC is seeking views on the following suggestions:
- To regulate unsolicited commercial messages sent using IM identifiers: PDPC proposes for commercial text messages sent via Instant Messaging (“IM”) identifiers in bulk to be included in the scope of the spam control requirements under the New Act. This means that organisations will need to comply with spam control requirements such as providing an unsubscribe facility and their contact information, when sending commercial text messages using IM identifiers in bulk. If there is a contravention of the spam control requirements under the New Act, civil action may be taken by affected individuals or organisations. As there are a number of practical difficulties in implementing a national Register for IM identifiers, the intention is to treat IM identifiers similarly to email addresses under the spam control provisions under the New Act, which would be maintained as unsubscribe lists by organisations that intend to send unsolicited commercial text messages via IM identifiers in bulk. For the labelling requirements of text messages sent via IM identifiers, it is proposed that only the contact information is required (e.g. provide an email address at which the sender can be contacted).
- To provide a shorter withdrawal of consent for consumers: PDPC proposes to reduce the period for organisations to effect a withdrawal of consent to receive marketing messages under the DNC Provisions to 10 business days, in line with the period for organisations to effect an unsubscribe request under the SCA. This will minimise potential confusion and compliance costs as organisations streamline processes for all unsubscribe and withdrawal of consent requests. This also strengthens the protection for consumers who will have their withdrawal requests to stop receiving marketing voice, text and fax messages effected more quickly.
- To prohibit the use of dictionary attacks and address harvesting software: PDPC proposes to prohibit the sending of commercial messages to all telephone numbers (not limited to Singapore telephone numbers), IM identifiers and email addresses generated by or obtained through the use of dictionary attacks or address harvesting software by persons in Singapore. These provisions will be enforced under an administrative regime under the New Act. The use of dictionary attacks and address harvesting software is presently prohibited under the SCA, but it is not prohibited under the PDPA.
- To extend DNC Provisions under the New Act to B2B marketing messages: PDPC would like comments on whether the DNC Provisions under the New Act should be extended to cover business-to-business (“B2B”) marketing messages, to align the coverage of the DNC Provisions with the SCA. While expanding the scope of DNC Provisions under the New Act to cover B2B marketing messages may increase business costs for certain persons as they would now have to check the DNC Registry (“DNCR”) before sending B2B messages, it eliminates uncertainty and risks for persons sending marketing messages to a DNC-registered Singapore telephone number that may be an individual’s personal mobile number (not used for business purposes).
- To enforce DNC breaches under an administrative regime: PDPC proposes for infringements relating to the duties to check the DNCR, to provide contact information and not to conceal calling line identity under the New Act to be enforced under an administrative regime. This allows PDPC to better allocate resources for faster resolution of cases investigated, and PDPC will be empowered to issue directions (including financial penalties) for infringements of the DNC Provisions under the New Act. A private right of action in respect of the DNC Provisions will also be provided under the New Act.
- To impose an obligation on third-party checkers to communicate accurate information regarding DNCR results: PDPC proposes to impose an obligation on third-party checkers to communicate accurate information regarding DNCR results, and they can be held liable for infringements of the DNC Provisions under the New Act that result from inaccurate information that they had provided to the sender. PDPC also proposes to prohibit the resale of any results of telephone numbers that were screened through the DNCR.
- To introduce a deeming provision under the DNC Provisions in the New Act which presumes that the subscriber of the Singapore telephone number is the sender of unsolicited commercial messages: PDPC proposes to introduce a deeming provision under the DNC Provisions in the New Act such that the subscriber of the Singapore telephone number is presumed to have sent the specified message unless he or she proves otherwise. At the same time, should the specified message be sent by a third party, PDPC will consider any evidence submitted by the subscriber to substantiate the same.
Introduction of an EPG framework under the PDPA
Currently, PDPC provides guidance (“Practical Guidance”) on how specific PDPA provisions apply to a specific business activity and factual situation facing the organisation. However, PDPC’s Practical Guidance does not constitute legal advice, and does not provide confirmation of an organisation’s compliance or recommendation of a particular course of action that the organisation should take to comply with the PDPA. As such, PDPC proposes to introduce an EPG framework to provide organisations guidance with regulatory certainty (“determinations”). PDPC’s provision of determinations will be chargeable. The current practice of providing Practical Guidance will remain, and it is up to the organisation to decide whether to request Practical Guidance or determinations under the EPG framework.
PDPC will assess requests for determinations under the proposed EPG framework based on the following criteria:
- the query relates to a complex or novel compliance issue for which there is currently no clear position for its treatment under the PDPA;
- the query cannot be addressed by PDPC’s general guidance and existing published resources; and
- the query does not amount to a request for legal advice.
PDPC will not initiate investigations in situations where PDPC, in the course of assessing and providing a determination to an organisation, finds any non-compliance with the PDPA based on the information submitted by the organisation. In such circumstances, PDPC may suspend the assessment and provide the organisation a reasonable period of time to rectify the non-compliance before resuming the assessment. However, if a complaint is received during the course of assessment, PDPC reserves the right to terminate the assessment and commence investigations. PDPC will not use the information provided by the organisation for the EPG assessment as part of its investigations.
For expediency, PDPC may provide for exemptions from specific PDPA provision(s) to be sought from the Minister as part of its determinations issued under the EPG framework, where applicable.
The Second, Third and Fourth Schedules to the PDPA enumerate exceptions to the obligation to obtain consent for the collection, use and disclosure of personal data respectively. For example, exceptions apply in certain circumstances or situations where obtaining consent for the collection, use or disclosure of personal data may not be feasible, or where the data is generally available to the public. Such situations include collection of personal data for life-threatening emergencies or where it is necessary to enable certain organisations to effectively perform their functions, such as investigations or legal proceedings.
In order to ensure that extant exceptions remain relevant in the face of technological developments and changes in business practices, PDPC seeks feedback from organisations on the practicality of relying on these exceptions. In particular, feedback is sought for the following:
- whether the scope or conditions of any exception should be adjusted or clarified; and
- whether any exception is no longer necessary or relevant.
Unsubstantiated or theoretical feedback may not be considered, and organisations providing feedback have been asked to provide sufficient details to assist PDPC in understanding practical issues faced. Confidential or commercially sensitive details provided to PDPC may be identified and requested to be redacted from published feedback.
The following materials are available on the PDPC website www.pdpc.gov.sg:
- Media Factsheet
- Public Consultation for Managing Unsolicited Commercial Message and the Provisions of Guidance to Support Innovation in the Digital Economy