29 November 2018
The Personal Data Protection Commission (“PDPC”) has issued a Response to feedback received from the public consultation on the following:
- Merger of DNC Provisions under the PDPA and SCA: Merger of the Do Not Call (“DNC”) Provisions under the Personal Data Protection Act 2012 (“PDPA”) and the Spam Control Act (“SCA”) into a single legislation (“New Act”) to govern all unsolicited commercial messages;
- Introduction of an EPG framework under the PDPA: Introduction of an Enhanced Practical Guidance (“EPG”) framework under the PDPA to provide guidance with regulatory certainty to organisations; and
- Consent exceptions: Review of the consent exceptions for the collection, use and disclosure of personal data pursuant to section 17 and the Second, Third and Fourth Schedules to the PDPA.
The majority of the respondents supported the merger of the DNC Provisions under the PDPA and the SCA, and the introduction of an EPG framework under the PDPA. On consent exceptions, PDPC received comments mainly relating to (i) research, (ii) business asset transaction and (iii) provision of service for personal and domestic purposes, which PDPC will consider as part of its review of the exceptions in the PDPA.
PDPC issued the Response on 8 November 2018 following the public consultation which was conducted between 27 April 2018 and 12 June 2018.
New legislation amending the PDPA to give effect to the foregoing and other changes which have been consulted upon, such as the mandatory data breach notification regime, is expected to be promulgated during calendar year 2019, although this timeline has not been finalised or officially confirmed.
Merger of DNC Provisions under PDPA and SCA
- Scope and applicability: The majority of respondents supported the proposal to merge the DNC Provisions and the SCA under a single legislation, and to extend the scope of the spam control provisions under the New Act to include commercial text messages sent in bulk using Instant Messaging (“IM”) identifiers. In view of the feedback received, PDPC provided the following clarifications on the terms and definitions to be used in the New Act:
  - Where a sender has to be added by a user before the sender can send a commercial text message via the user’s IM identifier, the message will still be considered an unsolicited commercial text message and the spam control provisions under the New Act will apply if it is sent in bulk.
  - The New Act will not apply to in-app notifications (e.g. notifications to download the latest version of an app) or a mobile device’s notification feature.
  - The DNC and spam control provisions under the New Act would also apply to images, videos and audio files that contain commercial messages.
- Shorter period for effecting withdrawal in two phases: PDPC’s initial proposal was to reduce the period for organisations to effect a withdrawal of consent to receive marketing messages under the DNC Provisions from the current 30 calendar days to 10 business days, in line with the period for organisations to effect an unsubscribe request under the SCA. Pursuant to feedback received on operational constraints, PDPC intends to reduce the withdrawal period in two phases as follows:
  - In the first phase, the withdrawal period for the DNC Provisions under the New Act will be reduced to 21 calendar days (from the current 30 calendar days). The prescribed duration for validity of DNC Registry (“DNCR”) checks will correspondingly change to 21 calendar days.
  - In the second phase, PDPC intends to align the withdrawal periods under both the DNC and spam control provisions under the New Act to 10 business days.
- Prohibition against dictionary attacks and address harvesting software: Most respondents supported PDPC’s proposal to prohibit the use of dictionary attack and address harvesting software for sending commercial messages. In the Response, PDPC clarified that:
  - Senders will be liable when they use mailing lists generated through the use of dictionary attack or address harvesting software from third parties, to send unsolicited commercial messages (including the making of telemarketing calls).
  - The prohibition is intended to be technology neutral, and will apply regardless of whether the use of dictionary attack or address harvesting software was carried out by a human or through automated means.
  - The prohibition does not apply when organisations use address harvesting software on their own database.
- Business-to-business (“B2B”) marketing messages excluded from DNC Provisions: As most respondents commented that the DNC Provisions under the New Act should not cover B2B marketing messages, PDPC intends to retain the current exclusion of B2B marketing messages from the DNC Provisions in the New Act.
- Enforcing DNC breaches under an administrative regime: In the public consultation, PDPC had proposed for infringements relating to the duties to check the DNCR, to provide contact information and not to conceal calling line identity under the New Act to be enforced under an administrative regime. As a majority of the respondents are supportive of the proposal, PDPC intends to enforce the DNC Provisions under an administrative regime. However, repeat or egregious breaches of the DNC Provisions may still be prosecuted as criminal offences. Under the New Act, defendants will continue to have defences similar to the current regime. The DNC Provisions under the New Act will continue to be enforced by PDPC, and affected individuals and organisations will continue to have the statutory right to take private action. The spam control provisions under the New Act will continue to provide for private right of action for affected individuals and organisations.
- Liability of DNC third party checkers and resale of DNCR lists: PDPC intends to retain the proposal to impose an accuracy obligation and liability on third-party checkers under the New Act. However, it is still the sender’s duty to ensure that Singapore telephone numbers are duly checked with the DNCR and specified messages are not sent to individuals who are registered with the DNCR, unless the individuals had given clear and unambiguous consent to receive such messages.
  Taking into consideration the feedback received, PDPC will not proceed with the proposal to prohibit the resale of results of telephone numbers checked against the DNCR.
- Deeming provision which presumes that the subscriber of the Singapore telephone number is the sender of unsolicited commercial messages: Respondents were divided on PDPC’s proposal to introduce a deeming provision under the DNC Provisions in the New Act such that the subscriber of the Singapore telephone number is presumed to have sent the specified message unless he or she proves otherwise. On balance, PDPC intends to proceed with the deeming provision proposal because mobile subscribers have control over their own subscriptions and devices and are in the best position to safeguard their subscriptions and devices from illicit use. In exercising the deeming provision in its enforcement work, PDPC would be mindful of the particular circumstances of the alleged DNC infringement and give due regard to the subscriber’s position.
Introduction of an EPG framework under the PDPA
In the public consultation, PDPC had proposed to introduce an EPG framework to provide organisations guidance on complex compliance queries with regulatory certainty (“determinations”) and which will be chargeable. A majority of the respondents were supportive of the proposed EPG framework. In the Response, PDPC stated that it intends to provide determinations under the EPG framework for queries relating to proposed business activities that are more than just exploratory, i.e. the proposal contains sufficiently detailed plans. PDPC also clarified that determinations may be sought by professional advisors (e.g. lawyers) on behalf of organisations, or by industry bodies, on behalf of their members.
According to PDPC, determinations may only be relied on by the requesting organisation. Where an application is submitted by multiple organisations, PDPC may issue the determination to all organisations making the application. The determination takes effect once issued to the applicant(s) and PDPC will impose a validity period for all determinations which will be decided on a case-by-case basis. In relation to the EPG fee structure, PDPC will take into account factors such as the size and number of organisations involved in the EPG application, and the complexity of the query.
The following materials are available on the PDPC website www.pdpc.gov.sg:
- Response to feedback on the public consultation for Managing Unsolicited Commercial Messages and the Provision of Guidance to Support Innovation in the Digital Economy
- List of responses received