On 8 November, 2018, Singapore’s Personal Data Protection Commission (PDPC) issued its response to feedback received on a public consultation paper. In that consultation paper, the PDPC had proposed to:
- merge the Do Not Call provisions in the Personal Data Protection Act 2012 of Singapore (PDPA) and Spam Control Act into a single legislation to govern all unsolicited commercial messages; and
- assess requests for the PDPC to make determinations on complex or novel compliance issues under the PDPA.
1. Unsolicited commercial messages
The new legislation will apply to messages sent to a user’s instant messaging identifier, where a sender has to be first added by a user. It will also apply to messages sent via MMS audio files and video files sent using instant messaging identifiers. However, it will not apply to in-app notifications or a mobile phone’s notifications.
Time period for effecting withdrawal requests
This will eventually be streamlined to a reduced period of 10 business days, in two distinct phases:
- In the first phase, the withdrawal period for the Do Not Call provisions under the PDPA will be reduced from 30 to 21 calendar days. The pricing mechanism for Do Not Call registry checks will also be reviewed. However, the period for spam unsubscribe requests will remain unchanged at 10 business days.
- In the second phase, any withdrawal, whether under the Do Not Call or spam control provisions, will need to be effected within 10 business days.
Dictionary attack and address harvesting software
The use of dictionary attack and address harvesting software for sending commercial messages will be prohibited. Senders will be liable when they use mailing lists generated through the use of either of these, but third parties that merely generate the lists for the senders will not be similarly liable. The prohibition will be technology neutral, i.e. it will apply whether sending is done through a human act or automation.
Business to business marketing
B2B marketing messages will be excluded from the Do Not Call provisions in the new legislation.
The PDPC will enforce Do Not Call breaches under an administrative regime instead of prosecuting these as criminal offences. However, where there are repeat or egregious breaches of the Do Not Call provisions, the PDPC will reserve the right to treat them as criminal offences. Contraventions of the new legislation will entitle affected individuals and organisations to take private action.
Liability for third-party checkers and resale of lists
An accuracy obligation will be imposed on third-party checkers under the new legislation. However, the sender will retain the duty of ensuring that Singapore numbers are duly checked and unsolicited commercial messages are not sent to numbers registered on the Do Not Call registry unless they have clear and unambiguous consent to do so.
The PDPC will not prohibit the resale of results of numbers checked against the Do Not Call registry. This is because such resale would be subject to the consent and notification obligations under the PDPA, and third-party checkers are already obliged to provide accurate results to the senders who remain liable for the sending of messages as explained above.
There will be a deeming provision that a subscriber is presumed to have sent a message unless they can prove otherwise. The rationale for this is as follows. Mobile subscribers have control over their own subscriptions and devices and hence are best placed to safeguard these from illicit use, as well as to detect any misuse. In the event that the subscriber’s number had been spoofed or their device hacked, they would be in a position to produce records or evidence that they did not send the message or call from the device. The PDPC will, however, take into consideration all of the relevant facts of each case in its investigations.
2. Enhanced practical guidance
Organisations can seek practical guidance from the PDPC on complex and novel compliance issues under the PDPA.
The PDPC intends to provide determinations for queries relating to proposed business activities, provided that sufficient details of those activities are supplied.
These determinations will only be made on complex or novel issues for which there are no clear positions under the PDPA, where the query cannot be addressed from existing guidance, and where the query is not a request for legal advice.
Organisations can only apply for such determinations in good faith, i.e. they must be able to demonstrate that they are not seeking to evade compliance with the PDPA.
Where a determination is made that confirms compliance with the PDPA, the PDPC will generally not find the organisation to be in breach unless the information provided by the organisation was false or no longer accurate or there have been changes to the PDPA that affect such determination.
The PDPC may publish redacted versions of its determinations on a case-by-case basis and will give the organisation an opportunity to review the facts prior to publication.
In relation to the fees that will be charged for such determination, the PDPC will provide further details on these, taking into account factors such as the size and number of organisations involved in the request as well as the complexity of the queries.
3. Exceptions to consent
The PDPC is still reviewing the exceptions to consent under the PDPA, including exceptions on: (i) research purpose; (ii) business asset transaction; and (iii) provision of service for personal and domestic purposes.
The public consultation response by the PDPC is part of a broader review to ensure that Singapore’s data protection laws are kept up-to-date with today’s fast-evolving digital economy.
Businesses will need to start reviewing their IT systems and checking processes, particularly in relation to responding to unsubscribe requests, to ensure that they will comply with the new legislation on unsolicited commercial messages once it is passed. Should you need to discuss the applicability of any of the above proposed changes to your business, please feel free to contact the author.