On 27 April 2018, the Personal Data Protection Commission (PDPC) announced that it will undertake a review of the Personal Data Protection Act (PDPA). The review seeks to streamline legislation so that organizations can have a degree of clarity and certainty in instances where the PDPA and the Spam Control Act (SCA) may overlap.
Public consultations have taken place as part of the process of the PDPC’s review of two key areas:
- Consolidation of the Do Not Call Registry (DNCR) provisions of the PDPA and the SCA into a proposed new act;
- Introduction of an enhanced practical guidance (EPG) framework.
The current framework
Unsolicited commercial messages are currently regulated under the DNCR provisions of the PDPA and the SCA. The SCA regulates electronic messages (emails and text messages) that are sent in bulk, whereas the DNCR provisions under the PDPA deal with specified messages sent via text message, fax message or voice call to Singapore telephone numbers, regardless of whether such messages are sent in bulk.
Breaches of the DNCR provisions are enforced as criminal offences under the PDPA, whereas the SCA is enforced as an administrative regime.
Both the DNCR provisions under the PDPA and the SCA do not regulate text messages that are sent through instant messaging. As such, individuals who register their number on the DNCR may continue to receive marketing messages sent through platforms such as Facebook and Whatsapp.
Key features of proposed law
Key areas the new act seeks to address include:
- Provide a shorter withdrawal of consent period. Under the DNCR provisions of the PDPA, organizations with an ongoing relationship with a subscriber or user of a Singapore telephone number have 30 days to stop messaging the subscriber or user with telemarketing messages, if the subscriber or user opts out of receiving such messages. The new act will give organizations 10 business days to stop messaging the subscriber or user if they opt out from receiving such messages. Such shorter withdrawal of consent period is consistent with the provisions of the SCA.
- Regulating unsolicited commercial messages sent in bulk via instant messaging (IM) platforms: Commercial text messages sent through IM platforms will be caught under the new act. Breaches of the new act in relation to messages sent through IM platforms will therefore be subject also to enforcement under its administrative regime.
- Prohibiting the use of dictionary attacks and address harvesting software. The SCA prohibits the use of random number generators or address harvesting software in relation to electronic messages, but does not extend this to Singapore telephone numbers. The new act will extend such prohibition to the DNCR provisions of the PDPA, thereby prohibiting dictionary attacks and address harvesting in relation to Singapore telephone numbers as well.
- New law enforced under administrative regime. The offences under the new act will be enforced under an administrative regime. For example, the PDPC will be empowered to issue directions and financial penalties for infringements of the DNCR provisions under the new act. A private right
of action in respect of the DNCR provisions will also be provided under the new act.
Enhanced practical guidance
The PDPC informally provides practical guidance to organizations in relation to how the provisions of the PDPA may be applied in a specific situation.
However, such practical guidance will not be a confirmation of an organization’s compliance with the PDPA. The PDPC has therefore proposed the EPG, which is a framework in which organizations may apply to the PDPC to provide determinations on their obligations with regulatory certainty under the new act.
The PDPC drew an analogy between the proposed function of the EPG framework, and the framework administered by the Competition and Consumer Commission of Singapore (CCCS) in which the CCCS may issue decisions as to whether an agreement, conduct or merger infringes Singapore competition law. As such, the EPG framework may similarly see the PDPC providing decisions on whether certain conduct may infringe the new act regulating unsolicited commercial messages.
The PDPC’s policy on having more regulatory certainty in the digital economy appears to be heading in a direction more conducive and relevant in light of technological advancements. However, organizations should still take note of the proposed changes under the new law as set out above, which may affect them in the event that the new act is passed.
Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing Danian Zhang at firstname.lastname@example.org.