Enhanced practical guidance on data protection offered in Singapore

Out-Law News | 01 May 2018 | 9:50 am | 2 min. read

Businesses in Singapore will have the chance to obtain 'enhanced practical guidance' on data protection issues under new plans that have been outlined.

The Personal Data Protection Commission (PDPC) has also published plans for new legislation on unsolicited commercial messages, and is also consulting on whether existing exceptions to the need for consent for the collection, use and disclosure of personal data under the country's Personal Data Protection Act (PDPA) need to be updated.

The proposals are open to consultation (18-page / 792KB PDF) until 7 June.

According to the PDPC's plans, businesses will be able to obtain enhanced practical guidance (EPG) from it where "the query relates to a complex or novel compliance issue for which there is currently no clear position for its treatment under the PDPA; the query cannot be addressed by PDPC’s general guidance and existing published resources; and the query does not amount to a request for legal advice".

The watchdog said it would not consider "hypothetical" scenarios or "queries that entail a review of the organisation’s entire business model, processes or policies".

Businesses subject to regulatory or criminal investigation would not be ineligible from applying for an EPG, but the PDPC said determinations it does provide would "generally remain valid, including when the organisation is subsequently being investigated for a matter related to the subject of an EPG determination". This is unless "there have been changes made to an aspect of the PDPA that are relevant to the determination; or the information provided by the organisation with which PDPC’s determination was made was false, misleading or no longer accurate".

The watchdog said it would charge for the EPG service.

The PDPC's consultation also covers plans to bring together and streamline existing 'do not call' (DNC) rules contained in Singapore's Personal Data Protection Act, and the country's Spam Control Act (SCA), which applies to emails that are sent in bulk. The DNC rules require businesses to check a DNC register (DNCR) of Singapore telephone numbers before sending marketing communications to ensure they do not send messages to consumers that have opted out of receiving them.

One of the main changes would see the law updated to reflect the fact that marketing communications are often addressed to 'instant messaging' (IM) identifiers. Messages sent in this way are currently outside the scope of regulation.

"As commercial messages sent via IM identifiers are not covered under the DNC provisions or the SCA today, individuals who register their mobile numbers with the DNCR may continue to receive marketing text messages which are sent using their IM identifiers," the PDPC said. "Consumers would not be able to distinguish whether the marketing text messages have been sent to their mobile telephone numbers or sent using their IM identifiers."

"To ensure the new Act remains attuned to industry practices and new technologies, and provide better protection for consumers from unsolicited commercial messages sent using their IM identifiers, PDPC proposes for commercial text messages sent via IM identifiers in bulk to be included in the scope of the spam control provisions under the new Act. This means that individuals will be able to better manage such messages as organisations will need to comply with the spam control requirements such as providing an unsubscribe facility and their contact information, when sending commercial text messages using IM identifiers in bulk," it said.

The changes would also require businesses sending text messages via IM identifiers to include contact information alongside those messages, while the PDPC further proposed to reduce to 10 business days the time that organisations have to "effect a withdrawal of consent to receive marketing messages", in line with the existing requirements under the SCA.

The PDPC also proposed to bring third parties that screen the DNCR on behalf of marketers within the scope of the new laws, and to ban them from selling on lists detailing the results of their checks.

Under the proposed new rules, businesses could face fines for breaches, and the burden of proof would be with the alleged sender of unsolicited marketing messages to show that they were not responsible for sending the messages.

The PDPC also said that it is also considering applying the new Act to business-to-business marketing communications.