Out-Law / Your Daily Need-To-Know

Mobile device identifiers 'in isolation' unlikely to constitute personal data, says Singapore watchdog

Out-Law News | 29 Jan 2014 | 11:29 am | 3 min. read

The numbers that uniquely identify individual mobile devices are unlikely to constitute personal data, Singapore's data protection watchdog has said.

The Personal Data Protection Commission (PDPC) said that telecoms companies may not have to treat the IMEI numbers associated with mobile devices as personal data, and therefore in accordance with the country's new data protection laws, where those numbers are "viewed in isolation".

It said, though, that IMEI numbers may qualify as personal data where they can be linked to other identifying details of individuals.

"IMEI numbers are used to identify mobile devices in a network," the PDPC said. "As with any other network identifier such as an Internet Protocol (IP) address, an IMEI number may not be personal data when viewed in isolation, because it simply identifies a networked device. However, as each mobile device typically has a unique IMEI number, an IMEI number has the potential to form part of data that in combination relate to an identifiable individual."

"For example, where a large number of unique data points are tagged to the same IMEI number such that an individual may be identified (such as through his surfing habits or location profile), then the IMEI number and set of unique data points would be considered personal data of the individual," it said.

The PDPC's assessment was contained in new draft advisory guidelines (18-page / 140KB PDF) it has issued to businesses operating in the telecommunications sector in Singapore. The guidelines are part of the PDPC's attempt to better illustrate how new data protection laws in the country, which come into full force on 2 July this year, apply to companies in different industries.

Where Singapore mobile network operators enter into agreements with operators from other countries to allow those foreign operators' customers to use their network those Singapore-based businesses have data protection obligations, the PDPC said.

If the Singapore mobile operators purely process personal data of foreign operator's customers for the purposes set out by the foreign operator then they would be considered to be 'data intermediaries' (DIs) and only be required to adhere to rules on data security and data retention, the PDPC said.

However, if the Singapore mobile operators process the foreign customers' data for other purposes not stipulated in their contract with the foreign operator then the full data protection regime would generally apply to that activity, it added.

"The data protection provisions generally apply where the personal data of inbound roamers is collected, used and disclosed," the draft guidelines said. "Therefore, where the Singapore telecommunication operator is collecting, using, disclosing or otherwise processing the personal data of inbound roamers for other purposes beyond what is set out in the contract with the home operator, for example to market the Singapore telecommunication operators’ own pre-paid card options, they would not be considered DIs of the home operator, and the data protection provisions would apply to such activities unless exceptions apply."

"One of these exceptions would be an exception to the consent obligation where the collection, use or disclosure without the consent of the individual is required or authorised under a written law. In this regard, the Commission understands that the Info-communications Development Authority of Singapore (IDA) is considering authorising telecommunication licensees to collect and use the personal data of inbound roamers to offer such inbound roamers roaming-related information and services," it added.

The guide also contains advice on when telecoms companies can exchange customer details with other operators when connecting calls or text messages and on the displaying of personal information on itemised bills. It also made clear that Singapore telecoms companies can send customers registered on the country's 'Do Not Call' Registry messages containing account or product information without that activity falling foul of the rules that generally ban the sending of marketing messages to those listed on the Registry.

"Initial feedback from telco operators on the Personal Data Protection Act indicated that there were many unique concerns associated with the telco business and their regulatory environment and these guidelines will serve as a welcome clarification of those concerns in a balanced way," telecoms and data protection law expert Bryan Tan of Pinsent Masons MPillay, the Singapore-based joint venture partner of Pinsent Masons, the law firm behind Out-Law.com, said.

In addition, the PDPC has also released proposed advisory guidelines for the real estate agency sector (19-page / 135KB PDF), which were developed in consultation with the Council for Estate Agencies. The document includes guidance and clear examples for estate agents about how personal data should be collected and used in the context of property transactions and referrals to associated professionals.

Stakeholders have until 13 February to reply to the PDPC's guidance consultations.