Singapore seeks to introduce new data portability obligation
Jun04

Singapore seeks to introduce new data portability obligation

Key Takeaways  Singapore’s Personal Data Protection Commission (PDPC) released a public consultation on 22 May 2019 relating to data portability and data innovation under the Personal Data Protection Act (PDPA). The proposed data portability obligation would impose a mandatory obligation on organisations to provide an individual’s data at their request to another organisation in a commonly used machine-readable format. The proposed data innovation clarifications would exempt organisations from: (a) notifying individuals of and seeking their consent to use personal data for “business innovation purposes”; and (b) complying with the access, correction and proposed data portability obligations in respect of “derived personal data”. This PDPC is now seeking feedback on these proposals. The deadline to submit feedback is 3 July 2019. The proposed changes at a glance  Proposed Data Portability Obligation Who does the obligation apply to? All organisations to which the PDPA applies, except for data intermediaries. What is the scope of the obligation? Upon request from an individual, an organisation must provide the individual’s data in its possession or under its control to another organisation that has a presence in Singapore in a commonly used machine-readable format. This is subject to compliance with a prescribed process for dealing with such requests that includes verification of the request and allowing the individual to verify the data before it is ported. Please see the graphic below for more details. What data is subject to the obligation? Any data in electronic form: (i) provided by the individual to the organisation; and (ii) generated by the individual’s activities in using the organisation’s product or service. This is not limited to personal data and may include non-personal data, such as business contact information. However, personal data collected lawfully without consent (e.g. where authorised under the PDPA or other law) is not included. Are there any exceptions to the obligation? These would be the same as the exceptions to the existing Access Obligation, save for the exceptions where fulfilling the request would: (i) reveal personal data about another individual; (ii) reveal the identity of the individual who has provided the personal data and that individual does not consent to the disclosure of his/her identity. The data portability obligations must still be fulfilled in those situations. What are the penalties for non-compliance? The PDPC has the power to review refusals to port data, failure to port data within a reasonable time, and the fees imposed for porting data. Breaches of the proposed data portability obligation would be subject to the same penalty framework as the rest of the PDPA. Fig. 1 Handling Data Portability Requests: Key Obligations  Proposed Data Innovation Provisions PDPC is proposing clear...

Read More
IP on Edge: The South-East Asia Perspective
Apr16

IP on Edge: The South-East Asia Perspective

In recent years, there has been a tremendous growth in the adoption of Internet of Things (IoT) technology across all sectors globally. IoT technology has demonstrated an ability to enhance many aspects of how we work and live, from more accurately tracking cargo as it journeys across the globe, to enhancing predictive maintenance of manufacturing equipment, to allowing your refrigerator to tell you when you’re running low on your favourite yoghurt. This rapid adoption has been fuelled by the ability to pair IoT not just with cloud computing but also with edge computing, allowing businesses to benefit from the unlimited computing resources of the cloud to run artificial intelligence (AI) capabilities or more detailed diagnostics, and to pivot to edge computing where more processing is required closer to the IoT device. The ability to adopt both cloud and edge computing allows businesses to operate IoT technology across their entire operations, even where there is reduced latency or where faster response times are required. As a result of this, we are seeing more and more businesses developing and installing new IoT devices to enhance their products and services. By some estimates, there may be as many as 25 billion installed end-point IoT devices by 2020, with a further 1 million more devices expected to come online each hour thereafter.   IoT and the IP risk The explosion in the number of IoT devices naturally brings with it several risks. These include risks relating to data privacy, cybersecurity, data sovereignty and intellectual property (IP). There has been a traditional focus on the three former risks due to high profile data breaches and several new laws being enacted in the region such as Singapore’s Cybersecurity Act, Thailand’s new Personal Data Protection Act, and Vietnam’s Cybersecurity Law. The risks associated with IP are therefore not often the foremost consideration when undertaking IoT-related innovation projects. What then is this IP risk? In short, the development of new IoT technology by a company brings with it the risk of IP infringement claims by third parties that this ‘new’ technology incorporates or copies the third party’s IP without permission. Such litigation can be costly to undertake and may result in very high settlements or awards. According to a recent study, there has been a steady increase in IoT-related patent litigation in the past seven years in the US, the majority of which are brought by non-practicing entities (NPE), or patent trolls, and this scenario is very likely to play out in South-East Asia as the region develops. Simply put, the risk of litigation in the IoT space is growing and is likely to continue. IP infringement...

Read More
Update on proposed amendments to Singapore’s PDPA
Nov08

Update on proposed amendments to Singapore’s PDPA

Singapore’s Personal Data Protection Commission (PDPC) has today issued a response to the feedback received on its earlier public consultation on a new direct marketing act, a new enhanced practical guidance framework (EPG Framework) and a review of the exceptions to the consent obligation. A copy of the PDPC’s response can be found here. The PDPC’s response refines and clarifies some of its earlier proposals, taking into account the public feedback that was received. Outlined below are some of the key developments. The PDPC will clarify that the new direct marketing act: (A) will not apply to in-app notifications; (B) will also apply to unsolicited marketing and commercial messages sent via text but that include images, videos and audio files; and (C) will also apply to messages sent by senders who users have “followed” on a social media platform but from whom users may not wish to receive commercial text messages. The PDPC will institute a phased approach to the shortening of the mandated period for effecting a user’s withdrawal of consent for direct marketing calls. Such withdrawal period for phone calls under the Do-Not-Call provisions will be shortened from 30 days to 21 days initially, before being shortened to 10 business days in order to align with the withdrawal period for unsolicited marketing messages. The PDPC has confirmed that: (A) determinations under the EPG Framework will be available proposed business activities which have sufficiently detailed plans; and (B) that professional advisors will be allowed to seek determinations on behalf of organisations, and industry bodies will be allowed to seek determinations on behalf of their members. The PDPC will now impose a fixed validity period for all EPG Framework determinations, which will be decided on a case-by-case basis. What’s next? It is expected that the new Direct Marketing Act and EPG Framework provisions will now be drafted, although the timeframe within which these will be open to public consultation and tabled in Parliament is unknown. The PDPC’s response also suggests that further refinements to the exceptions to the Consent Obligation can be...

Read More
New direct marketing act and other proposed amendments to the PDPA
May30

New direct marketing act and other proposed amendments to the PDPA

Key takeaways Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages. A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant. A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance. The deadline to submit comments on these proposals is 5pm on 7 June 2018. What you need to know about this Public Consultation On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and on the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below. 1. New act to merge direct marketing regulations Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA applies to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom. The new act will also introduce some additional changes including the extension the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and by extending the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages. 2. New Enhanced practical guidance framework The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework...

Read More
IMDA releases long-awaited proposed changes to the Films Act
Dec08

IMDA releases long-awaited proposed changes to the Films Act

  On 4 December 2017, the Info-communications Media Development Authority of Singapore (“IMDA”) released its long-awaited public consultation paper on the proposed changes to the Films Act (Cap. 107). Minister for Communications and Information, Yaacob Ibrahim, first indicated in January of this year that the government was looking to amend both the Films Act and Broadcasting Act to take into account changes in technology. One broad theme that emerges from the proposed amendments is the fact that the IMDA is focussing its regulatory efforts on the distribution and public exhibition of films. While changes are also proposed to include digital streaming technology under the regime, the emphasis on “public exhibition” indicates that IMDA is, for the purposes of the current consultation at least, taking a lighter-touch approach to regulating consumer-focussed over-the-top video streaming services. There are several proposed amendments, but this post sets out the four key proposals you should be aware of. Four key proposed changes Formalisation of co-classification scheme. Following successful trials in 2011 and 2015, IMDA now proposes to formalise its industry co-classification scheme. This scheme allows employees of industry players to register and be trained as film content assessors. These industry players will then be allowed to independently co-classify films up to the PG-13 rating through their film content assessors. Safeguards will be put in place to ensure the system is not abused, such as IMDA’s right to conduct sample audits of films that have been co-classified and penalties for misclassification. Introduction of video games class licence. Currently, video games are often submitted for classification by wholesale distributors. For video games classified as M18, point-of-sale requirements are attached to the classification certificate issued by IMDA (e.g. ensuring the games are not sold to under-aged consumers). The downstream retailers that sell the video games to consumers are often not made aware of these requirements, defeating their purpose. IMDA proposes introducing an automatic class licence scheme for retailers that sell video games on physical media (e.g. on DVDs) to make them directly responsible for complying with the point-of-sale requirements. The licence will be automatic with no registration required, and will not involve the payment of any licence fees. Clarification that the films licence is only intended to apply to the distribution and public exhibition of films. IMDA has clarified that its films licensing scheme is only targeted at the distribution and public exhibition of films and is proposing amendments to reflect this. Amendments will also be made to ensure that films publicly exhibited by means of streaming or other digital transmission are also included under this scheme. In determining what is a “public exhibition” requiring a licence,...

Read More