- Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages.
- A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant.
- A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance.
- The deadline to submit comments on these proposals is 5pm on 7 June 2018.
What you need to know about this Public Consultation
On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and on the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below.
1. New act to merge direct marketing regulations
Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA applies to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom.
The new act will also introduce some additional changes including the extension the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and by extending the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages.
2. New Enhanced practical guidance framework
The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework will allow organisations to submit requests for a “determination” from the PDPC on whether a specific business activity complies with the PDPA. This Framework aims to facilitate the development of innovative data services while providing organisations with greater certainty on their compliance with the PDPA.
Organisations may only submit a request where their query relates to a complex or novel compliance issue that cannot be addressed by the existing general guides. The requests also cannot be hypothetical in nature.
To encourage use of the Framework, the PDPA has proposed that where it finds any non-compliance during the course of providing a determination, it will not initiate investigations into the organisation based on such findings nor use such information in any subsequent investigations.
3. Review of exceptions to the consent obligation
Also under review are the exceptions to the obligation to obtain consent before collecting, using and disclosing personal data. The PDPA seeks to update these exceptions to reflect recent technological developments and changes in business practice. The PDPA wishes to gather feedback on whether the present exceptions should be adjusted or clarified, and whether any should be removed. It remains to be seen how these exceptions will sit alongside the new “legitimate interests” basis of collection, use and disclosure of personal data that the PDPA is also proposing to adopt.
The PDPC is now welcoming comments on the proposed changes by 5 pm on Thursday, 7 June 2018. More details can be found here.
With thanks to Jeremy Tan.