Update on proposed amendments to Singapore’s PDPA
Nov 08

Singapore’s Personal Data Protection Commission (PDPC) has today issued a response to the feedback received on its earlier public consultation on a new direct marketing act, a new enhanced practical guidance framework (EPG Framework) and a review of the exceptions to the consent obligation. A copy of the PDPC’s response can be found here. The PDPC’s response refines and clarifies some of its earlier proposals, taking into account the public feedback that was received. Outlined below are some of the key developments.

The PDPC will clarify that the new direct marketing act: (A) will not apply to in-app notifications; (B) will also apply to unsolicited marketing and commercial messages sent via text but that include images, videos and audio files; and (C) will also apply to messages sent by senders whom users have “followed” on a social media platform but from whom users may not wish to receive commercial text messages.

The PDPC will institute a phased approach to the shortening of the mandated period for effecting a user’s withdrawal of consent for direct marketing calls. The withdrawal period for phone calls under the Do-Not-Call provisions will be shortened from 30 days to 21 days initially, before being shortened to 10 business days in order to align with the withdrawal period for unsolicited marketing messages.

The PDPC has confirmed that: (A) determinations under the EPG Framework will be available for proposed business activities which have sufficiently detailed plans; and (B) professional advisors will be allowed to seek determinations on behalf of organisations, and industry bodies will be allowed to seek determinations on behalf of their members.

The PDPC will now impose a fixed validity period for all EPG Framework determinations, which will be decided on a case-by-case basis.

What’s next?
It is expected that the new Direct Marketing Act and EPG Framework provisions will now be drafted, although the timeframe within which these will be open to public consultation and tabled in Parliament is unknown. The PDPC’s response also suggests that further refinements to the exceptions to the Consent Obligation can be...

New direct marketing act and other proposed amendments to the PDPA
May 30

Key takeaways

Singapore’s Personal Data Protection Commission (PDPC) is proposing a new act on direct marketing that will combine the provisions in the Spam Control Act with the Do-Not-Call provisions in the Personal Data Protection Act (PDPA). The new act will also include some changes to streamline the regulations for all unsolicited commercial messages.

A new Enhanced Practical Guidance framework has been proposed that will allow the PDPC to provide “determinations” with regulatory certainty on whether specific business activities are PDPA-compliant.

A review of the existing exceptions to the consent obligation set out in the Second to Fourth Schedules to the PDPA will be undertaken, with a view to updating them for continuing commercial relevance.

The deadline to submit comments on these proposals is 5pm on 7 June 2018.

What you need to know about this Public Consultation

On 27 April 2018, the PDPC released a Public Consultation Paper with a number of proposed changes to the PDPA. This Public Consultation follows in the wake of two recent public consultations conducted last year which dealt with proposed guidelines on the use of NRIC numbers, enhancements of the way in which data is collected, used and disclosed, and the introduction of a data breach notification regime. We discuss some of the key proposals of this Public Consultation below.

1. New act to merge direct marketing regulations

Unsolicited commercial messages are currently regulated under two Acts – the PDPA and the Spam Control Act (SCA). Presently, the SCA applies to electronic messages (i.e. email and text messages) sent in bulk, while the Do-Not-Call (DNC) provisions of the PDPA apply to marketing messages sent to a Singapore telephone number. The PDPC proposes to merge the SCA and the DNC provisions of the PDPA into a new act that will govern all unsolicited commercial messages, mirroring the approach taken in other jurisdictions such as Hong Kong and the United Kingdom.

The new act will also introduce some additional changes, including the extension of the DNC provisions to all unsolicited marketing text messages sent to Singapore numbers (not just those sent in bulk) and the extension of the SCA provisions to unsolicited messages sent through instant messaging platforms (e.g. WhatsApp and LINE). Amendments are also proposed to align the time period afforded to organisations to effect a withdrawal of consent or unsubscribe request from an individual. These changes are intended to reduce ambiguity for organisations in complying with different requirements when sending marketing messages.

2. New Enhanced Practical Guidance framework

The PDPC proposes to introduce a new Enhanced Practical Guidance Framework to supplement the existing general advisory guidelines and guides it publishes. The proposed Framework...

3 Things you need to know about Singapore’s proposed changes to Data Protection
Jul 31

On 27 July 2017, the Personal Data Protection Commission of Singapore (PDPC) issued a public consultation paper on managing personal data in the digital economy. The consultation paper seeks to further facilitate the use of personal data in the digital economy through changes to the consent requirements and at the same time seeks to ensure that security standards are uplifted through the introduction of mandatory breach notification. The consultation paper is a step in the right direction for Singapore on its Smart Nation journey given the importance of data analytics in the digital economy, whilst the mandatory breach notification provisions align the Singapore data protection regime with that of Singapore’s draft Cybersecurity Bill which was recently introduced.

The consultation paper demonstrates that the PDPC recognises the importance of data for innovation and growth, and has proposed changes to ensure the regulatory environment keeps pace with evolving technology in enabling innovation, while ensuring effective protection for individuals’ personal data in the changing landscape. The following are the 3 key things you need to know about the PDPC’s proposed changes:

Notification of purpose can be sufficient. Although the PDPC proposes that organisations should still seek consent for collecting, using and disclosing personal data where practicable, it recognises the need to cater to circumstances where consent is not feasible or desirable, and where the collection, use or disclosure would benefit the public. The PDPC recommends that notifying individuals of the purpose can be sufficient where: (i) it is impractical to obtain consent (and deemed consent does not apply); and (ii) the collection, use or disclosure of personal data is not expected to have any adverse impact on individuals. However, when using this exception, organisations have to conduct a risk and impact assessment and put in place measures to identify and mitigate the risks that may arise.

Consent (or notification) not needed where it is for a legitimate purpose. Under the current personal data protection regime, except where an exemption applies, organisations are not allowed to collect, use or disclose personal data without consent even for a legitimate purpose if this is not expressly provided for or required under any written law (e.g. the sharing and use of personal data to detect and prevent fraudulent activities). As such, the PDPC proposes to update the law so that organisations will be able to collect, use or disclose personal data without consent where: (i) it is not desirable or appropriate to obtain consent; and (ii) the benefits to the public clearly outweigh any adverse impact or risks to the individual. Again, when relying on this exception, organisations have to conduct a risk and impact assessment...

Singapore cracks down on privacy breaches
Apr 25

Singapore’s data protection regulator, the Personal Data Protection Commission (PDPC), has been cracking down on breaches of the Personal Data Protection Act (PDPA). It has just released a set of Data Protection Enforcement Cases, which includes a list of enforcement actions taken against 11 organisations for breaching the PDPA. This provides an insight into the approach the authorities will take to enforcing what is still a relatively new law.

According to the reported enforcement cases, four organisations were fined, ranging from S$5,000 to S$50,000 (about USD 3,700 to USD 37,000), and seven others were issued warnings or directions. The PDPC looked at various factors when determining the severity of breaches, such as the extent to which the organisations had data protection policies and processes in place, the time taken to remedy the breach, the number of affected individuals and the type of personal data involved.

The highest fine of S$50,000 (about USD 37,000) was imposed on K Box Entertainment Group for failing to have in place adequate security measures to protect its members’ personal data, resulting in details of 317,000 members being leaked online in September 2014. An IT vendor, Finantech Holdings, which was engaged by K Box to develop and manage K Box’s Content Management System, was also found liable and fined S$10,000 (about USD 7,400), as a data intermediary for K Box. As with all published enforcement actions, the reputational implications tend to be at least as significant as any other penalties.

Since the PDPA came into force in July 2014, the PDPC has received 667 complaints in total, of which 92% were resolved by investigation and facilitation between the respective complainants and organisations. Common issues with these complaints involved unauthorised personal data processing and a lack of data protection measures in place.

So what does this mean for organisations in Singapore?

These enforcement cases confirm that although the PDPA is generally regarded as a “business-friendly” regulation which is not intended to stifle data innovation, the PDPC is clearly willing to intervene when organisations fall short of the required standards. Given the reputational and financial implications of these high-profile enforcement actions, organisations will need to look carefully at their processes and policies to ensure they are...
